The UNIX and Linux Forums  
Hello and Welcome from United States to the UNIX and Linux Forums! Thank You for Visiting and Joining Our Global Community.

Go Back   The UNIX and Linux Forums > Top Forums > UNIX for Dummies Questions & Answers
Reload this Page LAN traffic rerouting to web server
.
google unix.com

Forums Register Forum RulesLinksAlbums FAQ Members List Calendar Search Today's Posts Mark Forums Read



Thread: LAN traffic rerouting to web server
View Single Post in the UNIX and Linux Forums - Click on the Thread or Permalink to View Entire Thread -->
  #3 (permalink)  
Old 04-04-2008
J-Fal J-Fal is offline
Registered User
  
 

Join Date: Mar 2008
Posts: 2
Thank you for the term era. I'd never heard of a walled garden, but after a search did find out some info about how it could be set up.

What I've decided to do is use DNSmasq to act as a DHCP server on the LAN, then use iptables to do all the routing. I switched the IPs a little bit, but the idea is the same.

Router IP - 192.168.0.254
web server - 192.168.0.253
DHCP IPs - 192.168.0.1 - 192.168.0.8
Rarely connected machine for admin stuff - 192.168.0.171 (I know it's no more secure this way really, just a way to potentially log access)
Subnet - 255.255.255.0

Can you help me out and tell me if I'm going the right direction here?


iptables -t nat -A PREROUTING -p tcp -s 192.168.0.1-192.168.0.8 --dport 80 -j DNAT --to-destination 192.168.0.253:80

iptables -A INPUT -p tcp -s 192.168.0.171 -d 192.168.0.254 --dport 45170 -j ACCEPT

If a wireless client attempts to do anything with TCP, where the destination port is 80 (HTTP) its destination is changed to the web server IP and port, and the packet is routed there. The web server is running on Apache at port 80.

If I use an address outside of the DHCP assigned area ( .171 in this case), and the packet is destined for the router itself at a specific port, the router will allow that packet to go through (still need to know the username and 4096-bit passcode to get in). The firmware on the router allows for wireless clients to be oblivious to each other.

How would I blackhole all packets after this point? I mean, if the packet is anything other than a TCP packet destined for port 80 from a DHCP assigned LAN IP, or from my "special" IP to the router at the special 45170 port for administration, how would I go ahead and just drop that packet at that point? I know there are other things that have to be allowed before packets can just be dropped (ICMP echo requests can be dropped, all IPv6 packets)...

I'm new to iptables and find this a little confusing. I will have to go through the tables already on the router to see how I will need to alter them for what I need.

Thank you for all the help!