My university did something like this years ago. I doubt it was anything special. They "moved you from one VLAN to another" after authenticating against our university account, all from a web page. We were not automatically directed to the page, but it was the only one we could get to, aside from university resources. I have been investigating all the responses I have gotten so far, and I think they'll all work for you. Nufw is critical if you're terminal-server based.

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Nicolás Velásquez O.
> Sent: Wednesday, August 25, 2004 12:42 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Authentication in a Firewall Question
>
> Hello there,
>
> I'm trying to do something similar.
>
> When an end user tries to go to the Internet, the browser is redirected to an authentication page; then the web server that contains that page inserts a rule in the firewall to allow that computer to go to the Internet.
>
> It must be something like this, as no programs should be installed on the end user's machine.
>
> What I was trying to do (without success) was set a redirector policy that applies to the unauthenticated traffic. The thing is that redirection and dynamic NAT are defined in different rules (PREROUTING, POSTROUTING). This is if I'm working with NAT; I haven't thought of a way to require authentication when just routing.
>
> Some of the things I'm trying:
>
> ## redirector
> # The web server listens on port 81
> $IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p TCP --destination-port 80 -j REDIRECT --to-port 81
>
> ## insert rule for each client
> $IPTABLES -t nat -I POSTROUTING -o $INTERNET_IFACE -m mac --mac-source $CLIENT_MAC -j MASQUERADE
>
> Any thoughts are welcome.
> > On Wed 25 Aug 2004 11:50, Cedric Blancher wrote:
> > > On Wed 25/08/2004 at 18:46, Hihn, Jason wrote:
> > > > I have devised the following acceptable scheme:
> > > > A firewall that rejects all traffic to everyone, except for one port. This one port is used to authenticate an IP address through a challenge/response algorithm.
> > > > If successful, the IP is then allowed through the firewall.
> > >
> > > See NuFW at http://www.nufw.org/. These guys have achieved quite impressive work. You definitely must try this.
>
> --
> Regards,
> Nicolás Velásquez
> Bogotá, Colombia
>
> (^) ASCII Ribbon Campaign
> X NO HTML/RTF in e-mail
> / \ NO Word docs in e-mail
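The "redirect to a portal, then insert a rule per authenticated client" design that Nicolás describes in the quoted message, written out as one complete script. This is an added example, not code from the thread or from NuFW; the interface names, the chain names `portal_auth` / `portal_fwd`, the `IPTABLES` override used for dry runs and the input validation are all assumptions, and only the portal port 81 comes from his snippet. It departs from his second rule in one place, explained in the comments: `-m mac` is only usable in PREROUTING, INPUT and FORWARD, so the per-client rule goes into those chains and a single MASQUERADE serves everyone.

```shell
#!/bin/sh
# Added example (not from the thread): captive-portal style iptables setup.
# Assumed: LAN on eth1, uplink on eth0, portal web server on port 81.
# Set IPTABLES=echo to print the rules instead of loading them.
IPTABLES="${IPTABLES:-iptables}"
LAN_IFACE="${LAN_IFACE:-eth1}"
INTERNET_IFACE="${INTERNET_IFACE:-eth0}"
PORTAL_PORT="${PORTAL_PORT:-81}"   # the authentication web server listens here

# The portal's web application passes client-supplied values into a root-run
# iptables command line, so accept only a well-formed dotted quad / MAC address.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    old_ifs="$IFS"; IFS=.
    for octet in $1; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || { IFS="$old_ifs"; return 1; }
    done
    IFS="$old_ifs"
    [ "$n" -eq 4 ]
}

valid_mac() {
    case "$1" in
        [0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]) return 0 ;;
    esac
    return 1
}

# One-time base policy, loaded at boot.  Unauthenticated clients have their HTTP
# redirected to the portal and everything else dropped in FORWARD; authorised
# clients live in two small chains that the portal adds to and removes from.
portal_base_rules() {
    $IPTABLES -t nat -N portal_auth 2>/dev/null || true
    $IPTABLES -N portal_fwd 2>/dev/null || true
    # nat/PREROUTING: an ACCEPT inside portal_auth ends nat traversal for that
    # packet, so an authorised client skips the REDIRECT that follows.
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IFACE" -j portal_auth
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IFACE" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PORTAL_PORT"
    # filter/FORWARD is the real gate: REDIRECT alone only catches port 80, and
    # without this DROP an unauthenticated client could still reach anything else.
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INTERNET_IFACE" -j portal_fwd
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INTERNET_IFACE" -j DROP
    # Replies to flows that were allowed out still need to come back in.
    $IPTABLES -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # One MASQUERADE for everyone; only traffic that passed FORWARD reaches it.
    $IPTABLES -t nat -A POSTROUTING -o "$INTERNET_IFACE" -j MASQUERADE
}

# Called by the portal once the client has authenticated.  IP and MAC are matched
# together.  -m mac only works in PREROUTING, INPUT and FORWARD: by POSTROUTING
# the source MAC is gone, which is why the original POSTROUTING rule cannot match.
portal_allow_client() {
    valid_ipv4 "$1" && valid_mac "$2" || return 2
    $IPTABLES -t nat -I portal_auth -s "$1" -m mac --mac-source "$2" -j ACCEPT
    $IPTABLES -I portal_fwd -s "$1" -m mac --mac-source "$2" -j ACCEPT
}

# Logout or session timeout: delete exactly the two rules that were inserted.
portal_revoke_client() {
    valid_ipv4 "$1" && valid_mac "$2" || return 2
    $IPTABLES -t nat -D portal_auth -s "$1" -m mac --mac-source "$2" -j ACCEPT
    $IPTABLES -D portal_fwd -s "$1" -m mac --mac-source "$2" -j ACCEPT
}
```

Two caveats worth keeping in mind with this design. The portal gets the client's MAC from the ARP table for the connecting IP, and an IP-plus-MAC match is only a weak binding: anyone on the same segment who learns an authenticated client's addresses can spoof both, and a DHCP lease change leaves a stale rule behind, so sessions need a timeout and the revoke path above. That weakness is the reason for the NuFW pointer in the thread, which authenticates the user's connections rather than an address.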