Re: Authentication in a Firewall Question

Hello there,

I'm trying to do something similar.

When an end user tries to go to the Internet, the browser is redirected to an 
authentication page, then the web server that contains that page inserts 
a rule in the firewall to allow that computer to go to the Internet.

It must be something like this, as no programs should be installed on 
the end user's machine.

What I was trying to do (without success) was to set a redirector policy 
that applies to the unauthenticated traffic. The thing is that 
redirection and dynamic NAT are defined on different rules (PREROUTING, 
POSTROUTING). That is if I'm working with NAT; I haven't thought of a 
way to require authentication when just routing.

Some of the things I'm trying:
## redirector
# The web server listens on port 81
$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p TCP --destination-port 80 -j REDIRECT --to-port 81

## insert rule for each client
$IPTABLES -t nat -I POSTROUTING -o $INTERNET_IFACE -m mac --mac-source $CLIENT_MAC -j MASQUERADE


Any thoughts are welcome.


On Wed 25 Aug 2004 11:50, Cedric Blancher wrote:
> On Wed 25/08/2004 at 18:46, Hihn, Jason wrote:
> > I have devised the following acceptable scheme:
> > A firewall that rejects all traffic to everyone, except for one
> > port. This one port is used to authenticate an IP address through a
> > challenge/response algorithm.
> > If successful, the IP is then allowed through the firewall.
>
> See NuFW at http://www.nufw.org/. These guys have achieved quite
> impressive work. You definitely must try this.

-- 

Sincerely,
Nicolás Velásquez
Bogotá, Colombia

(^)   ASCII Ribbon Campaign
 X    NO HTML/RTF in e-mail
/ \   NO Word docs in e-mail
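
The scheme described in the message above, as an added example that is not part of the original post or of NuFW: rather than inserting per-client rules in POSTROUTING, where the mac match is not valid, it marks authenticated clients in mangle PREROUTING and redirects only unmarked HTTP. The chain name PORTAL_AUTH, the mark value 0x1, the interface defaults and the function names are assumptions.

```shell
#!/bin/sh
# Added example; PORTAL_AUTH, mark 0x1 and the interface defaults are assumptions.
IPTABLES="${IPTABLES:-echo iptables}"    # dry run by default; set IPTABLES=iptables to apply
LAN_IFACE="${LAN_IFACE:-eth1}"
INTERNET_IFACE="${INTERNET_IFACE:-eth0}"
AUTH_MARK=0x1

# The portal calls this with root rights, so accept exactly six hex octets
# and nothing else before a value reaches the iptables command line.
valid_mac() {
    h='[0-9A-Fa-f]'
    case "$1" in
        $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) return 0 ;;
    esac
    return 1
}

# One-time setup.
portal_setup() {
    # Authenticated clients get marked in this chain. mangle PREROUTING is
    # traversed before nat PREROUTING, and the mac match is valid there.
    $IPTABLES -t mangle -N PORTAL_AUTH
    $IPTABLES -t mangle -A PREROUTING -i "$LAN_IFACE" -j PORTAL_AUTH
    # Only unmarked (unauthenticated) HTTP is sent to the portal on port 81.
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IFACE" -p tcp --dport 80 \
        -m mark ! --mark "$AUTH_MARK" -j REDIRECT --to-ports 81
    # Forward marked traffic and its replies; drop everything else from the LAN.
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INTERNET_IFACE" \
        -m mark --mark "$AUTH_MARK" -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -j DROP
    # NAT is static; authorization no longer depends on POSTROUTING.
    $IPTABLES -t nat -A POSTROUTING -o "$INTERNET_IFACE" -j MASQUERADE
}

# Called by the portal after a successful login.
portal_allow() {
    valid_mac "$1" || return 1
    $IPTABLES -t mangle -A PORTAL_AUTH -m mac --mac-source "$1" \
        -j MARK --set-mark "$AUTH_MARK"
}

# Called on logout or session timeout; deletes the matching rule.
portal_revoke() {
    valid_mac "$1" || return 1
    $IPTABLES -t mangle -D PORTAL_AUTH -m mac --mac-source "$1" \
        -j MARK --set-mark "$AUTH_MARK"
}
```

Unauthenticated clients still need DNS before the browser sends any HTTP, so this assumes the resolver they use runs on the firewall itself. A source MAC identifies a client only as far as the LAN segment is trusted.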


