create a captive portal

Jim Carter jimc at math.ucla.edu
Fri Jan 3 05:20:01 EST 2003


On Thu, 2 Jan 2003, Jesus Molina wrote:
> I want to set up a captive portal. The system is very simple, just an AP
> connected directly to a laptop. How can I force any communication to the
> AP to be directed to a local webpage on the laptop? I am using a Linksys AP.

I'm not 100% sure what you're trying to accomplish, but here's a guess:
You have an AP, a laptop, and a wired Ethernet with only those two on it.
When a client's wireless machine connects to the AP and sends HTTP traffic
(port 80) to any IP address whatever, you want to serve one web page off
the laptop.  (Traffic to other ports like ssh and smtp can just be
dropped.)

The UCLA library does something like this, using a proprietary solution
from Cisco (I think).  The web page is a form asking for authentication,
and if satisfactory the CGI does magic stuff on the Cisco box letting the
client's packets be routed.

If I were doing this on Linux:

1.  Server machine has 2 interfaces and is configured as a router.

2.  Server has a DNS server set to forward only; when clients refer to a
hostname (e.g. www.google.com) your DNS will translate it for them using
the second interface which goes to the global internet.  Otherwise they can
never send the first content packet which your server will then hijack.

3.  DHCP server on the server host passes out IP addresses, and declares
the server to be the default gateway and to be the DNS server.  Note, you
will never see packets from the AP (except for remote administration); it
acts like a transparent bridge to the client machines which are using the
IP addresses you give them.

4.  iptables on the server host are as fascist as you need, e.g. every
packet from the interface having the AP is tossed (except traffic to-from
the server itself, for DNS and remote administration), except...

5.  Packets to port 80 (any destination IP) from the AP's address range
and/or physical interface get either the DNAT or REDIRECT treatment (see
the man page of iptables) and are sent to (respectively) a prespecified
other IP address or to the localhost (127.0.0.1).

6.  Since the requested web page can never be found on the captive web
server, its error page will present the captive content.  (Unless the
purpose is to be a web proxy like Squid.)  You have to take it from there
according to what you are trying to accomplish :-)

Good luck; it sounds like an interesting project.  You're at CMU; is this a
class project?  (In which case I shouldn't be giving you too much help :-)

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc at math.ucla.edu  http://www.math.ucla.edu/~jimc (q.v. for PGP key)
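The Linux recipe in steps 4 and 5 above, as an added shell example that is not part of the original post: it generates an iptables-restore ruleset that drops all forwarding from the AP side, lets clients reach the server's own DNS/DHCP, and redirects every port-80 request to a local portal web server. The interface names, client subnet, portal port and admin port are assumptions.

```shell
#!/bin/sh
# Assumed layout (not from the post): eth1 faces the AP, eth0 faces the internet.
AP_IF="eth1"
WAN_IF="eth0"
CLIENT_NET="192.168.10.0/24"   # range the server's DHCP hands out (assumed)
PORTAL_PORT="8080"             # local web server whose error page is the portal (assumed)

# Print an iptables-restore ruleset implementing steps 4 and 5 of the post.
captive_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# step 5: port 80 to any destination from the client range goes to the local portal
-A PREROUTING -i $AP_IF -s $CLIENT_NET -p tcp --dport 80 -j REDIRECT --to-ports $PORTAL_PORT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# steps 2 and 3: clients may use the server as DNS forwarder and DHCP server
-A INPUT -i $AP_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $AP_IF -p tcp --dport 53 -j ACCEPT
-A INPUT -i $AP_IF -p udp --dport 67 -j ACCEPT
# redirected HTTP arrives on the portal port after the nat table rewrote it
-A INPUT -i $AP_IF -p tcp --dport $PORTAL_PORT -j ACCEPT
# remote administration of the server from the wired side only
-A INPUT -i $WAN_IF -p tcp --dport 22 -j ACCEPT
# step 4: nothing from the AP side is routed onward (explicit so the counter is visible)
-A FORWARD -i $AP_IF -j DROP
COMMIT
EOF
}

# Load the ruleset atomically; needs root and the conntrack match module.
apply_captive_rules() {
  captive_rules | iptables-restore
}
```

Only plaintext port 80 is caught; an HTTPS request cannot be transparently answered with the portal page, so clients must start with an http:// URL. Review the output of captive_rules before calling apply_captive_rules on a live router.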