Michael C. Toren on 9 Apr 2004 04:32:02 -0000
On Thu, Apr 08, 2004 at 08:04:00PM -0400, sean finney wrote:

> 1) stub dns servers. basically, you pool clients into two categories
> (based on mac addresses typically). the dhcp server gives the known
> clients the standard network configuration, and gives the unknown
> clients the same info except for the dns server, which is a different
> machine (or bind view for the bind9 servers) that resolves all ns
> queries to a single address. so no matter where you go, you get
> their page and have to register/pay/authenticate/whatever. of course,
> for the l33t h4x0rz this is easy to circumvent.

If you're not careful with the TTL returned, this method can cause
problems once a client authenticates and wishes to visit the website
they were attempting to access when they were first hijacked and
presented with the login page.

> 2) ip routing and a forced proxy. a little harder to get around, they
> have funky arp or nat rules set up to rewrite packets and redirect them
> to their web server, unless you're going through their authenticated
> proxy.

This is very easy to implement using just iptables and apache. I
recently used the following iptables configuration for a consulting
customer:

    # don't hijack packets with a mark of 1 (authenticated users)
    iptables -t nat -A PREROUTING -i eth2 -m mark --mark 1 -j ACCEPT

    # don't hijack connections to our webserver
    iptables -t nat -A PREROUTING -i eth2 --dst www -p tcp --dport 80 -j ACCEPT

    # hijack all other http requests
    iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 \
        -j REDIRECT --to-ports 8080

combined with the following apache configuration:

    # portal vhost listening on the port the REDIRECT target points at
    Listen 1.2.3.4:8080
    <VirtualHost 1.2.3.4:8080>
        ServerAdmin webmaster@foo.com
        DocumentRoot /var/www/auth/
        # send every hijacked request to the login page
        RewriteEngine on
        RewriteRule .* http://auth.foo.com/? [R]
    </VirtualHost>

to achieve the same result.
-mct

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
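The nat rules in the mail above test for fwmark 1 but never show where that mark is set. The following script, an added example that is not part of the original post, fills in that piece: it installs the same REDIRECT rules and sets the mark for an authenticated client in the mangle table's PREROUTING chain, which runs before nat PREROUTING. Assumptions (not from the mail): the client interface is eth2, the portal listens on 8080, and a client is identified by its IP address plus MAC address; the IPT variable defaults to echoing the commands so the script can be read without root.

```shell
#!/bin/sh
# Captive-portal helper (added example, not the original author's code).
# IPT defaults to "echo iptables" so the rules are printed rather than
# applied; run with IPT=iptables as root to install them for real.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth2}"          # client-facing interface (assumed)
PORTAL_PORT="${PORTAL_PORT:-8080}"  # port the portal vhost listens on
AUTH_MARK=1                     # fwmark meaning "authenticated"

# Base rules, mirroring the mail's nat PREROUTING chain: marked traffic is
# left alone, everything else on port 80 goes to the portal.
portal_setup() {
    $IPT -t nat -A PREROUTING -i "$IFACE" -m mark --mark "$AUTH_MARK" -j ACCEPT
    $IPT -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PORTAL_PORT"
}

# Grant a client after it logs in. The mark has to be set in mangle
# PREROUTING, which is traversed before nat PREROUTING, or the
# "--mark 1" ACCEPT rule never sees it. Matching IP and MAC together
# means another host cannot inherit access just by taking the IP
# (MACs remain spoofable, as the quoted mail already notes).
portal_allow() {
    ip="$1"; mac="$2"
    $IPT -t mangle -A PREROUTING -i "$IFACE" -s "$ip" -m mac --mac-source "$mac" \
        -j MARK --set-mark "$AUTH_MARK"
}

# Revoke a client (logout, session timeout, lease expiry): delete the
# exact rule that portal_allow added.
portal_revoke() {
    ip="$1"; mac="$2"
    $IPT -t mangle -D PREROUTING -i "$IFACE" -s "$ip" -m mac --mac-source "$mac" \
        -j MARK --set-mark "$AUTH_MARK"
}
```

Because the mark is attached per packet by the mangle rule, revoking a client takes effect on its next packet rather than waiting for any DNS TTL to expire, which is the failure mode the mail raises for the stub-DNS approach.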