Old 09-07-2011, 08:52 PM   #1
slac-in-the-box
Member
 
Registered: Mar 2010
Location: oregon
Distribution: slackware64-15.0 / slarm64-current
Posts: 779
Blog Entries: 1

Rep: Reputation: 432
captive portal help using iptables to forward udp 53 (dns) to local nameserver


nut is the hostname of a slackware-13.37 gateway box that has a static public ip assigned to eth0 and a static private ip assigned to eth1, and, to its internal network, it provides dhcpd service, nat service on the same port range as the dhcpd, network time service (ntpd), and iptables filtering and traffic shaping... the latter is what I need help with.

iptables is controlled with the /etc/rc.d/rc.firewall script that I created using this easy firewall generator.

this is a tinkering gateway... it's at my tinkershop, and is by no means an enterprise or production environment... I'm just fiddling around trying to learn something... today I'm fiddling with captive portal

I know I can use ddwrt and nocat, radius, etc. to achieve wireless captive portal... but my wireless routers are in bridge mode, bridging to the LAN that nut is a gateway for... and there is ethernet access to this LAN, and so I want my captive portal to capture (and free) wired and wireless clients...

I've found threads suggesting I use squid to do this too...

however, it seems to me like what I'm doing should work, yet it isn't, so I need to find out whether it can work and I should keep trying, or whether I should try the squid method...

Sorry to be so wordy, but hopefully nobody will tell me that they need more info to help me out...

So to create the captive portal, I configured BIND on this gateway, and configured it to always give gateway's own internal address as answers to all DNS queries... then I configured dhcpd to set client dns to the gateway... then I configured apache to serve a default page to everything, and the error page forwards to the default page. The result: a captive portal! Any client connected through dhcp gets the default page no matter what URL they type into their browser!

It is freeing this client that I have trouble with.

I have another BIND process running on a separate box on the LAN, configured to forward all queries to my ISP's real nameservers, and if I dig at that box I get correct dns responses!

I can use HTTP's environmental variables to get the ip address of the visitor to the captive portal page, and I can then look up the mac address in the gateway's ARP table...

So armed with the mac address, I am trying to create iptables rules to forward all udp 53 (dns) requests that are addressed to the gateway to the other nameserver on the LAN that actually gives out real ip addresses.

Based on my understanding of this iptables tutorial, I believe that I need to use the "-j DNAT" in the PREROUTING chain of the nat table, to change the destination address of this udp 53 request to the address of the dns server on the LAN that I want to use...

the rule I added to the generated /etc/rc.d/rc.firewall script was added to the section near the end that said NAT PREROUTING... and it looks like this:

Code:
# given that
IPT="full path to iptables"
LOCAL_IFACE="eth1"
LOCAL_IP="ip address this gateway box"
NS1="local ip address of nameserver I want to use"
MAC="the mac address I looked up"

# then the line I inserted looked like this:
$IPT -t nat -A PREROUTING -p udp -i $LOCAL_IFACE -d $LOCAL_IP --dport 53 -m mac --mac-source $MAC -j DNAT --to-destination $NS1
So now that this packet has been given a new destination address, it should enter the FORWARD chain, so I created a rule in this chain as such:

Code:
$IPT -A FORWARD -p udp -i $LOCAL_IFACE --dport 53 -j ACCEPT
After /etc/rc.d/rc.firewall restart, something does happen: my requests no longer reach the BIND running on the gateway... if, from a dhcp connected client, I use dig or nslookup to query this BIND, I get a "no servers could be reached" error... I was hoping that the request would be forwarded to the nameserver I am aiming at, and that it would answer correctly...

what have I missed?
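An added example for the setup described in this post (it is not the poster's rc.firewall): a small script that prints, or with APPLY=1 runs, the rules that free one client's DNS. It assumes the LAN nameserver NS1 is on the same subnet as the clients, so the DNATed query leaves eth1 again and needs a matching SNAT for the reply to come back through the gateway; the addresses and MAC are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the poster's rc.firewall. Prints (or, with APPLY=1, runs) the
# iptables rules that "free" one client's DNS on the captive portal described above.
# Addresses and the MAC are constructed placeholders; adjust to the real LAN.
IPT="${IPT:-iptables}"
LOCAL_IFACE="${LOCAL_IFACE:-eth1}"
LOCAL_IP="${LOCAL_IP:-192.168.1.1}"   # gateway's eth1 address; its own BIND answers this for every name
NS1="${NS1:-192.168.1.53}"            # LAN nameserver that forwards to the ISP's resolvers

# Rules installed once. NS1 sits on the same subnet as the clients, so a query that is
# DNATed to it leaves the gateway through eth1 again (hairpin). Without the SNAT, NS1
# would answer the client directly from its own address and the client's resolver,
# which asked LOCAL_IP, would discard the reply ("no servers could be reached").
# --ctstate DNAT limits the SNAT to exactly the redirected queries.
portal_base_rules() {
    echo "$IPT -t nat -A POSTROUTING -o $LOCAL_IFACE -p udp -d $NS1 --dport 53 -m conntrack --ctstate DNAT -j SNAT --to-source $LOCAL_IP"
    echo "$IPT -A FORWARD -i $LOCAL_IFACE -o $LOCAL_IFACE -p udp -d $NS1 --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    echo "$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Per-client rule. $1 = MAC from the gateway's ARP table, $2 = -A (free) or -D (re-capture).
# The MAC was derived from an HTTP client's address, so validate it before it reaches a root command.
free_client_dns_rules() {
    mac="$1"; act="${2:--A}"
    printf '%s' "$mac" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    echo "$IPT -t nat $act PREROUTING -i $LOCAL_IFACE -p udp -d $LOCAL_IP --dport 53 -m mac --mac-source $mac -j DNAT --to-destination $NS1"
}

# A MAC is trivially changed by the client, so treat a freed entry as a session
# (remove it again with -D after a timeout) rather than as proof of identity.
CLIENT_MAC="${CLIENT_MAC:-00:11:22:33:44:55}"   # constructed sample value
if [ "${APPLY:-0}" = 1 ]; then
    { portal_base_rules; free_client_dns_rules "$CLIENT_MAC"; } | sh
else
    portal_base_rules
    free_client_dns_rules "$CLIENT_MAC"
fi
```

Run without APPLY to review the generated rules first; the base rules belong in the NAT POSTROUTING and FORWARD sections of the generated script, the per-client rule is what the portal page adds and later removes.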