This shows you the differences between two versions of the page.
using_iptables_and_php_to_create_a_captive_portal [2018/12/06 19:58] abeverley |
using_iptables_and_php_to_create_a_captive_portal [2018/12/06 21:51] abeverley |
Line 37: | Line 37: | ||
In this example a flat file is used to store all the details of users already registered (/var/lib/users). Depending on your Apache setup, you may need to locate the file in the Apache root directory. It is in the following format: | In this example a flat file is used to store all the details of users already registered (/var/lib/users). Depending on your Apache setup, you may need to locate the file in the Apache root directory. It is in the following format: | ||
- | Name <html><tab></html> Email <html><tab></html> Client IP <html><tab></html> Client MAC <html><tab></html> Date | + | Name Email Client IP Client MAC Date |
===== Firewall rules required ===== | ===== Firewall rules required ===== | ||
- | <html><strong></html>By andy@andybev.com (Apr 2011) - I have just updated these rules again, this time to move the MARKing into the mangle table and keep the DNAT in the nat table. I have not tested them yet though; please let me know if there are any problems.<html></strong></html> | + | By andy@andybev.com (Apr 2011) - I have just updated these rules again, this time to move the MARKing into the mangle table and keep the DNAT in the nat table. I have not tested them yet though; please let me know if there are any problems. |
The following iptables rules are needed in your firewall. Add them to your system's firewall scripts, or alternatively put them in their own file, make it executable, and force it to run at system startup. | The following iptables rules are needed in your firewall. Add them to your system's firewall scripts, or alternatively put them in their own file, make it executable, and force it to run at system startup. | ||
- | |||
- | <html><code></html> | ||
<code> | <code> | ||
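Review bot: the reworded format line in this hunk (`Name Email Client IP Client MAC Date`) drops the tab markers the previous revision used, so the reader is no longer told what separates the fields in /var/lib/users; say it explicitly (for example "one record per line, fields separated by a single tab") or put the line in a `<code>` block with literal tabs, because anything that reads this file back, and the MAC and IP handed to sudo from it, depends on splitting the right column. Separately, the sentence suggesting the file may need to sit in the Apache root directory deserves a warning: a file of names, e-mail addresses, IPs and MACs under the document root is served to anyone who asks for it unless the vhost denies access to it; keep it outside the docroot, readable and writable only by www-data, and if it must live under the docroot add a `<Files>` block with `Require all denied`.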
Line 89: | Line 87: | ||
$IPTABLES -A FORWARD -i eth0 -o ppp0 -j ACCEPT | $IPTABLES -A FORWARD -i eth0 -o ppp0 -j ACCEPT | ||
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE | $IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE | ||
+ | |||
</code> | </code> | ||
- | <html></code></html> | ||
===== Setting up rmtrack ===== | ===== Setting up rmtrack ===== | ||
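Review bot: the two rules shown at the end of the firewall block (`-A FORWARD -i eth0 -o ppp0 -j ACCEPT` followed by the MASQUERADE) accept every forwarded packet from the LAN whether or not the client has registered; the portal is only a portal if an earlier FORWARD rule drops or rejects packets that still carry the "not registered" mark set in the mangle table, and nothing in this hunk shows that rule. Worth a comment above the ACCEPT naming the rule that does the blocking, and noting that the DNAT in the nat table only redirects web traffic, so everything else from an unregistered client (HTTPS, DNS tunnels, SSH) is exactly what that drop rule has to catch.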
Line 98: | Line 96: | ||
Create the file /usr/bin/rmtrack and make it executable with the following contents: | Create the file /usr/bin/rmtrack and make it executable with the following contents: | ||
- | <html><code></html> | + | /usr/sbin/conntrack -L \ |
- | + | ||
- | <code> | + | |
- | /usr/sbin/conntrack -L \ | + | |
|grep $1 \ | |grep $1 \ | ||
|grep ESTAB \ | |grep ESTAB \ | ||
Line 109: | Line 104: | ||
substr(\$6,5) \" -p tcp --orig-port-src \" substr(\$7,7) \" \ | substr(\$6,5) \" -p tcp --orig-port-src \" substr(\$7,7) \" \ | ||
--orig-port-dst 80\"); }" | --orig-port-dst 80\"); }" | ||
- | </code> | ||
- | <html></code></html> | ||
Note: the single command has been split over several lines | Note: the single command has been split over several lines | ||
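Review bot: `|grep $1` uses the caller-supplied address unquoted and as a regular expression rather than a fixed string, so it matches any conntrack line that contains it as a substring: a call with 10.0.0.1 also matches 10.0.0.10 to 10.0.0.19, 10.0.0.100 and so on, and matches the address wherever it appears on the line, not only as the original source. The `conntrack -D` the awk builds then tears down other clients' sessions. Let conntrack do the filtering and drop the grep: `/usr/sbin/conntrack -L -p tcp --orig-src "$1" --orig-port-dst 80 \`, or at least `grep -F -- " src=$1 "` with `$1` quoted. Two smaller things in the same hunk: the `<code>` and `</code>` around the script were removed together with the `<html>` wrapper, unlike the firewall block above where `<code>` was kept, so the backslash continuations and the escaped quotes in the awk will now be rendered as wiki text; restore the `<code>` fence. And the file contents shown have no `#!/bin/sh` first line; add one, since the text says to make the file executable and sudo execs it directly.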
Line 118: | Line 111: | ||
Sudo needs to be configured to allow the apache web server to issue certain iptables commands in order to allow clients to access the internet after they have signed up. Use visudo to add the following commands to the sudoers file: | Sudo needs to be configured to allow the apache web server to issue certain iptables commands in order to allow clients to access the internet after they have signed up. Use visudo to add the following commands to the sudoers file: | ||
- | <html><code></html> | + | www-data ALL = NOPASSWD: /sbin/iptables -I internet 1 -t mangle -m mac --mac-source ??\:??\:??\:??\:??\:?? -j RETURN |
+ | www-data ALL = NOPASSWD: /sbin/iptables -D internet -t mangle -m mac --mac-source ??\:??\:??\:??\:??\:?? -j RETURN | ||
+ | www-data ALL = NOPASSWD: /usr/bin/rmtrack [0-9]*.[0-9]*.[0-9]*.[0-9]* | ||
- | <code> | ||
- | www-data ALL = NOPASSWD: /sbin/iptables -I internet 1 -t mangle -m mac --mac-source ??\:??\:??\:??\:??\:?? -j RETURN | ||
- | www-data ALL = NOPASSWD: /sbin/iptables -D internet -t mangle -m mac --mac-source ??\:??\:??\:??\:??\:?? -j RETURN | ||
- | www-data ALL = NOPASSWD: /usr/bin/rmtrack [0-9]*.[0-9]*.[0-9]*.[0-9]* | ||
- | </code> | ||
- | <html></code></html> | ||
- | <html><strong></html>Note:<html></strong></html> Sudo does not use regular expressions, so the final rule is not as preferable as it should be. | + | Note: Sudo does not use regular expressions, so the final rule is not as preferable as it should be. |
===== PHP script ===== | ===== PHP script ===== | ||
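Review bot: the sudoers wildcards are looser than the note under them admits. In sudoers `*` matches any run of characters including white space, so `/usr/bin/rmtrack [0-9]*.[0-9]*.[0-9]*.[0-9]*` also matches an argument such as `1.2.3.4 anything-else` (each `[0-9]*` is one digit followed by anything), and that whole string is what rmtrack receives as `$1` and passes unquoted to grep. Because the caller is www-data, a bug or injection in the PHP that builds the address becomes a root-run grep/conntrack with attacker-chosen arguments. Have rmtrack validate `$1` itself against a strict IPv4 shape (four groups of one to three digits) and exit non-zero otherwise, and validate both the IP and the MAC in PHP before calling sudo; the `??\:??\:??\:??\:??\:??` pattern only holds up because iptables rejects a value that is not a MAC. Also restore the `<code>` fence around the three sudoers lines, which went out with the `<html>` wrapper in this hunk (unlike the firewall block) and will now render as paragraph text.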
Line 134: | Line 123: | ||
|For an example of how to retain a user's URL, have a look at the discussion page| | |For an example of how to retain a user's URL, have a look at the discussion page| | ||
- | |||
- | <html><code></html> | ||
<code> | <code> | ||
Line 228: | Line 215: | ||
?> | ?> | ||
</code> | </code> | ||
- | <html></code></html> | ||
===== In use ===== | ===== In use ===== |