
Using linux as masq. server, how to force users to our intranet home

Status
Not open for further replies.

sdave1284 (Technical User), Jun 5, 2003
Okay, here is a little background. We have about 400 people on our network and it is routed through a Linux box to a DS3 connection. Before they are able to get online, they are required to register their computer, and then a PHP script allows them access once they register their MAC address with us. Is there a way to force the users of our network to be redirected to our intranet registration page, no matter what site they type in the address bar, if they have not registered? This is so it makes it easy for people that forget they have to register. I know it can be done, because the university I go to does it for their wireless access, where it will redirect you to a login page no matter what page you request. I just don't know if Linux can do it. Thanks.

-Dave
 

Depending on how many machines you're talking about it may be quite cumbersome to the NAT box, since you'll basically require a separate rule for every MAC address, then a default to forward the unknowns.

Create a NAT rule to redirect all unknown MAC addresses to the intranet web server. Have your PHP script dynamically insert a rule into the running NAT (iptables?) rules *before* the default rule, allowing free access to port 80, and also add the MAC address to a file that is used at boot time to recreate your iptables ruleset.

It's pretty straightforward; the details are left as an exercise to the student.
 
Okay, I kind of understand what you are saying. My PHP script already runs this command when they register:

exec('sudo iptables -I eth0_mac -m mac --mac-source ' . $mac . ' -j RETURN');

Then I also store the MAC address in a file on the server so the chain can be inserted again if I restart the Linux box. So I have all that set up.

I'm not really good at the commands, so what command would I need to put in to make it redirect the people that do not have the above chain inserted for their MAC address? Right now I just do not allow them to use any internet. They are only able to access the internal web server and the internal DNS server so they can access the registration page. I just want to redirect to that page, either to the server's IP address or the DNS name. Thanks for your help.

Dave
 
One more thing: I need this to make it so that the chain that gets inserted each time a person registers does not require me to restart iptables, etc. There are constantly people registering, so I can't have it bring down the internet connection. Thanks again.

Dave
 
Something like this...

Take anything on my 192.168 trying to go to an http port and send it to a specific server...

Code:
iptables -t nat -A POSTROUTING -o eth+ -p tcp -s 192.168.0.0/16 \
     --destination-port 80 -j SNAT --to-source 192.168.0.6
 
I tried using this command:

iptables -t nat -A POSTROUTING -o eth+ -p tcp -s 10.10.0.0/16 \
--destination-port 80 -j SNAT --to-source 10.10.10.1

Where 10.10.0.0 is the LAN and 10.10.10.1 is the Linux box that has the web server running on it. It did not work. It just tries to access the website that the browser has asked for and then returns a DNS error, since the MAC access list DROPs all packets trying to go outside the Linux box.
 
oops change the eth+ to eth0 which is where the LAN connects to...
 
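The redirect Dave is after is normally done with a DNAT rule in the nat table's PREROUTING chain (SNAT in POSTROUTING only rewrites the source address on the way out, which is why the traffic still goes to the site the browser asked for). The script below is an added example, not code from anyone in this thread; it assumes eth0 is the LAN side, 10.10.0.0/16 is the LAN, the registration web server is 10.10.10.1:80, and the chain name portal_mac and the MAC list file path are my own choices. It validates the MAC before it reaches a root command line, inserts the exemption live with -I (no restart), and rebuilds the exemptions from the file after a reboot.

```shell
#!/bin/sh
# Added example (not from the thread): captive-portal style redirect with a
# DNAT rule in the nat table's PREROUTING chain. Assumed values: LAN side eth0,
# LAN 10.10.0.0/16, registration web server 10.10.10.1:80; chain portal_mac
# and the MAC list file path are my own names. Run with IPT=echo to print the
# rules instead of applying them.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.10.0.0/16}"
PORTAL="${PORTAL:-10.10.10.1}"
MAC_FILE="${MAC_FILE:-/etc/portal/registered_macs}"   # assumed path

# Reject anything that is not aa:bb:cc:dd:ee:ff before it reaches a root
# command line (the PHP exec() in the thread interpolates $mac unchecked).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Build the chain once at boot. Port-80 traffic from the LAN is sent through
# portal_mac; the chain's last rule rewrites the destination of every client
# that did not match a registered MAC to the registration server.
setup_portal() {
    $IPT -t nat -N portal_mac
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j portal_mac
    $IPT -t nat -A portal_mac -j DNAT --to-destination "$PORTAL:80"
}

# Exempt one MAC. -I inserts at the top of the chain, ahead of the DNAT
# default, so the change is live at once; no flush or restart is needed.
allow_mac() {
    valid_mac "$1" || return 1
    $IPT -t nat -I portal_mac -m mac --mac-source "$1" -j RETURN
}

# What the registration script calls: open the rule and record the MAC.
register_mac() {
    allow_mac "$1" || return 1
    printf '%s\n' "$1" >> "$MAC_FILE"
}

# Re-create the exemptions from the file after a reboot (run setup_portal first).
restore_macs() {
    while read -r mac; do allow_mac "$mac"; done < "$MAC_FILE"
}

case "${1:-}" in
    setup)    setup_portal ;;
    register) register_mac "$2" ;;
    restore)  restore_macs ;;
esac
```

The DNAT only changes where the packet is delivered; the browser still sends the original hostname in its Host header, so the registration server must answer that request with the registration page as its default site. The filter-table chain Dave already has (eth0_mac) still decides who is forwarded to the internet; this chain only handles the redirect.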