
BLU Discuss list archive





First, the concept.  Hand out a fake gateway address to unregistered
computers.  Said gateway uses iptables rules to reject all traffic
except port 80.  Port 80 traffic gets DNAT'd to a host (same host as
fake gateway, in example below) which replies to port 80 traffic with a
redirect to the URL of a registration page.

I've done this, and it works perfectly.  As long as I'm running my
browser from linux.  When I switch to Windows, no matter whether I use
Mozilla or IE, it sometimes works, but sometimes doesn't.  The other odd
thing is that if I do 'telnet gateway 80' in Windows, I get the
expected redirect HTTP/HTML text every time.  Another curiosity is that
when I run ethereal on the fake gateway machine, and watch all traffic
to/from the Windows box, I see the same pattern of traffic on successful
page loads as on failed page loads.

Any ideas why this might behave so erratically?

I've included the skeleton of the aforementioned scripts below:

______________
iptables setup

THISIP="10.0.0.1"
THISNET="10.0.0.0/8"
REGWEBIP="10.0.0.1"
REGWEBPORT="80"
PUB="eth0"
IPTABLES="/sbin/iptables"
echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -F
$IPTABLES -t nat -F

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

$IPTABLES -A OUTPUT --match state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT

# Every port-80 connection arriving from the unregistered network is
# rewritten to the registration web server.
$IPTABLES -t nat -A PREROUTING -i $PUB -p tcp --dport 80 -j DNAT --to-destination $REGWEBIP:$REGWEBPORT
# Only relevant when REGWEBIP is another host: connections DNAT'd to the
# local box never traverse POSTROUTING.
$IPTABLES -t nat -A POSTROUTING -d $REGWEBIP -p tcp --dport $REGWEBPORT -s $THISNET -j SNAT --to-source $THISIP

$IPTABLES -A INPUT -d 127.0.0.1 -i lo -j ACCEPT
# The DNAT'd SYN reaches INPUT in state NEW; without this rule the REJECT
# below would refuse it and the redirect could never be served locally.
$IPTABLES -A INPUT -p tcp --dport $REGWEBPORT --match state --state NEW -j ACCEPT
$IPTABLES -A INPUT -j REJECT --reject-with icmp-net-prohibited

# "Reject all traffic except port 80": only the redirected web traffic
# (and replies to it) may pass through the fake gateway.
$IPTABLES -A FORWARD --match state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -d $REGWEBIP -p tcp --dport $REGWEBPORT -j ACCEPT
$IPTABLES -A FORWARD -j REJECT --reject-with icmp-net-prohibited

____________________________
/etc/inetd.conf on $REGWEBIP

# service  socket  proto  wait    user    server-path                  argv[0]      args
http stream tcp nowait nobody /usr/local/bin/redirect.pl redirect.pl testhost.domain

___________
redirect.pl

#!/usr/bin/perl
# thanks to Joe.Smith at MCI.com
#
# Runs under inetd: the client socket is stdin/stdout, so printing the
# response and exiting is all that is needed.  The redirect target comes
# from the first argument (see inetd.conf), with a fallback for testing.
use strict;
use warnings;

my $otherhost = @ARGV ? $ARGV[0] : "testhost.domain";
my $message = <<EOM;
HTTP/1.0 302 redirect
Status: 302 Relocate status
Location: http://$otherhost/test/
Content-Type: text/html

<html>
<head>
<title>Off Campus Restricted</title>
</head>

<body>
<h1>Off Campus Restricted</h1>
<p>Your computer has not been registered.  You must complete the <a
href="http://$otherhost/test/">registration process</a> before being
allowed off-campus access.</p>
</body>
</html>
EOM

$message =~ s/\n/\r\n/gm;       # Convert to netascii form, CR+LF
print $message;                 # Tell the browser to go away
exit;

-- 
Ron Peterson                   -o)
87 Taylor Street               /\\
Granby, MA  01033             _\_v
https://www.yellowbank.com/   ---- 
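An added example, not Ron's script and not part of the original post: the same inetd-style responder in Python, with one behavioural difference worth checking when a redirect works from telnet but only sometimes from a browser. redirect.pl prints its reply and exits without ever reading the request. If request bytes are still unread in the socket's receive buffer when the process exits, Linux closes the connection with a TCP RST instead of a FIN, and a client that gets the reset may discard a response it has already received. This version drains the request line, headers and any Content-Length body first, and sends Content-Length plus Connection: close so HTTP/1.1 clients know exactly where the reply ends. The host names (testhost.domain, reg.example.net) and the path /test/ are placeholders, as in the post; the inetd.conf line in the comment is an assumed equivalent of the original one.

```python
"""Captive-portal redirect responder for inetd: request on stdin, response on
stdout, one process per connection.  Added example; placeholder host names."""
import sys
from io import BytesIO
from typing import Dict, Tuple

# Placeholder names taken from the original post; not real hosts.
DEFAULT_HOST = "testhost.domain"
REG_PATH = "/test/"

BODY_TEMPLATE = (
    "<html>\n<head>\n<title>Off Campus Restricted</title>\n</head>\n"
    "<body>\n<h1>Off Campus Restricted</h1>\n"
    "<p>Your computer has not been registered.  You must complete the "
    '<a href="{url}">registration process</a> before being allowed '
    "off-campus access.</p>\n</body>\n</html>\n"
)


def read_request(stream) -> Tuple[str, Dict[str, str]]:
    """Read the request line and header block; header names are lower-cased."""
    request_line = stream.readline().decode("latin-1").rstrip("\r\n")
    headers: Dict[str, str] = {}
    while True:
        line = stream.readline()
        if not line or line in (b"\r\n", b"\n"):
            break  # blank line ends the headers (or the client hung up)
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def drain_body(stream, headers: Dict[str, str]) -> int:
    """Consume a Content-Length body (e.g. a POST) so nothing is left unread
    in the receive buffer when we close; returns the number of bytes drained."""
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        length = 0
    return len(stream.read(length)) if length > 0 else 0


def build_redirect(target_host: str = DEFAULT_HOST, path: str = REG_PATH) -> bytes:
    """Build a complete HTTP/1.0 302 response with CRLF line endings.
    Content-Length and Connection: close let HTTP/1.1 clients see the end of
    the response instead of waiting on a keep-alive."""
    url = f"http://{target_host}{path}"
    body = BODY_TEMPLATE.format(url=url).replace("\n", "\r\n").encode("latin-1")
    head = "\r\n".join([
        "HTTP/1.0 302 Found",
        f"Location: {url}",
        "Content-Type: text/html",
        f"Content-Length: {len(body)}",
        "Cache-Control: no-cache",
        "Connection: close",
        "",
        "",
    ]).encode("latin-1")
    return head + body


def serve(inp, out, target_host: str = DEFAULT_HOST) -> Tuple[str, int, bytes]:
    """Handle one connection: drain the request, then write the redirect.
    Returns (request line, body bytes drained, response) for inspection."""
    request_line, headers = read_request(inp)
    drained = drain_body(inp, headers)
    response = build_redirect(target_host)
    out.write(response)
    out.flush()
    return request_line, drained, response


def respond_to(raw_request: bytes, target_host: str = DEFAULT_HOST) -> Tuple[str, int, bytes]:
    """Feed a captured request as bytes (handy for testing without a socket)."""
    return serve(BytesIO(raw_request), BytesIO(), target_host)


if __name__ == "__main__":
    # Assumed inetd.conf equivalent (argv[0] precedes the real argument):
    #   http stream tcp nowait nobody /usr/local/bin/redirect.py redirect.py testhost.domain
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    serve(sys.stdin.buffer, sys.stdout.buffer, host)
```

Pointing the inetd line at this script in place of redirect.pl is the only integration step; watching the close in ethereal for a FIN rather than a RST on the gateway side is the quickest way to tell whether unread request data was the cause.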


