[Fwd: Re: Wireless Login Page]

[Fwd: Re: Wireless Login Page]

[Kirk Wallace]

[-- Attachment #1: Type: text/plain, Size: 1332 bytes --]

(This may be a duplicate message, KW)

Thank you for the replies Alex and Jan.

I set up a test system with two PC's. PC one has Apache httpd running on
it with iptables flushed, defaults set to accept all packets and is at
192.168.21.1 . PC two is simply a workstation at 192.168.21.10 . I can
get my default webpage by pointing the workstation's browser to
192.168.21.1 . I invoked "iptables -t nat -A PREROUTING -p TCP --dport
80 -j REDIRECT" on the http host. At this point I was expecting to point
the workstation's browser to 192.168.21.2 and get the default webpage,
but this returned "Unable to Connect".

It seems from the description of REDIRECT 
( http://www.faqs.org/docs/iptables/targets.html#REDIRECTTARGET ) that,
when the packet hits the PREROUTING table, it immediately gets sent to
localhost and presumably httpd. I am guessing here, but since httpd is
an application, the tcp/ip stuff gets stripped off (but the port number
stays?), so the fault must be in how Apache is set up? I am thinking,
did Apache receive the packet (maybe check the appropriate log file?).
Did Apache have a problem interpreting the packet it received (check
logs)? Or, may this be a situation where the server can't figure out
where to send a reply?

Thank you for any replies.

Kirk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[-- Attachment #2: Forwarded message - Re: Wireless Login Page --]
[-- Type: message/rfc822, Size: 3591 bytes --]

From: "Alex" <alex@hackgod.org>
To: "Kirk Wallace" <kwallace@wallacecompany.com>, <netfilter@lists.netfilter.org>
Cc: 
Subject: Re: Wireless Login Page
Date: Fri, 27 Apr 2007 12:41:07 +0100
Message-ID: <00d501c788c0$f460c730$0a00080a@rhea>

You don't need contrack for the redirection part. I've achived the same 
thing on my router using -j REDIRECT

You could do it for only port 80 trafic, but I've done it for all traffic. 
You get some entertaining attempts from people trying to work out why they 
have a valid DHCP lease but now internet conductivity.

----- Original Message ----- 
From: "Kirk Wallace" <kwallace@wallacecompany.com>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, April 26, 2007 5:48 PM
Subject: Wireless Login Page


>I have a wireless card installed on Fedora 4 system. I have the wireless
> connection open, DHCP enabled and have disabled forwarding for the
> "open" network. I use Poptop and Radius to authenticate and assign IP
> addresses on the tunnel and then allow forwarding for the tunnel address
> range. I now want to have all http requests from the "open" network to
> be directed to a opening/login page on the wireless server. Can this be
> done with iptables (conntrack?)? Would anyone suggest links or keywords
> for finding more information? Thank you.
>
> Kirk
>
>
> 

Re: [Fwd: Re: Wireless Login Page]

[Daniel Lopes]

Kirk Wallace schrieb:
> (This may be a duplicate message, KW)
> 
> Thank you for the replies Alex and Jan.
> 
> I set up a test system with two PC's. PC one has Apache httpd running on
> it with iptables flushed, defaults set to accept all packets and is at
> 192.168.21.1 . PC two is simply a workstation at 192.168.21.10 . I can
> get my default webpage by pointing the workstation's browser to
> 192.168.21.1 . I invoked "iptables -t nat -A PREROUTING -p TCP --dport
> 80 -j REDIRECT" on the http host. At this point I was expecting to point
> the workstation's browser to 192.168.21.2 and get the default webpage,
> but this returned "Unable to Connect".
> 

Hi,

I don't really understand what you are trying. When your browser 
connects to 192.168.21.2 and there is no webserver running it will not 
be able to connect logically. Do you want to redirect traffic destined 
to 192.168.21.1 to 192.168.21.2 then -j DNAT --to-destination 
192.168.21.2 is your friend not -j REDIRECT. This will redirect all 
traffic to the local machine.

