redirect unauthorized users to a login page (natd as a transparent proxy)

Ruslan Ermilov ru at freebsd.org
Sun Jun 8 15:05:16 PDT 2003 

On Sun, Jun 08, 2003 at 10:35:47PM +0200, Vaclav Petricek wrote:
> 
> Hello
> 
> I am trying to redirect all http traffic of unauthorized wifi users on a
> wireless hotspot to a login page. The problem I have is that I can not
> disable the regular address translation (I want the source address to stay
> the same).
> 
> 10.0.0.7       is the wifi client
> 195.250.155.29 is the web wifi user tries to access from his browser
> 195.113.17.94  is my login page
> 10.0.0.1       is the wifi interface on the server
> 
> What happens is
> 
> In  [TCP]  [TCP] 10.0.0.7:1036 -> 195.250.155.29:80 aliased to
>            [TCP] 10.0.0.1:1036 -> 195.113.17.94:80
> 
> The natd configuration file:
> -------------------------------------------------------------------------
> interface wi0
> port 1234
> #proxy_only yes
> reverse
> proxy_rule port 80 server 195.113.17.94:80
> -------------------------------------------------------------------------
> 
> Natd was run as natd -f /etc/natd.conf -v with
> 00010 divert 1234 tcp from any to any via wi0
> 
> I was hoping proxy_only will do the trick but it does not seem to have
> any impact and the source address is changed anyway.
> 
> A quick glance at the source did not help much to my understanding of the
> proxy_only option.
> 
Confirmed as a bug.  The attached patch worked for me,
please test it.  You'll have to recompile and reinstall
libalias(3), then recompile and reinstall natd(8) with
new library.


Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru at sunbay.com		Sunbay Software Ltd,
ru at FreeBSD.org		FreeBSD committer
-------------- next part --------------
Index: alias.c
===================================================================
RCS file: /home/ncvs/src/lib/libalias/alias.c,v
retrieving revision 1.36
diff -u -p -r1.36 alias.c
--- alias.c	23 Jul 2002 00:16:19 -0000	1.36
+++ alias.c	8 Jun 2003 21:56:06 -0000
@@ -1057,7 +1057,8 @@ TcpAliasOut(struct ip *pip, int maxpacke
 
     link = FindUdpTcpOut(pip->ip_src, pip->ip_dst,
                          tc->th_sport, tc->th_dport,
-                         IPPROTO_TCP, 1);
+                         IPPROTO_TCP,
+                         !(packetAliasMode & PKT_ALIAS_PROXY_ONLY));
     if (link !=NULL)
     {
         u_short alias_port;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030609/4c3c4bc2/attachment.bin

More information about the freebsd-security mailing list