I have a pretty simple situation whereby I block internet access to clients behind my iptables firewall until they have been properly authenticated.
I set up a user-defined chain 'captive' with a default rule to redirect traffic to a local web server (that handles the authentication)...
iptables -t nat -A captive -i eth0 -j REDIRECT
This chain is traversed from nat's PREROUTING chain...
iptables -t nat -A PREROUTING -j captive
If/once the user authenticates, a script fires and inserts a 'short-circuit' rule into the captive chain. After completing, the captive chain looks like (which will allow client 192.168.1.222 to escape the wormhole)...
iptables -t nat -I captive -s 192.168.1.222 -j RETURN iptables -t nat -A captive -i eth0 -j REDIRECT
The problem...
My clients need to wait 10-15 seconds before trying to access the internet. Shorter waits (ie, user starting to surf the web too early) result in a re-capture (REDIRECT), as if the 'short circuit' rule had never been inserted. I suspect this is being caused by delays in iptables updating the rule base, and the rules making it into the kernel (via the netlink socket???).
Is there anything I can do to reduce/eliminate the delay in getting updates into the kernel? I have tried an 'iptables-save | iptables-restore' in the hope that the COMMITs in the restore would do what the docs say (iptc_commit the changes to the kernel), but this doesn't seem to help.
I'm running iptables v 1.2.11 on a 2.6.10 kernel.
This has been bugging me for days, so I'd really appreciate any suggestions, of even a confirmation that there's not much I can do about it (the delay). In the latter case, I can set my user expectations, which is not my preferred course of action.
Cheers, Iain
