Michael C. Toren on 9 Apr 2004 04:32:02 -0000



Re: [PLUG] wireless networks, web browsing, and forced pages


On Thu, Apr 08, 2004 at 08:04:00PM -0400, sean finney wrote:
> 1) stub dns servers.  basically, you pool clients into two categories
>    (based on mac addresses typically).  the dhcp server gives the known
>    clients the standard network configuration, and gives the unknown
>    clients the same info except for the dns server, which is a different
>    machine (or bind view for the bind9 servers) that resolves all ns
>    queries to a single address.  so no matter where you go, you get
>    their page and have to register/pay/authenticate/whatever.  of course,
>    for the l33t h4x0rz this is easy to circumvent.

If you're not careful with the TTL returned this method can cause
problems once a client authenticates and wishes to visit the website
they were attempting to access when they were first hijacked to be
presented with the login page.

> 2) ip routing and a forced proxy.  a little harder to get around, they
>    have funky arp or nat rules set up to rewrite packets and redirect them
>    to their web server, unless you're going through their authenticated
>    proxy.

This is very easy to implement using just iptables and apache.  I
recently used the following iptables configuration for a consulting
customer:

    # don't hijack packets with a mark of 1 (authenticated users)
    iptables -t nat -A PREROUTING -i eth2 -m mark --mark 1 -j ACCEPT

    # don't hijack connections to our webserver
    iptables -t nat -A PREROUTING -i eth2 --dst www -p tcp --dport 80 -j ACCEPT

    # hijack all other http requests
    iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 \
        -j REDIRECT --to-ports 8080

combined with the following apache configuration:

    Listen 1.2.3.4:8080

    <VirtualHost 1.2.3.4:8080>
        ServerAdmin webmaster@foo.com
        DocumentRoot /var/www/auth/
        RewriteEngine on
        RewriteRule .* http://auth.foo.com/? [R]
    </VirtualHost>

to achieve the same result.

-mct
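The following script is an added example and not part of Toren's message. It wraps the iptables half of his setup in shell functions and fills in the piece the message leaves implicit: how a client's packets come to carry mark 1 after it authenticates. The assumptions are the message's own placeholders (client interface eth2, portal address 1.2.3.4, port 8080) plus names I chose: a mangle chain called portal_auth, and authorization keyed on a client's (IP, MAC) pair, which is one common way to do it and not the only one. The FORWARD rules are also an addition: the REDIRECT only covers port 80, so without a filter rule an unauthenticated client could still pass any other protocol through the gateway.

```shell
#!/bin/sh
# Added example, not code from the original post.  Scripts the iptables
# side of the captive portal and shows how mark 1 gets set.  Assumed
# names: interface eth2, portal 1.2.3.4:8080, mangle chain portal_auth.
# Set IPT=echo to print the rules instead of loading them.

IPT="${IPT:-iptables}"
CLIENT_IF="${CLIENT_IF:-eth2}"
PORTAL_IP="${PORTAL_IP:-1.2.3.4}"
PORTAL_PORT="${PORTAL_PORT:-8080}"

# Load the static rule set.  mangle/PREROUTING runs before nat/PREROUTING,
# so a mark set in portal_auth is already visible when the REDIRECT rules
# are evaluated.
portal_base_rules() {
    # One rule per authenticated client lives in its own chain, so
    # authorizing or revoking a client never touches the rules below.
    $IPT -t mangle -N portal_auth 2>/dev/null || true
    $IPT -t mangle -A PREROUTING -i "$CLIENT_IF" -j portal_auth

    # The three rules from the post: marked clients pass, traffic to the
    # portal itself passes, everything else on port 80 is redirected.
    $IPT -t nat -A PREROUTING -i "$CLIENT_IF" -m mark --mark 1 -j ACCEPT
    $IPT -t nat -A PREROUTING -i "$CLIENT_IF" -d "$PORTAL_IP" \
        -p tcp --dport 80 -j ACCEPT
    $IPT -t nat -A PREROUTING -i "$CLIENT_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PORTAL_PORT"

    # The REDIRECT only catches port 80.  Without these filter rules an
    # unauthenticated client could still forward anything else (ssh,
    # https, VPNs) through the gateway.  DNS stays open so the client can
    # resolve the site it is trying to reach and hit the redirect at all.
    $IPT -A FORWARD -i "$CLIENT_IF" -m mark --mark 1 -j ACCEPT
    $IPT -A FORWARD -i "$CLIENT_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$CLIENT_IF" -p tcp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$CLIENT_IF" -d "$PORTAL_IP" -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$CLIENT_IF" -j DROP
}

# Rule the portal's login handler adds after a successful login.  Keying
# on both source IP and MAC raises the bar slightly over IP alone, but a
# client that sniffs an authenticated neighbour can still clone both, so
# this is access control for paying customers, not for hostile ones.
portal_authorize() {
    ip="$1"; mac="$2"
    $IPT -t mangle -A portal_auth -s "$ip" -m mac --mac-source "$mac" \
        -j MARK --set-mark 1
}

# Remove the rule again on logout or lease expiry.
portal_deauthorize() {
    ip="$1"; mac="$2"
    $IPT -t mangle -D portal_auth -s "$ip" -m mac --mac-source "$mac" \
        -j MARK --set-mark 1
}

# Usage: portal.sh setup | auth IP MAC | deauth IP MAC.  With no
# arguments the script only defines the functions.
case "${1:-}" in
    setup)  portal_base_rules ;;
    auth)   portal_authorize "$2" "$3" ;;
    deauth) portal_deauthorize "$2" "$3" ;;
esac
```

Run `IPT=echo sh portal.sh setup` first to see the rules it would load, then `sh portal.sh setup` as root on the gateway; the login CGI behind auth.foo.com calls `portal.sh auth IP MAC` with the values it sees for the client. Nothing here addresses the DNS-caching problem from the first method, and the portal still needs its own rate limiting and session expiry, which are outside what the iptables side can do.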
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug