First, the concept. Hand out a fake gateway address to unregistered computers. Said gateway uses iptables rules to reject all traffic except port 80. Port 80 traffic gets DNAT'd to a host (same host as fake gateway, in example below) which replies to port 80 traffic with a redirect to the URL of a registration page. I've done this, and it works perfectly. As long as I'm running my browser from Linux. When I switch to Windows, no matter whether I use Mozilla or IE, it sometimes works, but sometimes doesn't. The other odd thing is, that if I do 'telnet gateway 80' in Windows, I get the expected redirect HTTP/HTML text every time. Another curiosity is that when I run ethereal on the fake gateway machine, and watch all traffic to/from the Windows box, I see the same pattern of traffic on successful page loads as on failed page loads. Any ideas why this might behave so erratically? I've included the skeleton of the aforementioned scripts below:

______________ iptables setup

#!/bin/sh
THISIP="10.0.0.1"
THISNET="10.0.0.0/8"
REGWEBIP="10.0.0.1"
REGWEBPORT="80"
PUB="eth0"
IPTABLES="/sbin/iptables"

echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -A OUTPUT --match state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT
# Every inbound port-80 connection from the public side lands on the registration web server
$IPTABLES -t nat -A PREROUTING -i $PUB -p tcp --dport 80 -j DNAT --to-destination $REGWEBIP:$REGWEBPORT
$IPTABLES -t nat -A POSTROUTING -d $REGWEBIP -p tcp --dport $REGWEBPORT -s $THISNET -j SNAT --to-source $THISIP
$IPTABLES -A INPUT -d 127.0.0.1 -i lo -j ACCEPT
# Added to match the stated intent (reject everything except port 80): without an ACCEPT for
# NEW connections to the registration port, the final REJECT below turns the DNAT'd SYN away
$IPTABLES -A INPUT -p tcp --dport $REGWEBPORT --match state --state NEW -j ACCEPT
$IPTABLES -A INPUT -j REJECT --reject-with icmp-net-prohibited

____________________________ /etc/inetd.conf on $REGWEBIP

http stream tcp nowait nobody /usr/local/bin/redirect.pl testhost.domain

___________ redirect.pl

#!/usr/bin/perl
# thanks to Joe.Smith at MCI.com
# inetd hands us the registration host as the first argument; stdin/stdout are the client socket
$otherhost = @ARGV ? $ARGV[0] : "testhost.domain";
# The empty line after Content-Type is required: it terminates the HTTP header block
$message = <<EOM;
HTTP/1.0 302 redirect
Status: 302 Relocate status
Location: http://$otherhost/test/
Content-Type: text/html

<html>
<head>
<title>Off Campus Restricted</title>
</head>
<body>
<h1>Off Campus Restricted</h1>
<p>Your computer has not been registered. You must complete the
<a href="http://$otherhost/test/">registration process</a> before
being allowed off-campus access.</p>
</body>
</html>
EOM
$message =~ s/\n/\r\n/gm;   # Convert to netascii form, CR+LF
print $message;             # Tell the browser to go away
exit;

-- 
Ron Peterson                -o)
87 Taylor Street            /\\
Granby, MA 01033            _\_v
https://www.yellowbank.com/ ----
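As an added example (not the poster's code), here is a Python re-implementation of the inetd responder that reads the client's request line and headers before answering, and emits a response with CRLF line endings, the header-terminating blank line and a Content-Length. Closing a socket with unread request bytes still in the receive buffer makes the kernel send RST rather than FIN, and some client TCP stacks then discard a reply they have already received, so consuming the request first is one failure mode worth ruling out when a redirect only sometimes renders; the registration URL http://testhost.domain/test/ is taken from the post, and the function names are my own.

```python
import io
import sys

# Registration page from the post's redirect.pl (assumed, not a real host)
REGISTRATION_URL = "http://testhost.domain/test/"


def build_redirect(location):
    """Build a complete HTTP/1.0 302 response as bytes: CRLF line endings,
    a blank line between headers and body, and a Content-Length so the
    client knows where the body ends even if the connection lingers."""
    body = (
        "<html><head><title>Off Campus Restricted</title></head>\n"
        "<body><h1>Off Campus Restricted</h1>\n"
        "<p>Your computer has not been registered. You must complete the\n"
        f'<a href="{location}">registration process</a> before being allowed\n'
        "off-campus access.</p></body></html>\n"
    ).encode("ascii")
    headers = [
        "HTTP/1.0 302 Found",
        f"Location: {location}",
        "Content-Type: text/html",
        f"Content-Length: {len(body)}",
        "Connection: close",
    ]
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body


def read_request(rfile):
    """Consume the request line and headers up to the blank line, so the
    socket is not closed with unread data (which triggers an RST)."""
    request_line = rfile.readline().decode("latin-1").rstrip("\r\n")
    headers = {}
    while True:
        line = rfile.readline()
        if not line or line in (b"\r\n", b"\n"):  # EOF or end of headers
            break
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def handle(rfile, wfile, location=REGISTRATION_URL):
    """Serve one client: read its request, then send the redirect."""
    request_line, _ = read_request(rfile)
    wfile.write(build_redirect(location))
    wfile.flush()
    return request_line


def respond_to(raw_request):
    """Feed a captured request (bytes); get (request_line, response_bytes)."""
    rfile, wfile = io.BytesIO(raw_request), io.BytesIO()
    return handle(rfile, wfile), wfile.getvalue()


if __name__ == "__main__":
    handle(sys.stdin.buffer, sys.stdout.buffer)  # under inetd, stdio is the socket
```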