* Wireless Login Page
@ 2007-04-26 16:48 Kirk Wallace
  2007-04-27 11:41 ` Alex
  2007-04-28 17:32 ` Alex
From: Kirk Wallace @ 2007-04-26 16:48 UTC (permalink / raw)
  To: netfilter

I have a wireless card installed on a Fedora 4 system. I have the wireless
connection open, DHCP enabled and have disabled forwarding for the
"open" network. I use Poptop and Radius to authenticate and assign IP
addresses on the tunnel and then allow forwarding for the tunnel address
range. I now want to have all http requests from the "open" network to
be directed to an opening/login page on the wireless server. Can this be
done with iptables (conntrack?)? Would anyone suggest links or keywords
for finding more information? Thank you.

Kirk




* Re: Wireless Login Page
  2007-04-26 16:48 Wireless Login Page Kirk Wallace
@ 2007-04-27 11:41 ` Alex
  2007-04-27 15:17   ` Jan Engelhardt
  2007-04-28 17:32 ` Alex
From: Alex @ 2007-04-27 11:41 UTC (permalink / raw)
  To: Kirk Wallace, netfilter

You don't need conntrack for the redirection part. I've achieved the same
thing on my router using -j REDIRECT.

You could do it for only port 80 traffic, but I've done it for all traffic.
You get some entertaining attempts from people trying to work out why they
have a valid DHCP lease but no internet connectivity.

----- Original Message ----- 
From: "Kirk Wallace" <kwallace@wallacecompany.com>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, April 26, 2007 5:48 PM
Subject: Wireless Login Page


> I have a wireless card installed on a Fedora 4 system. I have the wireless
> connection open, DHCP enabled and have disabled forwarding for the
> "open" network. I use Poptop and Radius to authenticate and assign IP
> addresses on the tunnel and then allow forwarding for the tunnel address
> range. I now want to have all http requests from the "open" network to
> be directed to an opening/login page on the wireless server. Can this be
> done with iptables (conntrack?)? Would anyone suggest links or keywords
> for finding more information? Thank you.
>
> Kirk




* Re: Wireless Login Page
  2007-04-27 11:41 ` Alex
@ 2007-04-27 15:17   ` Jan Engelhardt
From: Jan Engelhardt @ 2007-04-27 15:17 UTC (permalink / raw)
  To: Alex; +Cc: netfilter


On Apr 27 2007 12:41, Alex wrote:
>
> You don't need conntrack for the redirection part. I've achieved the same thing
> on my router using -j REDIRECT

REDIRECT does use connection tracking (by means of a NAT mapping).


Jan



* Re: Wireless Login Page
  2007-04-26 16:48 Wireless Login Page Kirk Wallace
  2007-04-27 11:41 ` Alex
@ 2007-04-28 17:32 ` Alex
From: Alex @ 2007-04-28 17:32 UTC (permalink / raw)
  To: Kirk Wallace, netfilter

TBH this site can explain -j REDIRECT better than I could.
http://security.maruhn.com/iptables-tutorial/x10065.html

Is the machine that's doing the NATing the same as the one with the httpd?
This has to be the case for redirect to work as you require it. Otherwise,
maybe you could use squid to proxy?

----- Original Message ----- 
From: "Kirk Wallace" <kwallace@wallacecompany.com>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, April 26, 2007 5:48 PM
Subject: Wireless Login Page


> I have a wireless card installed on a Fedora 4 system. I have the wireless
> connection open, DHCP enabled and have disabled forwarding for the
> "open" network. I use Poptop and Radius to authenticate and assign IP
> addresses on the tunnel and then allow forwarding for the tunnel address
> range. I now want to have all http requests from the "open" network to
> be directed to an opening/login page on the wireless server. Can this be
> done with iptables (conntrack?)? Would anyone suggest links or keywords
> for finding more information? Thank you.
>
> Kirk




* RE: Wireless Login Page
  2007-05-04 19:35 Kirk Wallace
@ 2007-05-10  5:14 ` Brent Wilkinson
From: Brent Wilkinson @ 2007-05-10  5:14 UTC (permalink / raw)
  To: netfilter

Sorry, just noticed this. From what it sounds like, you are describing a
captive portal. I have set up a few systems that do this.

Basically how it works is you let them get an IP address from the DHCP
server. Once they have this IP address they then open up a website. What the
captive portal does is redirect the HTTP packets to your server (your
firewall needs to also rewrite the header IP address they are requesting so
your web server likes it).

I would be happy to forward a working rc.firewall file with it already
pre-set up. The ones I have allow a person to visit certain pages like my web
page and the hotel's web page but don't allow them to visit anything else.

Now if you want to get more complicated, like charging them for a certain
amount of time and then after that time expires, you need to use APs that
support RADIUS and use a RADIUS server for timing, or use what's called
NoCat.

Thanks
Brent
Air2Data.com

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Kirk Wallace
Sent: Friday, May 04, 2007 1:35 PM
To: netfilter@lists.netfilter.org
Subject: Re: Wireless Login Page

On Wed, 2007-05-02 at 19:18 +0200, Michelle Konzack wrote:
> Hello Kirk and *,
> 
> On 2007-04-28 11:43:27, Kirk Wallace wrote:
> > I was using 192.168.21.2 just to test whether httpd would respond to any
> > IP address sent on the 192.168.21.0/24 address space.
> > 
> > I envision that a person would boot their wireless laptop and scan for
> > hotspots. They would see my hotspot and connect. Then my DHCP server
> > would give the laptop an IP address, subnet mask, gateway address, DNS1
> > and DNS2. Then the user would start firefox and try to open a link to
> > anywhere.com, but I have FORWARD denied to all but logged in users
> > (which have a tunnel IP address on another subnet). At this point, I
> > want the anywhere.com request to invoke the httpd on the wireless router
> > to reply with a login page. Currently dhcpd, httpd, radiusd and pptpd
> > are on the same PC.
> 
> This is exactly what I want to do too.
> 
> But if the $CLIENT has gotten its DHCP IP address, then ANY
> connections (any ports except DNS and DHCP) must be blocked
> until the user has once started a web browser and authenticated.

If the above comment relates to restricting the wireless client's access
to providing only a login, I do that by setting the policy for INPUT and
OUTPUT to ACCEPT, then FORWARD to DROP. Then I add a rule to FORWARD to
allow forwarding of the tunnel traffic. Users cannot get to the Internet
without first logging in and being assigned a tunnel IP address. The
wireless clients have access to all the open ports running locally on
the wireless router.

> I was thinking that if the $USER opens a connection plus auth,
> the connection will be dropped, for example, 5 minutes after the
> last traffic going over the interface with the specified MAC/IP.

Currently, I allow my clients a full time connection. In fact I have set
them all up with an OpenWRT router with pptpd and a five minute ping
from cron to keep the connection alive. I use the ifconfig data to
record the tunnel traffic (ppp0, ppp1, ...) then cross reference this
with the Radius data in order to bill based on a user's data volume.

> I have not found any examples of how to do this.
> 
> Would you like to share your config?
> 
> And especially how you have set up your "first-connect" page to auth?

Well, that's my problem, I don't have an authorization page yet.
Currently, I have to pre-configure a client's router or PC to log in
using pptp. I would like to have a client cruise for hotspots and if
they find mine, then be able to connect themselves.

My first goal is to just figure out how to get an opening page on a
person's screen, after they have found my hotspot. After selecting my
ssid, I am assuming that the client would have their PC set up to get the
connection settings from DHCP. Then I am assuming that they would
recognize that they have a valid connection and try to browse the
Internet. At this point, I want the wireless router to detect the http
request and reply to that request with my opening page instead. The more
I am learning about this, the more I think that iptables is just part of
the solution, but I don't yet know enough to realize what I need to
know.

Below is my iptables-related configuration so far.
~~~~~~~~~~
root@ls:~# cat /etc/rc.d/rc.local
#!/bin/sh
#
# /etc/rc.d/rc.local:  Local system initialization script.
#
# Put any local setup commands in here:

# Fix iwconfig mode problem called from rc.wireless 20060927 KW
/usr/bin/wlanconfig ath0 destroy
/usr/bin/wlanconfig ath0 create wlandev wifi0 wlanmode Master

# rc.wireless seems to have a problem with essid and channel too 20060927 KW
/sbin/iwconfig ath0 essid walco04 channel 10

# Todo - make these autoload as normal rc files do
/etc/rc.d/rc.wlvpn_iptab
/etc/rc.d/rc.pptpd
/etc/rc.d/rc.radiusd
/etc/rc.d/rc.dhcpd

~~~~~~~~~~~~~~~

root@ls:~# cat /etc/rc.d/rc.wlvpn_iptab
#!/bin/sh
#
# wlvpn_iptab.sh - 20060926 KW
# Set IP tables to forward only wireless VPN traffic

wlvpn_iptab_start() {
/usr/sbin/iptables -F
/usr/sbin/iptables -t nat -F

/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -P FORWARD DROP

/usr/sbin/iptables -A INPUT -s 0/0 -d 0/0 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -s 0/0 -d 0/0 -j ACCEPT

/usr/sbin/iptables --table nat --append POSTROUTING \
      --out-interface eth0 --jump SNAT --to-source 192.168.12.7
/usr/sbin/iptables -A FORWARD -s 192.168.123.0/24 -d 0/0 -j ACCEPT
/usr/sbin/iptables -A FORWARD -s 0/0 -d 192.168.123.0/24 -j ACCEPT
}

# Stop VPN forwarding:
wlvpn_iptab_stop() {
/usr/sbin/iptables -F
/usr/sbin/iptables -t nat -F

/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT

/usr/sbin/iptables -A INPUT -s 0/0 -d 0/0 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -s 0/0 -d 0/0 -j ACCEPT
/usr/sbin/iptables -A FORWARD -s 0/0 -d 0/0 -j ACCEPT

}

# Restart IP packet forwarding:
wlvpn_iptab_restart() {
  wlvpn_iptab_stop
  sleep 1
  wlvpn_iptab_start
}

case "$1" in
'start')
  wlvpn_iptab_start
  ;;
'stop')
  wlvpn_iptab_stop
  ;;
'restart')
  wlvpn_iptab_restart
  ;;
*)
 # Default is "start", for backwards compatibility with previous
 # Slackware versions. This may change to a 'usage' error someday.
 wlvpn_iptab_start
esac

> Greetings
>     Michelle Konzack
>     Systemadministrator
>     Tamay Dogan Network
>     Debian GNU/Linux Consultant
> 
> 
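
The mechanism Brent describes, built on the FORWARD DROP design of Kirk's rc.wlvpn_iptab, as an added example that is not code from the thread: port-80 traffic arriving on the open wireless interface is REDIRECTed to the local httpd holding the login page, while only the pptpd tunnel subnet is forwarded. The interface names, the portal port and the dry-run IPT variable are assumptions; the addresses are taken from Kirk's script.

```shell
#!/bin/sh
# Captive-portal variant of Kirk's rc.wlvpn_iptab (added example, not from
# the thread). Unauthenticated wireless clients on ath0 have their port-80
# traffic REDIRECTed to the local httpd; only the pptpd tunnel subnet is
# forwarded out of eth0. Interface names and the portal port are assumptions.
# IPT defaults to a dry run that prints the rules; run as root with
# IPT=/usr/sbin/iptables to apply them.
IPT="${IPT:-echo iptables}"
WLAN_IF="${WLAN_IF:-ath0}"            # open wireless network (assumed)
WAN_IF="eth0"                         # upstream interface (Kirk's script)
WAN_IP="192.168.12.7"                 # SNAT source address (Kirk's script)
TUNNEL_NET="192.168.123.0/24"         # pptpd address pool (Kirk's script)
PORTAL_PORT="${PORTAL_PORT:-80}"      # local httpd with the login page (assumed)

portal_start() {
    $IPT -F
    $IPT -t nat -F

    # Same policies as Kirk's script: the router itself answers (DHCP, DNS,
    # httpd, pptpd); nothing is forwarded unless a rule below allows it.
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP

    # HTTP from the open network is rewritten to the local httpd. REDIRECT
    # is a DNAT to the primary address of the incoming interface; conntrack
    # stores the mapping so the replies are un-NATed (Jan's point). The
    # browser still sends "Host: anywhere.com", so httpd must serve the
    # login page as its default virtual host (Brent's point). Matching on
    # -i ath0 leaves tunnelled (ppp+) traffic alone, so logged-in users
    # browse normally.
    $IPT -t nat -A PREROUTING -i "$WLAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PORTAL_PORT"

    # Only tunnel addresses are forwarded, which is what makes the login
    # mandatory (Michelle's requirement). Everything else from ath0 hits
    # the FORWARD DROP policy, including DNS to outside resolvers, so the
    # DHCP lease must point clients at a resolver on the router itself or
    # the browser never issues the HTTP request that gets redirected.
    $IPT -A FORWARD -s "$TUNNEL_NET" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -d "$TUNNEL_NET" -i "$WAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

portal_stop() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P FORWARD ACCEPT
}

case "${1:-}" in
    start)   portal_start ;;
    stop)    portal_stop ;;
    restart) portal_stop; sleep 1; portal_start ;;
    *)       echo "usage: $0 {start|stop|restart}" >&2 ;;
esac
```

Run it without IPT set to see the rules it would install before applying them on the router.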







* Re: Wireless Login Page
@ 2007-05-04 19:35 Kirk Wallace
  2007-05-10  5:14 ` Brent Wilkinson
From: Kirk Wallace @ 2007-05-04 19:35 UTC (permalink / raw)
  To: netfilter

On Wed, 2007-05-02 at 19:18 +0200, Michelle Konzack wrote:
> Hello Kirk and *,
> 
> On 2007-04-28 11:43:27, Kirk Wallace wrote:
> > I was using 192.168.21.2 just to test whether httpd would respond to any
> > IP address sent on the 192.168.21.0/24 address space.
> > 
> > I envision that a person would boot their wireless laptop and scan for
> > hotspots. They would see my hotspot and connect. Then my DHCP server
> > would give the laptop an IP address, subnet mask, gateway address, DNS1
> > and DNS2. Then the user would start firefox and try to open a link to
> > anywhere.com, but I have FORWARD denied to all but logged in users
> > (which have a tunnel IP address on another subnet). At this point, I
> > want the anywhere.com request to invoke the httpd on the wireless router
> > to reply with a login page. Currently dhcpd, httpd, radiusd and pptpd
> > are on the same PC.
> 
> This is exactly what I want to do too.
> 
> But if the $CLIENT has gotten its DHCP IP address, then ANY
> connections (any ports except DNS and DHCP) must be blocked
> until the user has once started a web browser and authenticated.

If the above comment relates to restricting the wireless client's access
to providing only a login, I do that by setting the policy for INPUT and
OUTPUT to ACCEPT, then FORWARD to DROP. Then I add a rule to FORWARD to
allow forwarding of the tunnel traffic. Users cannot get to the Internet
without first logging in and being assigned a tunnel IP address. The
wireless clients have access to all the open ports running locally on
the wireless router.

> I was thinking that if the $USER opens a connection plus auth,
> the connection will be dropped, for example, 5 minutes after the
> last traffic going over the interface with the specified MAC/IP.

Currently, I allow my clients a full time connection. In fact I have set
them all up with an OpenWRT router with pptpd and a five minute ping
from cron to keep the connection alive. I use the ifconfig data to
record the tunnel traffic (ppp0, ppp1, ...) then cross reference this
with the Radius data in order to bill based on a user's data volume.

> I have not found any examples of how to do this.
> 
> Would you like to share your config?
> 
> And especially how you have set up your "first-connect" page to auth?

Well, that's my problem, I don't have an authorization page yet.
Currently, I have to pre-configure a client's router or PC to log in
using pptp. I would like to have a client cruise for hotspots and if
they find mine, then be able to connect themselves.

My first goal is to just figure out how to get an opening page on a
person's screen, after they have found my hotspot. After selecting my
ssid, I am assuming that the client would have their PC set up to get the
connection settings from DHCP. Then I am assuming that they would
recognize that they have a valid connection and try to browse the
Internet. At this point, I want the wireless router to detect the http
request and reply to that request with my opening page instead. The more
I am learning about this, the more I think that iptables is just part of
the solution, but I don't yet know enough to realize what I need to
know.

Below is my iptables-related configuration so far.
~~~~~~~~~~
root@ls:~# cat /etc/rc.d/rc.local
#!/bin/sh
#
# /etc/rc.d/rc.local:  Local system initialization script.
#
# Put any local setup commands in here:

# Fix iwconfig mode problem called from rc.wireless 20060927 KW
/usr/bin/wlanconfig ath0 destroy
/usr/bin/wlanconfig ath0 create wlandev wifi0 wlanmode Master

# rc.wireless seems to have a problem with essid and channel too 20060927 KW
/sbin/iwconfig ath0 essid walco04 channel 10

# Todo - make these autoload as normal rc files do
/etc/rc.d/rc.wlvpn_iptab
/etc/rc.d/rc.pptpd
/etc/rc.d/rc.radiusd
/etc/rc.d/rc.dhcpd

~~~~~~~~~~~~~~~

root@ls:~# cat /etc/rc.d/rc.wlvpn_iptab
#!/bin/sh
#
# wlvpn_iptab.sh - 20060926 KW
# Set IP tables to forward only wireless VPN traffic

wlvpn_iptab_start() {
/usr/sbin/iptables -F
/usr/sbin/iptables -t nat -F

/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -P FORWARD DROP

/usr/sbin/iptables -A INPUT -s 0/0 -d 0/0 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -s 0/0 -d 0/0 -j ACCEPT

/usr/sbin/iptables --table nat --append POSTROUTING \
      --out-interface eth0 --jump SNAT --to-source 192.168.12.7
/usr/sbin/iptables -A FORWARD -s 192.168.123.0/24 -d 0/0 -j ACCEPT
/usr/sbin/iptables -A FORWARD -s 0/0 -d 192.168.123.0/24 -j ACCEPT
}

# Stop VPN forwarding:
wlvpn_iptab_stop() {
/usr/sbin/iptables -F
/usr/sbin/iptables -t nat -F

/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT

/usr/sbin/iptables -A INPUT -s 0/0 -d 0/0 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -s 0/0 -d 0/0 -j ACCEPT
/usr/sbin/iptables -A FORWARD -s 0/0 -d 0/0 -j ACCEPT

}

# Restart IP packet forwarding:
wlvpn_iptab_restart() {
  wlvpn_iptab_stop
  sleep 1
  wlvpn_iptab_start
}

case "$1" in
'start')
  wlvpn_iptab_start
  ;;
'stop')
  wlvpn_iptab_stop
  ;;
'restart')
  wlvpn_iptab_restart
  ;;
*)
 # Default is "start", for backwards compatibility with previous
 # Slackware versions. This may change to a 'usage' error someday.
 wlvpn_iptab_start
esac

> Greetings
>     Michelle Konzack
>     Systemadministrator
>     Tamay Dogan Network
>     Debian GNU/Linux Consultant
> 
> 





* Re: Wireless Login Page
  2007-04-28 18:43   ` Wireless Login Page Kirk Wallace
@ 2007-05-02 17:18     ` Michelle Konzack
From: Michelle Konzack @ 2007-05-02 17:18 UTC (permalink / raw)
  To: netfilter


Hello Kirk and *,

On 2007-04-28 11:43:27, Kirk Wallace wrote:
> I was using 192.168.21.2 just to test whether httpd would respond to any
> IP address sent on the 192.168.21.0/24 address space. 
> 
> I envision that a person would boot their wireless laptop and scan for
> hotspots. They would see my hotspot and connect. Then my DHCP server
> would give the laptop an IP address, subnet mask, gateway address, DNS1
> and DNS2. Then the user would start firefox and try to open a link to
> anywhere.com, but I have FORWARD denied to all but logged in users
> (which have a tunnel IP address on another subnet). At this point, I
> want the anywhere.com request to invoke the httpd on the wireless router
> to reply with a login page. Currently dhcpd, httpd, radiusd and pptpd
> are on the same PC.

This is exactly what I want to do too.

But if the $CLIENT has gotten its DHCP IP address, then ANY
connections (any ports except DNS and DHCP) must be blocked
until the user has once started a web browser and authenticated.

I was thinking that if the $USER opens a connection plus auth,
the connection will be dropped, for example, 5 minutes after the
last traffic going over the interface with the specified MAC/IP.

I have not found any examples of how to do this.

Would you like to share your config?

And especially how you have set up your "first-connect" page to auth?

Greetings
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant





* Wireless Login Page
  2007-04-28 17:45 ` Daniel Lopes
@ 2007-04-28 18:43   ` Kirk Wallace
  2007-05-02 17:18     ` Michelle Konzack
From: Kirk Wallace @ 2007-04-28 18:43 UTC (permalink / raw)
  To: netfilter

On Sat, 2007-04-28 at 19:45 +0200, Daniel Lopes wrote:
> Kirk Wallace wrote:
> > (This may be a duplicate message, KW)
> > 
> > Thank you for the replies Alex and Jan.
> > 
> > I set up a test system with two PC's. PC one has Apache httpd running on
> > it with iptables flushed, defaults set to accept all packets and is at
> > 192.168.21.1 . PC two is simply a workstation at 192.168.21.10 . I can
> > get my default webpage by pointing the workstation's browser to
> > 192.168.21.1 . I invoked "iptables -t nat -A PREROUTING -p TCP --dport
> > 80 -j REDIRECT" on the http host. At this point I was expecting to point
> > the workstation's browser to 192.168.21.2 and get the default webpage,
> > but this returned "Unable to Connect".
> > 
> 
> Hi,
> 
> I don't really understand what you are trying. When your browser
> connects to 192.168.21.2 and there is no webserver running it will not
> be able to connect, logically. If you want to redirect traffic destined
> to 192.168.21.1 to 192.168.21.2, then -j DNAT --to-destination
> 192.168.21.2 is your friend, not -j REDIRECT. This will redirect all
> traffic to the local machine.

On Sat, 2007-04-28 at 18:32 +0100, Alex wrote: 
> TBH this site can explain -j REDIRECT better than I could.
> http://security.maruhn.com/iptables-tutorial/x10065.html
> 
> Is the machine that's doing the NATing the same as the one with the httpd?
> This has to be the case for redirect to work as you require it. Otherwise,
> maybe you could use squid to proxy?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I was using 192.168.21.2 just to test whether httpd would respond to any
IP address sent on the 192.168.21.0/24 address space. 

I envision that a person would boot their wireless laptop and scan for
hotspots. They would see my hotspot and connect. Then my DHCP server
would give the laptop an IP address, subnet mask, gateway address, DNS1
and DNS2. Then the user would start firefox and try to open a link to
anywhere.com, but I have FORWARD denied to all but logged in users
(which have a tunnel IP address on another subnet). At this point, I
want the anywhere.com request to invoke the httpd on the wireless router
to reply with a login page. Currently dhcpd, httpd, radiusd and pptpd
are on the same PC.

I was looking at Chillispot to do this but it doesn't have some of the
features I want, and I could not find documentation that would allow me
to figure out how it works. I want an application that does just what it
needs to do, that I can understand and modify as my needs change.

I have used REDIRECT to allow a pcAnywhere connection to an internal PC
from the Internet, and I still get a kick that it works, but I was able
to get it to work without fully understanding how it works. (Does that
make me a script kiddie?)

Basic List question: 

I am used to reading a message from a list, then clicking the reply
button, typing a reply and clicking send, which sends the reply back to
the list. It seems here, that I need to cut and paste the message
history and reply to a new message addressed to the list address. Is
this the proper way to use this list?

Kirk



