I'm managing a linux firewall, using shorewall, for internet access for a charity.

I sometimes need to find out who a specific computer belongs to. (most users have their own laptop)

I was thinking of using a hotspot style login page to get a list of users / mac addresses. Of the peg hotspot software, like chillispot, don't work for me as they want to much control and are overkill.

Was trying to set this up by giving out a different gateway for unknown users, then forward any web traffic using this gateway to my own webserver. From there I can build the rest with php / mysql.

Problem I am running into is that shorewall isn't playing nicely with virtual ethernet cards.

I need to forward all web traffic using eth1:0 as the gateway to the webserver running on eth1:0

This would be quite easy using an extra ethernet card, but am really trying to keep this to a virtual one

Any help on how to do this, or other ideas on how to accomplish the main idea of having someone give their name so that can be logged against their mac address before they can use the internet would be much appreciated.

Just solved the problem and thought I'd put the solution here in case it is being picked up by google.

Tried to solve this using REDIRECT, but needed to use DNAT.
Hadn't thought of that because DNAT is usually used to redirect traffic from outside to a server inside.

Also, didn't come up with a way of using the gateway and am now using an ip block instead.
Following is part of my /etc/shorewall/rules file:


REDIRECT loc:!10.0.3.15-10.0.3.35 8080 tcp 80 - !10.0.3.1,10.0.3.2
DNAT loc:10.0.3.15-10.0.3.35 loc:10.0.3.2:80 tcp 80 - !10.0.3.2


I am capturing all traffic on port 80 to go to the transparent proxy on port 8080, except for traffic going to the firewall itself
All traffic coming from a small portion of the available ip addresses on port 80 is being forwarded to the virtual interface on the firewall

10.0.3.2 is a virtual interface hanging on 10.0.3.1