
I have a RADIUS server doing MAC auth on VLANs. If the MAC address isn't in the allowed table, the user is put into a separate VLAN. What I want to do on that separate VLAN is have my Debian server giving out IPs via a DHCP server.

What I need help with is the following: how do I use iptables to redirect all access from the clients to my webpage? I want to serve the webpage so they can register their device. I have a DHCP setup working as well as Apache, I just can't seem to get iptables to redirect this traffic.

John

1 Answer


I believe you are looking for the Destination NAT target in the PREROUTING chain. This redirects any request coming across the interface to the desired destination (your registration server).

/sbin/iptables -t nat -A PREROUTING -s [source network/mask] -p tcp --dport 80 -j DNAT --to-destination [your webserver]

This is described in detail on the famous site Upside-Down-Ternet where Wi-Fi leeches are redirected to kittenwar. http://www.ex-parrot.com/~pete/upside-down-ternet.html

Aaron Copley
  • Following that I get a "no chains" error, which is fine, easy to fix; I added -t nat before the -A... still doesn't work. Is there anything else I need to do in iptables for this to work? – John Feb 29 '12 at 20:30
  • Shouldn't be anything, but I can't test it at the moment to verify. I've used the instructions in the link before and compared to the same in the book, "Linux iptables Pocket Reference." Rather than matching on the source network, try `-i eth0` (or whatever your interface is.) – Aaron Copley Feb 29 '12 at 20:36
  • Also, to eliminate any other source of trouble, your registration server is listening on port 80, right? Could I see the whole rule that you have in place? And it's not listed after a drop/reject rule, right? – Aaron Copley Feb 29 '12 at 20:46
  • Yes, the webserver is listening on 80; on the client I can go to the destination address in iptables and it works. `# Generated by iptables-save v1.4.8 on Wed Feb 29 15:50:22 2012 *nat :PREROUTING ACCEPT [1:33] :POSTROUTING ACCEPT [1:132] :OUTPUT ACCEPT [1:132] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.147.249 COMMIT # Completed on Wed Feb 29 15:50:22 2012` – John Feb 29 '12 at 20:50
  • And this host is your gateway on that VLAN? I can't imagine why it isn't working. – Aaron Copley Feb 29 '12 at 20:56
  • That's what I want it to be, just a gateway on that VLAN. The host has 1 NIC in it because I don't want it routing traffic out; just anyone in this VLAN, when they open a browser, gets redirected to register, then RADIUS puts them in a separate VLAN for browsing. I must be missing something with iptables... – John Feb 29 '12 at 20:59
  • Totally worked for me! Thanks! I just need something to handle 443 traffic and redirect it to port 80 on the other webserver, but I loved this. Thanks :) – Pitto Apr 13 '13 at 23:51
  • The question is to redirect all traffic, and this response is limited to redirecting traffic from port 80. And what about 443? – acgbox Dec 15 '22 at 13:59
  • @acgbox 1) It's not redirecting _from_ port 80. (It's using dport, not sport, which is ephemeral.) 2) You modify the rule for 443. Not sure what you're trying to do - maybe ask a new question as this is more than 10 years old? – Aaron Copley Dec 17 '22 at 18:33
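An added example, not part of Aaron Copley's answer or the comments: a POSIX sh script that prints (or, with APPLY=1, applies) a complete rule set for the registration portal on a one-NIC gateway, covering both 80 and 443 as the comments ask. The interface eth0, the portal address 192.168.147.249 from the thread and the port list are assumed defaults and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not code from the answer above. Builds the iptables rule set
# for a registration portal on a one-NIC gateway. Defaults are assumptions:
# eth0 as the client VLAN interface and the portal address seen in the thread.
# Without APPLY=1 the commands are printed instead of executed.

IFACE="${IFACE:-eth0}"
PORTAL="${PORTAL:-192.168.147.249}"
PORTS="${PORTS:-80 443}"

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

portal_rules() {
    iface=$1; portal=$2; shift 2
    # DNATed packets bound for another host are forwarded, so forwarding must be on.
    run sysctl -w net.ipv4.ip_forward=1
    for port in "$@"; do
        # Traffic already addressed to the portal is left alone so the
        # registration page itself is not rewritten again in a loop.
        run iptables -t nat -A PREROUTING -i "$iface" -d "$portal" \
            -p tcp --dport "$port" -j ACCEPT
        # Everything else on this port from the VLAN lands on the portal.
        # The portal needs a listener on each port (a TLS one for 443).
        run iptables -t nat -A PREROUTING -i "$iface" \
            -p tcp --dport "$port" -j DNAT --to-destination "$portal"
    done
    # When the portal is on the same subnet as the clients, its replies
    # would bypass this gateway and carry the portal's real address, which
    # the client rejects; masquerading keeps the return path through here.
    run iptables -t nat -A POSTROUTING -o "$iface" -d "$portal" -j MASQUERADE
}

portal_rules "$IFACE" "$PORTAL" $PORTS
```

Run it once without APPLY to review the generated rules, then with APPLY=1 as root on the gateway; rules added with -A are not persistent, so save them with iptables-save once they work.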