Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
K
K
korsamc2018-09-24 18:28:34
linux
korsamc, 2018-09-24 18:28:34

Iptables rules for captive portal?

There is a wifi router on the wealan, I can’t realize such a moment as wrapping all traffic so that it goes to the authorization page that will be on the server (it also acts as dhcp), the wealan is spinning on the enp4s0 interface, from another interface that looks in the direction of the provider, I was able to open a pass thanks to such commands.

echo "net.ipv4.ip_forward=1" » /etc/sysctl.con
iptables -t nat -A POSTROUTING -o enp2s0 -j ​​MASQUERADE

Thanks to what iptables rules can you wrap traffic so that unauthorized users leave the stub page to gain access to wifi.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
A
Alexey Golobokov, 2018-09-25
@korsamc

iptables:

*nat
-A PREROUTING -d 10.100.0.220/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -m set ! --match-set mac-allowed src -j DNAT --to-destination 10.100.0.220

*filter
-A FORWARD -i vlan1+ -j macallowed
-A macallowed -d DNS-сервер -p udp -m udp --dport 53 -j ACCEPT
-A macallowed -m set --match-set mac-allowed src -j ACCEPT
-A macallowed -j DROP

ipset:
create mac-allowed hash:mac hashsize 1024 maxelem 65536
add mac-allowed A0:4E:A7:55:44:33

More or less like this.
In nat prerouting, traffic not from the ipset of allowed MAC addresses is wrapped to the host with the portal.
And on the portal, you need to specify the code 511 in the header so that the captive portal detection understands that this is a sandbox and
opens the window for additional actions to connect (although this is not accurate):
header('HTTP/1.1 511 Network Authentication Required', TRUE, 511);
header("Location: http://10.100.0.220/portal/index.php?step=1");

PS. You can do without ipset, but it's faster when there are a lot of records.

Report
M
mikes, 2018-09-25
@mikes

create a chain and throw everyone there
if in one L2 segment, then from the DST NAT user's poppy to the captive portal address, after successful authorization delete the user's poppy from the chain

Similar questions
N
Nikita Reshetnyak2019-10-07 07:26:25
Why can't you hear the interlocutor in the absence of a tunnel between offices? 2Reply
T
temakorolev12020-11-06 03:04:53
When the packages are installed, it displays that they are not there, because of what could this be? 2Reply
O
otoolov2020-11-06 13:56:35
How to redirect traffic depending on site in openwrt? 2Reply
S
Sergey2014-08-19 21:33:59
Nginx and gitlab installation? 3Reply
L
lukoie2014-08-19 22:40:28
How to install Debian LHDE or Rat? 4Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question