create a captive portal

Jesus Molina chus at cs.umd.edu
Fri Jan 3 07:58:08 EST 2003


Thanks everybody for the reply. I have heard before about NoCatAuth, and
it looks like a very interesting project. But
as I said, I will go for simplicity. I don't want to authenticate anybody.
If I followed Jim's email right, setting that up is only a bunch of
scripts:

-put the AP in bridge mode (or use a softAP with bridging enabled in the
kernel, and "bridge" to the local machine)
-Run dhcpd on the server. Send a local IP to the client, with gateway and
DNS server the local machine
-Run a DNS server on the machine, always giving the local IP of the machine,
no matter what address is requested, or run iptables with REDIRECT (never
heard of that option, thanks for the pointer)
-Configure iptables accordingly

Anyway, I will take a deeper look into the script in NoCatAuth
And, for the record, that is mostly a personal project ;)
-Jesus



On Thu, 2 Jan 2003, Jim Carter wrote:

> On Thu, 2 Jan 2003, Jesus Molina wrote:
> > I want to set a captive portal. The system is very simple, just an AP
> > connected directly to a laptop. How can I force any communication to the
> > AP to be directed to a local webpage on the laptop? I am using a Linksys AP.
>
> I'm not 100% sure what you're trying to accomplish, but here's a guess:
> You have an AP, a laptop, and a wired Ethernet with only those two on it.
> When a client's wireless machine connects to the AP and sends HTTP traffic
> (port 80) to any IP address whatever, you want to serve one web page off
> the laptop.  (Traffic to other ports like ssh and smtp can just be
> dropped.)
>
> The UCLA library does something like this, using a proprietary solution
> from Cisco (I think).  The web page is a form asking for authentication,
> and if satisfactory the CGI does magic stuff on the Cisco box letting the
> client's packets be routed.
>
> If I were doing this on Linux:
>
> 1.  Server machine has 2 interfaces and is configured as a router.
>
> 2.  Server has a DNS server set to forward only; when clients refer to a
> hostname (e.g. www.google.com) your DNS will translate it for them using
> the second interface which goes to the global internet.  Otherwise they can
> never send the first content packet which your server will then hijack.
>
> 3.  DHCP server on the server host passes out IP addresses, and declares
> the server to be the default gateway and to be the DNS server.  Note, you
> will never see packets from the AP (except for remote administration); it
> acts like a transparent bridge to the client machines which are using the
> IP addresses you give them.
>
> 4.  iptables on the server host are as fascist as you need, e.g. every
> packet from the interface having the AP is tossed (except traffic to-from
> the server itself, for DNS and remote administration), except...
>
> 5.  Packets to port 80 (any destination IP) from the AP's address range
> and/or physical interface get either the DNAT or REDIRECT treatment (see
> the man page of iptables) and are sent to (respectively) a prespecified
> other IP address or to the localhost (127.0.0.1).
>
> 6.  Since the requested web page can never be found on the captive web
> server, its error page will present the captive content.  (Unless the
> purpose is to be a web proxy like Squid.)  You have to take it from there
> according to what you are trying to accomplish :-)
>
> Good luck; it sounds like an interesting project.  You're at CMU; is this a
> class project?  (In which case I shouldn't be giving you too much help :-)
>
> James F. Carter          Voice 310 825 2897    FAX 310 206 6673
> UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
> Email: jimc at math.ucla.edu  http://www.math.ucla.edu/~jimc (q.v. for PGP key)
>
>

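Putting Jim's steps 1-5 and the no-authentication variant Jesus sketches above into one script, as an added example that is code from neither poster. The interface name (eth0), the 192.168.10.0/24 range, the DHCP pool and the port numbers are assumptions; the "answer every name with our own address" DNS is done with dnsmasq's catch-all `address=/#/` directive instead of a bind zone, which is a substitution for whatever DNS server the thread had in mind. Rules are emitted as text and only executed when DRYRUN=0, so the script can be reviewed on a box without root or iptables.

```shell
#!/bin/sh
# Added example, not from the original thread. A "no-auth" captive portal on
# a Linux laptop: the AP is a transparent bridge, the laptop is DHCP server,
# DNS server and web server, and iptables REDIRECT sends every HTTP request
# from the wireless side to the local web server.
# Assumptions (hypothetical): AP side on eth0, laptop at 192.168.10.1/24.

LAN_IF="${LAN_IF:-eth0}"
LAN_IP="${LAN_IP:-192.168.10.1}"
LAN_NET="${LAN_NET:-192.168.10.0}"
LAN_MASK="${LAN_MASK:-255.255.255.0}"
DHCP_RANGE="${DHCP_RANGE:-192.168.10.100 192.168.10.200}"
PORTAL_PORT="${PORTAL_PORT:-80}"

# Step 3: dhcpd hands out addresses and names this host as router and DNS.
dhcpd_conf() {
    cat <<EOF
subnet ${LAN_NET} netmask ${LAN_MASK} {
    range ${DHCP_RANGE};
    option routers ${LAN_IP};
    option domain-name-servers ${LAN_IP};
    default-lease-time 600;
    max-lease-time 3600;
}
EOF
}

# Jesus's DNS variant: answer every query with our own address, so the
# client's first HTTP packet comes to us whatever name it typed.
# (dnsmasq syntax; Jim's step 2 would be a forward-only resolver instead.)
dnsmasq_conf() {
    cat <<EOF
interface=${LAN_IF}
no-resolv
address=/#/${LAN_IP}
EOF
}

# Steps 4-5 as iptables commands, emitted as text so they can be inspected
# (or tested) without root; apply_rules executes them when DRYRUN=0.
iptables_rules() {
    cat <<EOF
iptables -t nat -F PREROUTING
iptables -F INPUT
iptables -F FORWARD
# Step 5: HTTP from the AP side, to any destination IP, is redirected to the
# local web server. REDIRECT rewrites the destination to this interface's IP.
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --dport 80 -j REDIRECT --to-ports ${PORTAL_PORT}
# Step 4: clients may reach this host only for DHCP, DNS and the portal page.
iptables -A INPUT -i ${LAN_IF} -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i ${LAN_IF} -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i ${LAN_IF} -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i ${LAN_IF} -p tcp --dport ${PORTAL_PORT} -j ACCEPT
iptables -A INPUT -i ${LAN_IF} -j DROP
# Nothing is forwarded: with no authentication nobody ever gets past the portal.
iptables -P FORWARD DROP
EOF
}

# Dry run by default, so a stray "sh portal.sh" never touches the firewall.
apply_rules() {
    if [ "${DRYRUN:-1}" = "1" ]; then
        iptables_rules
    else
        iptables_rules | grep -v '^#' | sh -e
    fi
}

apply_rules
```

Run it as `DRYRUN=0 sh portal.sh` on the laptop (as root) after dropping the two generated config fragments into dhcpd.conf and dnsmasq.conf. Jim's step 6 then needs no extra work: whatever path the browser asked for does not exist on the local web server, so its 404 page is the portal content. Two caveats a practitioner will hit: REDIRECT only catches port 80, so HTTPS and everything else on the wireless side simply times out under the INPUT DROP and FORWARD DROP policies; and if you later want Jim's authenticated variant, the CGI that "lets the client's packets be routed" translates to inserting a per-client ACCEPT in FORWARD plus a MASQUERADE rule on the internet-facing interface, with ip_forward enabled.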