Wireless Login Page

[Kirk Wallace]

On Sat, 2007-04-28 at 19:45 +0200, Daniel Lopes wrote:
> Kirk Wallace schrieb:
> > (This may be a duplicate message, KW)
> > 
> > Thank you for the replies Alex and Jan.
> > 
> > I set up a test system with two PC's. PC one has Apache httpd running on
> > it with iptables flushed, defaults set to accept all packets and is at
> > 192.168.21.1 . PC two is simply a workstation at 192.168.21.10 . I can
> > get my default webpage by pointing the workstation's browser to
> > 192.168.21.1 . I invoked "iptables -t nat -A PREROUTING -p TCP --dport
> > 80 -j REDIRECT" on the http host. At this point I was expecting to point
> > the workstation's browser to 192.168.21.2 and get the default webpage,
> > but this returned "Unable to Connect".
> > 
> 
> Hi,
> 
> I don't really understand what you are trying. When your browser 
> connects to 192.168.21.2 and there is no webserver running it will not 
> be able to connect logically. Do you want to redirect traffic destined 
> to 192.168.21.1 to 192.168.21.2 then -j DNAT --to-destination 
> 192.168.21.2 is your friend not -j REDIRECT. This will redirect all 
> traffic to the local machine.

On Sat, 2007-04-28 at 18:32 +0100, Alex wrote: 
> TBH this site can explain -j REDIRECT better than I could.
> http://security.maruhn.com/iptables-tutorial/x10065.html
> 
> Is the machine thats doing the NATing the same as the one with the httpd? 
> This has to be the case for redirect to work as you require it. Other wise, 
> maybe you could use squid to proxy?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I was using 192.168.21.2 just to test whether httpd would respond to any
IP address sent on the 192.168.21.0/24 address space. 

I envision that a person would boot their wireless laptop and scan for
hotspots. They would see my hotspot and connect. Then my DHCP server
would give the laptop an IP address, subnet mask, gateway address, DNS1
and DNS2. Then the user would start firefox and try to open a link to
anywhere.com, but I have FORWARD denied to all but logged in users
(which have a tunnel IP address on another subnet). At this point, I
want the anywhere.com request to invoke the httpd on the wireless router
to reply with a login page. Currently dhcpd, httpd, radiusd and pptpd
are on the same PC.

I was looking at Chillispot to do this but it doesn't have some of the
features I want, and I could not find documentation that would allow me
to figure out how it works. I want an application that does just what it
needs to do, that I can understand and modify as my needs change.

I have used REDIRECT to allow a pcAnywhere connection to an internal PC
from the Internet, and I still get a kick that it works, but I was able
to get it to work without fully understanding how it works. (Does that
make me a script kiddie?)

Basic List question: 

I am used to reading a message from a list, then clicking the reply
button, typing a reply and clicking send, which sends the reply back to
the list. It seems here, that I need to cut and paste the message
history and reply to a new message addressed to the list address. Is
this the proper way to use this list?

Kirk

Re: Wireless Login Page

[Michelle Konzack]

[-- Attachment #1: Type: text/plain, Size: 1858 bytes --]

Hello Kirk and *,

Am 2007-04-28 11:43:27, schrieb Kirk Wallace:
> I was using 192.168.21.2 just to test whether httpd would respond to any
> IP address sent on the 192.168.21.0/24 address space. 
> 
> I envision that a person would boot their wireless laptop and scan for
> hotspots. They would see my hotspot and connect. Then my DHCP server
> would give the laptop an IP address, subnet mask, gateway address, DNS1
> and DNS2. Then the user would start firefox and try to open a link to
> anywhere.com, but I have FORWARD denied to all but logged in users
> (which have a tunnel IP address on another subnet). At this point, I
> want the anywhere.com request to invoke the httpd on the wireless router
> to reply with a login page. Currently dhcpd, httpd, radiusd and pptpd
> are on the same PC.

This is exactly what I want to do to.

But if the $CLIENT has gotten its DHCP-IP-Addressm then ANY
connections (any Ports except DNS and DHCP) nust be blocked
until the user has once started a Webbrowser and authentificated.

I was thinking, that if the $USER open a connection plus auth,
the connection will be droped for example 5 minutes after the
last traffic going over the Interface with the specified MAC/IP.

I have not found any examples ho to do this.

Would you like to share your config?

And speciay how you have setup your "fist-connect" page to auth?

Greetings
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSN LinuxMichi
0033/6/61925193    67100 Strasbourg/France   IRC #Debian (irc.icq.com)

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]