Jump to content

Need help to create Captive Portals using IPtables rules on Ubuntu


Recommended Posts

Hi,

 

I am using this thread to create a captive portal: http://www.andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal

 

I am running Ubuntu using VMWare on win 7 in unity mode which is all working cool, including networking. I have installed all packages to run apache2, php5, mysql and phpmyadmin and also other packages as listed in by andybev- (which are also working cool)

 

#  conntrack

# sudo

# psmisc

# PHP

# squid

 

The flat file used to store details of all registered users is /var/lib/users. Now I have to create the iptables rules, where I am having problem. Andybev just says the following iptables rules are required without elaborating "HOW TO CREATE THESE RULES"

 

Firewall rules required

 

The following iptables rules are needed in your firewall:

 

IPTABLES=/sbin/iptables

 

# Set the default policy to drop all forwarded packets

$IPTABLES -P FORWARD DROP

 

# Create internet chain

# This is used to authenticate users who have already signed up

$IPTABLES -N internet -t nat

 

 

# Accept all local traffic

$IPTABLES -t nat -A PREROUTING -i eth0 --destination 10.0.0.0/16 -j ACCEPT

 

# First send all traffic via newly created internet chain

# At the prerouting NAT stage this will DNAT them to the local

# webserver for them to signup if they aren't authorised

# Packets for unauthorised users are marked for dropping later

$IPTABLES -t nat -A PREROUTING -j internet

 

 

# Now that we've got to the forward filter, drop all packets

# marked 99 - these are unknown users. We can't drop them earlier

# as there's no filter table

$IPTABLES -t filter -A FORWARD -m mark --mark 99 -j DROP

 

###### INTERNET CHAIN ##########

# Allow authorised clients in, redirect all others to login webserver

# Add known users to the NAT table to stop their dest being rewritten

# Ignore MAC address with a * - these users are blocked

# This awk script goes through the /var/lib/users flat file line by line

awk 'BEGIN { FS="\t"; } { system("$IPTABLES -t nat -A internet -m mac --mac-source "$4" -j RETURN"); }' /var/lib/users

 

# MAC address not found. Mark the packet 99

$IPTABLES -t nat -A internet -j MARK --set-mark 99

# Redirects web requests from Unauthorised users to logon Web Page

$IPTABLES -t nat -A internet -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.1

################################

 

 

# Enable Internet connection sharing

$IPTABLES -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i eth0 -o ppp0 -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

[/Quote]

 

I am not able to apply these rules. I tried to edit the iptables in /sbin/iptables but realised it is an executable program. I tried running this program on terminal and then execute each iptable rule as given by Andybev, line by line. But I highly doubt if it was meant to be done that way.

 

Please shed some light on iptables rules and fireball so that I can create the captive portal.

 

ps: This captive portal is meant for wired LAN computers. NOT WIFI.

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.