document contains no data

ron.peterson at yellowbank.com ron.peterson at yellowbank.com
Sat Aug 16 00:02:46 EDT 2003 

First, the concept.  Hand out a fake gateway address to unregistered
computers.  Said gateway uses iptables rules to reject all traffic
except port 80.  Port 80 traffic gets DNAT'd to a host (same host as
fake gateway, in example below) which replies to port 80 traffic with a
redirect to the URL of a registration page.

I've done this, and it works perfectly.  As long as I'm running my
browser from linux.  When I switch to Windows, no matter whether I use
Mozilla or IE, it sometimes works, but sometimes doesn't.  The other odd
thing is, that if I do 'telnet gateway 80' in Windows, I get the
expected redirect HTTP/HTML text every time.  Another curiousity is that
when I run ethereal on the fake gateway machine, and watch all traffic
to/from the Windows box, I see the same pattern of traffic on successful
page loads as on failed page loads.

Any ideas why this might behave so erratically?

I've included the skeleton of the aforementioned scripts below:

______________
iptables setup

THISIP="10.0.0.1"
THISNET="10.0.0.0/8"
REGWEBIP="10.0.0.1"
REGWEBPORT="80"
PUB="eth0"
IPTABLES="/sbin/iptables"
echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -F
$IPTABLES -t nat -F

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

$IPTABLES -A OUTPUT --match state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -t nat -A PREROUTING -i $PUB -p tcp --dport 80 -j DNAT --to-destination $REGWEBIP:$REGWEBPORT
$IPTABLES -t nat -A POSTROUTING -d $REGWEBIP -p tcp --dport $REGWEBPORT -s $THISNET -j SNAT --to-source $THISIP

$IPTABLES -A INPUT -d 127.0.0.1 -i lo -j ACCEPT
$IPTABLES -A INPUT -j REJECT --reject-with icmp-net-prohibited

____________________________
/etc/inetd.conf on $REGWEBIP

http stream tcp nowait nobody /usr/local/bin/redirect.pl testhost.domain

___________
redirect.pl

#!/usr/bin/perl
# thanks to Joe.Smith at MCI.com

$otherhost = @ARGV ? $ARGV[0] : "testhost.domain";
$message = <<EOM;
HTTP/1.0 302 redirect
Status: 302 Relocate status
Location: http://$otherhost/test/
Content-Type: text/html

<html>
<head>
<title>Off Campus Restricted</title>
</head>

<body>
<h1>Off Campus Restricted</h1>
<p>Your computer has not been registered.  You must complete the <a
href="http://$otherhost/test/">registration process</a> before being
allowed off-campus access.</p>
</body>
</html>
EOM

$message =~ s/\n/\r\n/gm;       # Convert to netascii form, CR+LF
print $message;                 # Tell the browser to go away
exit;

-- 
Ron Peterson                   -o)
87 Taylor Street               /\\
Granby, MA  01033             _\_v
https://www.yellowbank.com/   ---- 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
URL: <http://lists.blu.org/pipermail/discuss/attachments/20030816/69c48acd/attachment.sig>

More information about the Discuss mailing list