using_iptables_and_php_to_create_a_captive_portal

Differences

using_iptables_and_php_to_create_a_captive_portal [2018/12/06 19:48]
abeverley
using_iptables_and_php_to_create_a_captive_portal [2018/12/06 19:59]
abeverley
Line 1: Line 1:
 =====Using iptables and PHP to create a captive portal===== =====Using iptables and PHP to create a captive portal=====
 +
 +|Unfortunately I have had to lock this page, due to the amount of spam it received. If you would like to make a contribution,​ please email me, andy@andybev.com|
  
 There are various captive portal software packages available (both free and open source) that will allow you to setup an internet access facility that people have to logon to first. None of the packages I tried did what I wanted and they were not particularly customisable. Therefore I created my own, using a few iptables rules and PHP (along with a handful of other standard packages). This page details the steps that were taken. The key to this method as opposed to other iptables based solutions is that tracking information is removed after the user has signed up. Failure to do this will sometimes cause the user to still be redirected to your logon page even after they have signed up. There are various captive portal software packages available (both free and open source) that will allow you to setup an internet access facility that people have to logon to first. None of the packages I tried did what I wanted and they were not particularly customisable. Therefore I created my own, using a few iptables rules and PHP (along with a handful of other standard packages). This page details the steps that were taken. The key to this method as opposed to other iptables based solutions is that tracking information is removed after the user has signed up. Failure to do this will sometimes cause the user to still be redirected to your logon page even after they have signed up.
  
 +===== Software required =====
  
- +Any recent Linux distribution should be able to be used for these scripts. The example shown [[Setting_up_a_captive_portal_from_scratch_using_Debian|here]] uses Debian.
-==Software required== +
-Any recent Linux distribution should be able to be used for these scripts. The example shown [[Setting up a captive portal from scratch using Debian|here]] uses Debian.+
  
 The following packages need to be installed: The following packages need to be installed:
-* conntrack 
-* sudo 
-* psmisc 
-* PHP 
-* squid (if you want web caching) 
  
-With Debian, all of the above can be installed with apt-get install <​package>​.+  * conntrack 
 +  * sudo 
 +  * psmisc 
 +  * PHP 
 +  * squid (if you want web caching) 
 + 
 +With Debian, all of the above can be installed with apt-get install ​<​html>​<package></​html>.
  
 There are also other custom scripts, all of which are described below There are also other custom scripts, all of which are described below
  
-==Principle of operation==+===== Principle of operation ===== 
 This page assumes that a single server is used on a network of clients to act as a router to the internet. The server should be setup as normal to share a single internet connection (the scripts below include the required firewall rules). On the server a number of iptables firewall rules are used to block a client accessing the internet until they have registered. Registration is carried out by a user browsing to any website, after which they are redirected to a signup webpage (served using Apache and PHP on the server). Once the user has completed the signup form, the client is allowed unrestricted access to the internet. This page assumes that a single server is used on a network of clients to act as a router to the internet. The server should be setup as normal to share a single internet connection (the scripts below include the required firewall rules). On the server a number of iptables firewall rules are used to block a client accessing the internet until they have registered. Registration is carried out by a user browsing to any website, after which they are redirected to a signup webpage (served using Apache and PHP on the server). Once the user has completed the signup form, the client is allowed unrestricted access to the internet.
- 
  
 Firewall rules are configured to: Firewall rules are configured to:
-* MARK any traffic from an unrecognised client with the number 99 + 
-* DROP any traffic marked 99 +  ​* MARK any traffic from an unrecognised client with the number 99 
-* Redirect to the localhost any traffic for port 80 that is MARKed 99+  * DROP any traffic marked 99 
 +  * Redirect to the localhost any traffic for port 80 that is MARKed 99 
 The localhost contains PHP scripts that add firewall rules 'on the fly' as people sign up on the webpage. These rules stop the client'​s traffic being MARKed 99. In addition, all registered PCs have their MAC address written to a file that is used on reboot to re-enable those clients. The localhost contains PHP scripts that add firewall rules 'on the fly' as people sign up on the webpage. These rules stop the client'​s traffic being MARKed 99. In addition, all registered PCs have their MAC address written to a file that is used on reboot to re-enable those clients.
  
-==The users files==+===== The users files ===== 
 In this example a flat file is used to store all the details of users already registered (/​var/​lib/​users). Depending on your Apache setup, you may need to locate the file in the Apache root directory. It is in the following format: In this example a flat file is used to store all the details of users already registered (/​var/​lib/​users). Depending on your Apache setup, you may need to locate the file in the Apache root directory. It is in the following format:
  
-Name  <​tab> ​ Email  <​tab> ​ Client IP  <​tab> ​ Client MAC  <​tab> ​ Date+Name <​html>​<tab></​html> ​Email <​html>​<tab></​html> ​Client IP <​html>​<tab></​html> ​Client MAC <​html>​<tab></​html> ​Date
  
-==Firewall rules required== +===== Firewall rules required ​===== 
-<​strong>​By andy@andybev.com (Apr 2011) - I have just updated these rules again, this time to move the MARKing into the mangle table and keep the DNAT in the nat table. I have not tested them yet though; please let me know if there are any problems.</​strong>​+ 
 +<​html>​<strong></​html>By andy@andybev.com (Apr 2011) - I have just updated these rules again, this time to move the MARKing into the mangle table and keep the DNAT in the nat table. I have not tested them yet though; please let me know if there are any problems.<​html>​</strong></​html>
  
 The following iptables rules are needed in your firewall. Add them to your system'​s firewall scripts, or alternatively put them in their own file, make it executable, and force it to run at system startup. The following iptables rules are needed in your firewall. Add them to your system'​s firewall scripts, or alternatively put them in their own file, make it executable, and force it to run at system startup.
  
-<​code><​pre>+<​html>​<​code><​/html> 
 IPTABLES=/​sbin/​iptables IPTABLES=/​sbin/​iptables
  
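Review bot: the `<html>...</html>` wrappers introduced around `<package>` in the apt-get line and around `<tab>` in the users-file format line are rendered as real HTML tags and vanish from the page, so the reader sees `apt-get install` followed by nothing; use DokuWiki's `%%<package>%%` or `<nowiki>` escaping (or monospace `''<package>''`) instead, and the same applies to the `<html><strong></html>` and `<html><code></html>` replacements, where native `**bold**` and a `<code bash>` block would keep the firewall script preformatted. A second point on the users file: the text suggests locating /var/lib/users inside the Apache root directory if the setup requires it; since that file holds names, e-mail addresses, IPs and MAC addresses, a copy under the document root is downloadable by any client that can reach the web server, which in this design is every client on the LAN (port 80 from unregistered clients is redirected to it), so keep it outside the web root and give www-data write access to that location instead.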
Line 81: Line 88:
 $IPTABLES -A FORWARD -i eth0 -o ppp0 -j ACCEPT $IPTABLES -A FORWARD -i eth0 -o ppp0 -j ACCEPT
 $IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
-</​pre></​code>​ 
  
-==Setting up rmtrack==+<​html></​code></​html>​ 
 + 
 +===== Setting up rmtrack ===== 
 rmtrack is a one line script to remove connection track information about a client. If this script is not present then when the redirect is done on the completion of a user signing up, they may still not be able to access the page they were looking for. For example, if they go to www.google.com,​ they will first be redirected to the signup page on the local webserver. When the signup page redirects them back to Google, if the tracking information has not been cleared then they may end up back at the signup page, even though they'​ve already signed up. rmtrack is a one line script to remove connection track information about a client. If this script is not present then when the redirect is done on the completion of a user signing up, they may still not be able to access the page they were looking for. For example, if they go to www.google.com,​ they will first be redirected to the signup page on the local webserver. When the signup page redirects them back to Google, if the tracking information has not been cleared then they may end up back at the signup page, even though they'​ve already signed up.
  
 Create the file /​usr/​bin/​rmtrack and make it executable with the following contents: Create the file /​usr/​bin/​rmtrack and make it executable with the following contents:
  
-<​code><​pre>+<​html>​<​code><​/html> 
 /​usr/​sbin/​conntrack -L \ /​usr/​sbin/​conntrack -L \
     |grep $1 \     |grep $1 \
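Review bot: in the rmtrack script, `grep $1` takes the client address unquoted and treats it as a basic regular expression with no anchoring, so the dots match any character and an argument of 10.0.0.1 also selects the entries for 10.0.0.10, 10.0.0.11 and 110.0.0.1; those clients' connection-tracking entries are then removed together with the intended one. Prefer `grep -F -w -- "$1"` (fixed string, whole word, quoted), or drop the grep/awk pipeline and let conntrack do the selection itself with `/usr/sbin/conntrack -D -p tcp --orig-src "$1" --orig-port-dst 80`, which deletes the same kind of entries the awk line reconstructs (tcp, original destination port 80) without the pattern-matching pitfalls.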
Line 97: Line 107:
             substr(\$6,​5) \" -p tcp --orig-port-src \" substr(\$7,​7) \" \             substr(\$6,​5) \" -p tcp --orig-port-src \" substr(\$7,​7) \" \
             --orig-port-dst 80\"); }"             --orig-port-dst 80\"); }"
-</pre></​code>​+<html></​code></​html>
  
 Note: the single command has been split over several lines Note: the single command has been split over several lines
  
-==Configuring sudo==+===== Configuring sudo ===== 
 Sudo needs to be configured to allow the apache web server to issue certain iptables commands in order to allow clients to access the internet after they have signed up. Use visudo to add the following commands to the sudoers file: Sudo needs to be configured to allow the apache web server to issue certain iptables commands in order to allow clients to access the internet after they have signed up. Use visudo to add the following commands to the sudoers file:
  
-<​code><​pre>+<​html>​<​code><​/html> 
 www-data ALL = NOPASSWD: /​sbin/​iptables -I internet 1 -t mangle -m mac --mac-source ??​\:??​\:??​\:??​\:??​\:??​ -j RETURN www-data ALL = NOPASSWD: /​sbin/​iptables -I internet 1 -t mangle -m mac --mac-source ??​\:??​\:??​\:??​\:??​\:??​ -j RETURN
 www-data ALL = NOPASSWD: /​sbin/​iptables -D internet -t mangle -m mac --mac-source ??​\:??​\:??​\:??​\:??​\:??​ -j RETURN www-data ALL = NOPASSWD: /​sbin/​iptables -D internet -t mangle -m mac --mac-source ??​\:??​\:??​\:??​\:??​\:??​ -j RETURN
 www-data ALL = NOPASSWD: /​usr/​bin/​rmtrack [0-9]*.[0-9]*.[0-9]*.[0-9]* www-data ALL = NOPASSWD: /​usr/​bin/​rmtrack [0-9]*.[0-9]*.[0-9]*.[0-9]*
-</pre></​code>​+<html></​code>​</​html>​ 
 + 
 +<​html><​strong></​html>​Note:<​html></​strong></​html>​ Sudo does not use regular expressions,​ so the final rule is not as preferable as it should be.
  
-<​strong>​Note:</​strong>​ Sudo does not use regular expressions,​ so the final rule is not as preferable as it should be.+===== PHP script =====
  
-==PHP script== 
 One PHP script is described here. This is the main index.php script that the user sees when they initially try and access the internet and are redirected. This example script just asks for a user's name and email address, saves them to a file for future reference, and alters iptables rules to allow them access to the internet. The scripts can be edited as required. The example set of scripts at the following link force the user to accept an Acceptable User Policy and also have a facility to block users. http://​files.andybev.com/​web-portal/​web-portal.tar.gz One PHP script is described here. This is the main index.php script that the user sees when they initially try and access the internet and are redirected. This example script just asks for a user's name and email address, saves them to a file for future reference, and alters iptables rules to allow them access to the internet. The scripts can be edited as required. The example set of scripts at the following link force the user to accept an Acceptable User Policy and also have a facility to block users. http://​files.andybev.com/​web-portal/​web-portal.tar.gz
  
-{| style="​background-color:#​ffffcc;"​ cellpadding="​10"​ cellspacing="​0"​ border="​1"​ width="​100%"​ +|For an example of how to retain a user's URL, have a look at the discussion page| 
-|For an example of how to retain a user's URL, have a look at the discussion page + 
-|}+<​html><​code></​html>​
  
-<​code><​pre>​ 
 <?php <?php
  
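Review bot: the sudoers lines match arguments with sudo's glob syntax rather than regular expressions (as the note under the block acknowledges), and in sudoers a `*` matches across spaces, so `[0-9]*.[0-9]*.[0-9]*.[0-9]*` lets www-data invoke rmtrack as root with far more than a dotted-quad, and `??\:??\:??\:??\:??\:??` accepts any characters in the MAC positions. Because these commands run as root, validate the values before they reach sudo: in index.php check the address with `filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)` and the MAC against `/^([0-9a-f]{2}:){5}[0-9a-f]{2}$/i`, wrap both in `escapeshellarg()` when building the command, and have rmtrack itself exit unless `$1` is a plain IPv4 address. That way the sudoers globs remain a coarse second line rather than the only check.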
Line 209: Line 221:
  
 ?> ?>
-</pre></​code>​+<html></​code>​</​html>​ 
 + 
 +===== In use =====
  
-==In use== 
 Once the firewall has been enabled on the server and the rest of the scripts setup, any client trying to browse to the internet will be presented with a web page to signup. Once they have entered their details, an additional iptables rule will be created which will allow them full access to the internet. Once the firewall has been enabled on the server and the rest of the scripts setup, any client trying to browse to the internet will be presented with a web page to signup. Once they have entered their details, an additional iptables rule will be created which will allow them full access to the internet.
  
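Review bot: the listing ends with a closing `?>` tag; for a file that contains only PHP the recommended practice is to omit it, because any newline or space after `?>` is sent to the client as output and the redirect header this script issues (sending the user back to the site they originally requested) then fails with "headers already sent". Dropping the closing tag avoids that failure mode. The `<html></code></html>` used to close the block is also raw HTML rather than DokuWiki's own `</code>` block terminator, so the script may not render preformatted; it is the same markup issue as in the earlier blocks.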
using_iptables_and_php_to_create_a_captive_portal.txt · Last modified: 2018/12/06 21:51 by abeverley