So here's an idea: don't use iptables. Just don't route the packets and resolve everything to your server.
Basically, the way I would do this is fairly simple: do *not* activate IP routing over the interfaces. That's enabled by default on most routers, so you'll need to turn that off using something like this:

    echo "0" > /proc/sys/net/ipv4/ip_forward

Once that's done, packets are simply not routed between the interfaces. No need to mess around with iptables (which I hate with a passion now). You *can* set up iptables anyway to block "from any to <your ip> port 80" (dunno what that is in iptables jargon) if you're paranoid, but it's not necessary.

Make sure your server listens on the interface you're interested in. Then hook up dnsmasq or any DNS server so that it resolves any domain to the IP of that interface. If dnsmasq can do that, great; otherwise you could build a zonefile for . that would have an entry like this:

    * IN A <yourip>

And there you are: captive portal, simple and clean.

What's going to be the hardest part here, I think, is to subvert whatever operating system you have here to actually *not* route packets. :)

A.

-- 
Thoughtcrime does not entail death: thoughtcrime IS death.
_______________________________________________ mlug mailing list [email protected] https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
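The recipe above as a script, added here as an example and not code from A.'s post: turn forwarding off, then run dnsmasq bound to the portal interface with a wildcard record so every name resolves to that interface's address. The interface name (wlan0), the address (10.0.0.1), the config path under /etc/dnsmasq.d and the "apply" argument are assumptions for the example, not anything the post specifies.

```sh
#!/bin/sh
# Added example, not code from the original post: the captive-portal recipe
# from the thread as a script. Stop the box from forwarding packets, then
# have dnsmasq answer every lookup with the address of the portal interface.
# Assumed (not in the post): interface name, address, and file locations.

LAN_IF="${LAN_IF:-wlan0}"                   # assumed portal-side interface
LAN_IP="${LAN_IP:-10.0.0.1}"                # assumed address on that interface
IP4_FORWARD="${IP4_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
IP6_FORWARD="${IP6_FORWARD:-/proc/sys/net/ipv6/conf/all/forwarding}"
DNSMASQ_CONF="${DNSMASQ_CONF:-/etc/dnsmasq.d/captive.conf}"   # assumed path

# Emit a dnsmasq config on stdout. "address=/#/IP" is dnsmasq's wildcard:
# the name "#" matches every domain, so every lookup returns LAN_IP.
# no-resolv keeps dnsmasq from forwarding anything to an upstream resolver.
render_dnsmasq_conf() {
    cat <<EOF
interface=${LAN_IF}
bind-interfaces
no-resolv
address=/#/${LAN_IP}
EOF
}

# Turn routing off. The post's "echo 0 > .../ip_forward" covers IPv4 only;
# a dual-stack box also needs the IPv6 knob, or v6 traffic still passes.
# Needs root. Returns non-zero if the IPv4 knob could not be written.
disable_forwarding() {
    echo 0 > "$IP4_FORWARD" || return 1
    if [ -w "$IP6_FORWARD" ]; then
        echo 0 > "$IP6_FORWARD"
    fi
    return 0
}

# Return 0 when the forwarding knob at $1 reads "0".
forwarding_is_off() {
    [ "$(cat "$1" 2>/dev/null)" = "0" ]
}

# Return 0 when a DNS answer ($1, e.g. the output of
# `dig +short www.example.com @LAN_IP`) is the portal address,
# i.e. the wildcard record is doing its job.
answer_is_portal() {
    [ "$1" = "$LAN_IP" ]
}

# Apply mode: "sh captive.sh apply". Nothing runs when no argument is given.
if [ "${1:-}" = "apply" ]; then
    render_dnsmasq_conf > "$DNSMASQ_CONF"
    disable_forwarding || { echo "could not disable IPv4 forwarding" >&2; exit 1; }
    forwarding_is_off "$IP4_FORWARD" || exit 1
    # One dnsmasq instance, reading only this file, bound to the portal interface.
    dnsmasq --conf-file="$DNSMASQ_CONF"
    # Quick self-check from the portal host; should print LAN_IP.
    dig +short www.example.com @"$LAN_IP"
fi
```

The proc write does not survive a reboot; put `net.ipv4.ip_forward = 0` (and the IPv6 equivalent) in sysctl.conf or a sysctl.d fragment if the box should come up that way. The web server still has to be bound to LAN_IP, as the post says, or the redirected clients get connection refused instead of the portal page.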
