Linux Netfilter discussions
From: Moritz Warning <moritzwarning@web.de>
To: netfilter@vger.kernel.org
Subject: Captive portal on a bridged interface
Date: Wed, 17 Jul 2013 00:21:16 +0200
Message-ID: <51E5C75C.8020003@web.de>


Hi, I'd like to create a captive portal on a bridged interface.
Every approach I have tried so far didn't work.

Let this be the setup:

sysctl -w net.bridge.bridge-nf-call-iptables=1
sysctl -w net.ipv4.ip_forward=1

ifconfig eth1 0.0.0.0
ifconfig eth2 0.0.0.0
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 eth2
ifconfig eth1 up
ifconfig eth2 up
ifconfig br0 10.0.0.33 netmask 255.255.255.0 up
route add default gw 10.0.0.1

Clients are behind eth2 and can access the Internet
using a gateway somewhere behind eth1.
Every packet from an unknown client (by MAC) needs to be blocked
from accessing everything except DNS and 10.0.0.0/8.
HTTP requests (port 80) need to be redirected to
the local web server (the captive portal).

My best start so far is this:
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
iptables -t nat -I PREROUTING 1 -p tcp --dport 80 -j DNAT --to-destination $br0_ip_addr

It seems to successfully redirect http requests to the local web server.
But e.g. adding ! -d 10.0.0.0/8 as an exception doesn't seem to work.


After reading a lot of documentation, my head is still spinning.
Can anybody give me a few hints about which rules I need?

For what it is worth, the system is OpenWrt. :-)

Thanks,
mwarning
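The post above asks how to split the rules between ebtables and iptables for a bridged captive portal. The script below is an added example, not code from the post or from OpenWrt. It generates (and optionally applies) one workable rule set for the setup described: clients on eth2, uplink on eth1, br0 at 10.0.0.33, the portal web server listening on the router itself on port 80, and a constructed list of already-authorised client MACs; the `portal` chain name and all of these values are assumptions, adjustable through the environment. It relies on the two sysctls from the post (`net.bridge.bridge-nf-call-iptables=1`, `net.ipv4.ip_forward=1`). The point it illustrates is that the exceptions (known MACs, traffic to 10.0.0.0/8) have to be decided at layer 2, before the broute redirect, so those frames stay bridged and never reach the DNAT rule; only HTTP from unknown clients is handed to the IP stack, where it arrives with the bridge port (eth2), not br0, as its input interface.

```shell
#!/bin/sh
# Captive-portal rule generator for a Linux bridge (added example, not from
# the post above or from OpenWrt). Assumed, overridable via the environment:
# clients on eth2, br0 = 10.0.0.33, the portal served on the router on port 80.
# With no arguments the rules are printed; "apply" pipes them to sh (as root).
BR_IP=${BR_IP:-10.0.0.33}
CLIENT_IF=${CLIENT_IF:-eth2}
LOCAL_NET=${LOCAL_NET:-10.0.0.0/8}
PORTAL_PORT=${PORTAL_PORT:-80}
# Constructed example addresses; in practice the portal's login handler
# would append authorised MACs to a file read here.
KNOWN_MACS=${KNOWN_MACS:-"00:11:22:33:44:55 66:77:88:99:AA:BB"}

# Print a MAC in lowercase colon form, or fail if the input is not one.
norm_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$m" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$m"
}

# Layer-2 decision (broute table). ACCEPT here means "bridge normally", so
# known clients and anything bound for the local network never leave the
# bridge path. Only HTTP from unknown clients is "brouted" to the IP stack,
# where iptables can DNAT it. Order matters: exemptions before the redirect.
gen_broute() {
    echo "ebtables -t broute -F BROUTING"
    for mac in $KNOWN_MACS; do
        n=$(norm_mac "$mac") || { echo "bad MAC: $mac" >&2; return 1; }
        echo "ebtables -t broute -A BROUTING -i $CLIENT_IF -s $n -j ACCEPT"
    done
    echo "ebtables -t broute -A BROUTING -i $CLIENT_IF -p IPv4 --ip-dst $LOCAL_NET -j ACCEPT"
    echo "ebtables -t broute -A BROUTING -i $CLIENT_IF -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP"
}

# Bridge filter: whatever an unknown client sends that is not ARP, DNS or
# destined for the local network is dropped on the bridge. Unknown clients'
# HTTP never reaches this chain; it was taken off the bridge path above.
gen_filter() {
    echo "ebtables -t filter -F FORWARD"
    for mac in $KNOWN_MACS; do
        n=$(norm_mac "$mac") || { echo "bad MAC: $mac" >&2; return 1; }
        echo "ebtables -t filter -A FORWARD -i $CLIENT_IF -s $n -j ACCEPT"
    done
    echo "ebtables -t filter -A FORWARD -i $CLIENT_IF -p ARP -j ACCEPT"
    echo "ebtables -t filter -A FORWARD -i $CLIENT_IF -p IPv4 --ip-dst $LOCAL_NET -j ACCEPT"
    echo "ebtables -t filter -A FORWARD -i $CLIENT_IF -p IPv4 --ip-proto udp --ip-dport 53 -j ACCEPT"
    echo "ebtables -t filter -A FORWARD -i $CLIENT_IF -p IPv4 --ip-proto tcp --ip-dport 53 -j ACCEPT"
    echo "ebtables -t filter -A FORWARD -i $CLIENT_IF -j DROP"
}

# Layer 3 (nat table). A brouted frame enters iptables with the bridge port,
# not br0, as its input interface. The rule lives in its own chain so that
# regenerating it does not flush anything else in nat PREROUTING.
gen_nat() {
    echo "iptables -t nat -N portal 2>/dev/null || iptables -t nat -F portal"
    echo "iptables -t nat -A portal -i $CLIENT_IF -p tcp --dport 80 ! -d $LOCAL_NET -j DNAT --to-destination $BR_IP:$PORTAL_PORT"
    echo "iptables -t nat -C PREROUTING -j portal 2>/dev/null || iptables -t nat -I PREROUTING 1 -j portal"
}

gen_rules() {
    gen_broute && gen_filter && gen_nat
}

case "${1-}" in
    apply) gen_rules | sh ;;
    "")    gen_rules ;;
esac
```

Two things worth keeping in mind when using this. The MAC is the only credential here, so a client that copies an authorised MAC walks straight through; that is inherent to MAC-based portals, not to these rules. And because known clients are bridged rather than routed, their web replies come back over the bridge as well, so no return-path broute rule (the `--ip-sport 80` rule from the post) is needed; if clients obtain addresses over DHCP from beyond eth1, add a FORWARD exception for UDP 67/68 before the final DROP.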
