On Wed, 2005-11-16 at 17:42 +0300, compuomari wrote:
> Dears,
> I have a scenario that is somehow making me have a hard time. I have a
> wireless access point that gets its internet access from my Linux box. I
> want any user that uses my internet to get a landing page for myself
> (some kind of advertisement) and then go to the internet. I don't need
> authentication, but I don't want this landing page occurring more
> than once for the user... Anyhow, how can I do it with iptables? I
> want to DNAT all users to an internal Apache server, then SNAT them to
> the internet. How is that possible? Double NATting? Proxying? I need
> your help.

I have effectively done this (it is a registration system for the campus that I work at).

Overview:

1) Use the mangle table to determine if users are forced (DNAT'ed) to the
   landing page (internal Apache server).

2) Use Apache's mod_rewrite to capture any document in the web space.

3) Once they view the page and click a link or hit a submit button, have a
   CGI that adds their IP to the mangle table that allows them passage
   through the firewall (without being DNAT'ed). This CGI can also print
   out an HTTP Location header to send them to the original web site that
   they wanted to go to.

The system that I helped build is mildly complex and consists of a database
for user tracking, scanning (using Nessus), RADIUS authentication, ucarp
(unfortunately not working yet), and other things. But a stripped-down
version could be done with just one or two CGIs and some firewall rules.

-matt zagrabelny
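As an added example, not part of the original mail and not the campus system Matt describes, here is the "stripped-down version" of his three steps in Python: the base iptables rule set (mangle mark, conditional DNAT, filter), and the registration CGI that appends the client's IP to the mangle chain and sends a Location header back to the originally requested URL. Interface names, addresses, the fwmark value, the chain name, the fallback URL, the sudoers arrangement and the mod_rewrite snippet in the docstring are all assumptions for this example.

```python
"""Stripped-down captive landing page: base iptables rules plus the
registration CGI. Hypothetical example code, not the campus system from the
mail; interfaces, addresses, mark, chain and URLs are assumed values.

Matching Apache side (assumed, on the landing-page vhost). Because the client
was DNAT'ed, %{HTTP_HOST} still carries the host it originally asked for,
which is how the original URL reaches the CGI's url= parameter:
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/(landing.html|cgi-bin/register)
    RewriteRule ^ http://192.168.1.2/landing.html?url=http://%{HTTP_HOST}%{REQUEST_URI} [R,L]
"""
import ipaddress
import os
import subprocess
import sys
from urllib.parse import parse_qs, urlsplit

LAN_IF = "wlan0"            # interface towards the access point (assumed)
WAN_IF = "eth0"             # uplink (assumed)
LANDING_IP = "192.168.1.2"  # internal Apache box with the landing page (assumed)
MARK = "0x1"                # fwmark meaning "already accepted the landing page"
CHAIN = "registered"        # user chain in the mangle table, one -s rule per client
FALLBACK_URL = "http://www.example.com/"  # used when url= is missing or unsafe (assumed)


def ipt(table, *args):
    return ["iptables", "-t", table, *args]


def firewall_rules():
    """Base rule set as argv lists. mangle/PREROUTING runs before nat/PREROUTING,
    so a mark set in CHAIN is seen by the DNAT decision and later by FORWARD."""
    return [
        # step 1: mark traffic from clients that have already registered
        ipt("mangle", "-N", CHAIN),
        ipt("mangle", "-A", "PREROUTING", "-i", LAN_IF, "-j", CHAIN),
        # unmarked HTTP from the LAN is DNAT'ed to the landing server; marked passes
        ipt("nat", "-A", "PREROUTING", "-i", LAN_IF, "-p", "tcp", "--dport", "80",
            "-m", "mark", "!", "--mark", MARK,
            "-j", "DNAT", "--to-destination", LANDING_IP + ":80"),
        ipt("nat", "-A", "POSTROUTING", "-o", WAN_IF, "-j", "MASQUERADE"),
        # filter: unregistered clients may reach only DNS and the landing server.
        # (If the landing page lives on the router itself, the DNAT'ed traffic
        # arrives in INPUT rather than FORWARD and needs the same allow rule there.)
        ipt("filter", "-A", "FORWARD", "-i", WAN_IF,
            "-m", "state", "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"),
        ipt("filter", "-A", "FORWARD", "-i", LAN_IF, "-m", "mark", "--mark", MARK, "-j", "ACCEPT"),
        ipt("filter", "-A", "FORWARD", "-i", LAN_IF, "-d", LANDING_IP,
            "-p", "tcp", "--dport", "80", "-j", "ACCEPT"),
        ipt("filter", "-A", "FORWARD", "-i", LAN_IF, "-p", "udp", "--dport", "53", "-j", "ACCEPT"),
        ipt("filter", "-A", "FORWARD", "-i", LAN_IF, "-j", "DROP"),
    ]


def grant_rule(client_ip):
    """Rule that marks one client as registered, or None if REMOTE_ADDR is not a
    plain IPv4 address. Validating here, and passing argv rather than a shell
    string, keeps anything odd in REMOTE_ADDR off the iptables command line."""
    try:
        addr = ipaddress.IPv4Address(client_ip)
    except ValueError:
        return None
    return ipt("mangle", "-A", CHAIN, "-s", str(addr), "-j", "MARK", "--set-mark", MARK)


def redirect_target(requested):
    """Only bounce the client to an absolute http(s) URL with no CR/LF in it, so
    the CGI cannot be steered into javascript:/data:/schemeless targets or used
    for response-header injection via the Location line."""
    requested = requested or ""
    if "\r" in requested or "\n" in requested:
        return FALLBACK_URL
    parts = urlsplit(requested)
    if parts.scheme in ("http", "https") and parts.netloc:
        return requested
    return FALLBACK_URL


def register(environ):
    """Pure part of the CGI: returns (response_text, iptables_argv_or_None)."""
    rule = grant_rule(environ.get("REMOTE_ADDR", ""))
    if rule is None:
        return ("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n"
                "bad client address\r\n", None)
    url = parse_qs(environ.get("QUERY_STRING", "")).get("url", [""])[0]
    return "Status: 302 Found\r\nLocation: %s\r\n\r\n" % redirect_target(url), rule


def main():
    """CGI entry point. Assumes a sudoers entry that lets the web server's user
    run exactly this iptables command and nothing else (the server itself must
    not run as root)."""
    response, rule = register(os.environ)
    if rule is not None:
        subprocess.run(["sudo", "-n"] + rule, check=True)
    sys.stdout.write(response)


if __name__ == "__main__":
    main()
```

Two caveats a practitioner would want: a connection that was already DNAT'ed keeps that mapping in connection tracking until it closes, so only new connections opened after registration bypass the landing page (the redirect to a different host opens a new one, so this is normally invisible); and because the rule keys on the client IP, anyone who later picks up that DHCP lease, or spoofs the address, inherits the registration, which is why the fuller system in the mail tracks users in a database rather than trusting the mangle table alone.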