using_iptables_and_php_to_create_a_captive_portal

Differences

This shows you the differences between two versions of the page.

using_iptables_and_php_to_create_a_captive_portal [2018/12/06 19:59]
abeverley
using_iptables_and_php_to_create_a_captive_portal [2020/05/29 09:49]
abeverley
Line 1: Line 1:
 =====Using iptables and PHP to create a captive portal===== =====Using iptables and PHP to create a captive portal=====
  
-|Unfortunately I have had to lock this page, due to the amount ​of spam it received. If you would like to make contribution,​ please email me, andy@andybev.com|+|Please note: this page is very out of date, having been originally created several years ago. That said, the principle ​of the methods should still work, so would provide the basis for similar system.|
  
 There are various captive portal software packages available (both free and open source) that will allow you to setup an internet access facility that people have to logon to first. None of the packages I tried did what I wanted and they were not particularly customisable. Therefore I created my own, using a few iptables rules and PHP (along with a handful of other standard packages). This page details the steps that were taken. The key to this method as opposed to other iptables based solutions is that tracking information is removed after the user has signed up. Failure to do this will sometimes cause the user to still be redirected to your logon page even after they have signed up. There are various captive portal software packages available (both free and open source) that will allow you to setup an internet access facility that people have to logon to first. None of the packages I tried did what I wanted and they were not particularly customisable. Therefore I created my own, using a few iptables rules and PHP (along with a handful of other standard packages). This page details the steps that were taken. The key to this method as opposed to other iptables based solutions is that tracking information is removed after the user has signed up. Failure to do this will sometimes cause the user to still be redirected to your logon page even after they have signed up.
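Review bot: the replacement notice drops the contact address the locked-page notice carried and says only that the page is "very out of date"; if contributions are still wanted, keep the email beside the warning, and it would help readers to name what is known to be stale, since the firewall-rules section below still carries an April 2011 "I have not tested them yet" caveat.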
Line 37: Line 37:
 In this example a flat file is used to store all the details of users already registered (/​var/​lib/​users). Depending on your Apache setup, you may need to locate the file in the Apache root directory. It is in the following format: In this example a flat file is used to store all the details of users already registered (/​var/​lib/​users). Depending on your Apache setup, you may need to locate the file in the Apache root directory. It is in the following format:
  
-Name <​html><​tab></​html> ​Email <​html><​tab></​html> ​Client IP <​html><​tab></​html> ​Client MAC <​html><​tab></​html> ​Date+Name  Email  Client IP  Client MAC  Date
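Review bot: replacing the explicit `<tab>` markers with plain spaces loses the one thing this line documented, namely that the fields in /var/lib/users are tab-separated; say it in words instead (e.g. "tab-separated fields: Name, Email, Client IP, Client MAC, Date"). The sentence above about locating the file "in the Apache root directory" should also make clear this means a directory Apache can write to, not the DocumentRoot: the file holds names, email addresses, IPs and MACs and would otherwise be downloadable by any client on the network.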
  
 ===== Firewall rules required ===== ===== Firewall rules required =====
  
-<​html><​strong></​html>​By andy@andybev.com (Apr 2011) - I have just updated these rules again, this time to move the MARKing into the mangle table and keep the DNAT in the nat table. I have not tested them yet though; please let me know if there are any problems.<​html></​strong></​html>​+By andy@andybev.com (Apr 2011) - I have just updated these rules again, this time to move the MARKing into the mangle table and keep the DNAT in the nat table. I have not tested them yet though; please let me know if there are any problems.
  
 The following iptables rules are needed in your firewall. Add them to your system'​s firewall scripts, or alternatively put them in their own file, make it executable, and force it to run at system startup. The following iptables rules are needed in your firewall. Add them to your system'​s firewall scripts, or alternatively put them in their own file, make it executable, and force it to run at system startup.
  
-<​html>​<​code>​</​html>​ +<​code>​
 IPTABLES=/​sbin/​iptables IPTABLES=/​sbin/​iptables
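Review bot: the April 2011 caveat "I have not tested them yet" survives this edit unchanged; either confirm the rules and drop it, or move it next to the out-of-date notice at the top so it is not missed by someone copying the block. Minor: DokuWiki's code tag takes a language, so `<code bash>` here would give the rules highlighting.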
  
Line 89: Line 88:
 $IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
  
-<​html>​</code></​html>+</​code>​
  
 ===== Setting up rmtrack ===== ===== Setting up rmtrack =====
Line 97: Line 96:
 Create the file /​usr/​bin/​rmtrack and make it executable with the following contents: Create the file /​usr/​bin/​rmtrack and make it executable with the following contents:
  
-<​html><​code></​html>​ +  ​/​usr/​sbin/​conntrack -L \
- +
-/​usr/​sbin/​conntrack -L \+
     |grep $1 \     |grep $1 \
     |grep ESTAB \     |grep ESTAB \
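Review bot: `|grep $1` is unquoted and unanchored, so an address such as 10.0.0.1 also matches 10.0.0.10 through 10.0.0.19 (and 110.0.0.1), meaning rmtrack can delete another client's tracking entries; use `| grep -F -w -- "$1"` or, better, let conntrack do the filtering with `/usr/sbin/conntrack -L -s "$1"` so no text matching is needed. Moving from `<code>` to a two-space indented block is fine as long as every continuation line keeps at least that indent.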
Line 107: Line 104:
             substr(\$6,​5) \" -p tcp --orig-port-src \" substr(\$7,​7) \" \             substr(\$6,​5) \" -p tcp --orig-port-src \" substr(\$7,​7) \" \
             --orig-port-dst 80\"); }"             --orig-port-dst 80\"); }"
-<​html></​code></​html>​ 
  
 Note: the single command has been split over several lines Note: the single command has been split over several lines
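Review bot: the deletion is limited to entries with `--orig-port-dst 80`, so only HTTP connections that were caught by the redirect are cleared; if the firewall also redirects other ports, those entries keep their stale mapping until they time out, and the Note line here should say so. The Note should also mention that each trailing `\` must be the last character on its line, since a stray space after it breaks the split command.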
Line 115: Line 111:
 Sudo needs to be configured to allow the apache web server to issue certain iptables commands in order to allow clients to access the internet after they have signed up. Use visudo to add the following commands to the sudoers file: Sudo needs to be configured to allow the apache web server to issue certain iptables commands in order to allow clients to access the internet after they have signed up. Use visudo to add the following commands to the sudoers file:
  
-<​html><​code><​/html>+  www-data ALL = NOPASSWD: ​/sbin/​iptables -I internet 1 -t mangle -m mac --mac-source ??​\:??​\:??​\:??​\:??​\:??​ -j RETURN 
 +  www-data ALL = NOPASSWD: /​sbin/​iptables -D internet -t mangle -m mac --mac-source ??​\:??​\:??​\:??​\:??​\:??​ -j RETURN 
 +  www-data ALL = NOPASSWD: /​usr/​bin/​rmtrack [0-9]*.[0-9]*.[0-9]*.[0-9]*
  
-www-data ALL = NOPASSWD: /​sbin/​iptables -I internet 1 -t mangle -m mac --mac-source ??​\:??​\:??​\:??​\:??​\:??​ -j RETURN 
-www-data ALL = NOPASSWD: /​sbin/​iptables -D internet -t mangle -m mac --mac-source ??​\:??​\:??​\:??​\:??​\:??​ -j RETURN 
-www-data ALL = NOPASSWD: /​usr/​bin/​rmtrack [0-9]*.[0-9]*.[0-9]*.[0-9]* 
-<​html></​code></​html>​ 
  
-<​html><​strong></​html>​Note:<​html></​strong></​html> ​Sudo does not use regular expressions,​ so the final rule is not as preferable as it should be.+Note: Sudo does not use regular expressions,​ so the final rule is not as preferable as it should be.
  
 ===== PHP script ===== ===== PHP script =====
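Review bot: the third sudoers line, `/usr/bin/rmtrack [0-9]*.[0-9]*.[0-9]*.[0-9]*`, is weaker than the Note beneath it suggests: in sudoers the command arguments are matched as one space-joined string, so `*` can match across spaces and the pattern admits more than a single dotted-quad argument. Since sudo cannot express the format, have rmtrack itself refuse anything that is not an IPv4 address (a `case "$1"` check or an IP regex before the conntrack call) and have the PHP side validate the address with `filter_var($ip, FILTER_VALIDATE_IP)` before building the command. The two MAC rules are tighter (`?` matches one character and iptables rejects a malformed address), but they still let www-data insert into and delete from the `internet` chain at will, so the web server account deserves to stay minimal.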
Line 130: Line 124:
 |For an example of how to retain a user's URL, have a look at the discussion page| |For an example of how to retain a user's URL, have a look at the discussion page|
  
-<​html>​<​code>​</​html>​ +<​code>​
 <?php <?php
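Review bot: the pointer to the discussion page for retaining the user's original URL needs a caveat that belongs here rather than there: once that URL is handed back in a redirect after sign-up, it must be validated (scheme http or https, and ideally the host the client actually asked for) or the portal doubles as an open redirector. Minor: `<code php>` would give the script highlighting.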
  
Line 221: Line 214:
  
 ?> ?>
-<​html>​</code></​html>+</​code>​
  
 ===== In use ===== ===== In use =====
using_iptables_and_php_to_create_a_captive_portal.txt · Last modified: 2020/05/29 09:49 by abeverley