redirect unauthorized users to a login page (natd as a transparent proxy)

Ruslan Ermilov ru at freebsd.org
Sun Jun 8 16:02:11 PDT 2003 

On Mon, Jun 09, 2003 at 01:05:07AM +0300, Ruslan Ermilov wrote:
> On Sun, Jun 08, 2003 at 10:35:47PM +0200, Vaclav Petricek wrote:
> > 
> > Hello
> > 
> > I am trying to redirect all http traffic of unauthorized wifi users on a
> > wireless hotspot to a login page. The problem I have is that I can not
> > disable the regular address translation (I want the source address to stay
> > the same).
> > 
> > 10.0.0.7       is the wifi client
> > 195.250.155.29 is the web wifi user tries to access from his browser
> > 195.113.17.94  is my login page
> > 10.0.0.1       is the wifi interface on the server
> > 
> > What happens is
> > 
> > In  [TCP]  [TCP] 10.0.0.7:1036 -> 195.250.155.29:80 aliased to
> >            [TCP] 10.0.0.1:1036 -> 195.113.17.94:80
> > 
> > The natd configuration file:
> > -------------------------------------------------------------------------
> > interface wi0
> > port 1234
> > #proxy_only yes
> > reverse
> > proxy_rule port 80 server 195.113.17.94:80
> > -------------------------------------------------------------------------
> > 
> > Natd was run as natd -f /etc/natd.conf -v with
> > 00010 divert 1234 tcp from any to any via wi0
> > 
> > I was hoping proxy_only will do the trick but it does not seem to have
> > any impact and the source address is changed anyway.
> > 
> > A quick glance at the source did not help much to my understanding of the
> > proxy_only option.
> > 
> Confirmed as a bug.  The attached patch worked for me,
> please test it.  You'll have to recompile and reinstall
> libalias(3), then recompile and reinstall natd(8) with
> new library.
> 
I was too fast.  This patch doesn't work well.  It works
in a sense that it doesn't modify source IP address of
the proxied packets, but it doesn't work in a sense that
reply packets do not undergo de-aliasing.  The attached
patch is verified to work.  Please test it instead.


Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru at sunbay.com		Sunbay Software Ltd,
ru at FreeBSD.org		FreeBSD committer
-------------- next part --------------
Index: alias.c
===================================================================
RCS file: /home/ncvs/src/lib/libalias/alias.c,v
retrieving revision 1.36
diff -u -p -r1.36 alias.c
--- alias.c	23 Jul 2002 00:16:19 -0000	1.36
+++ alias.c	8 Jun 2003 22:38:36 -0000
@@ -1425,6 +1425,10 @@ PacketAliasOut(char *ptr,           /* v
             SetDefaultAliasAddress(pip->ip_src);
         }
     }
+    else if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
+    {
+        SetDefaultAliasAddress(pip->ip_src);
+    }
 
     iresult = PKT_ALIAS_IGNORED;
     if ((ntohs(pip->ip_off) & IP_OFFMASK) == 0)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030609/e33affd7/attachment.bin

More information about the freebsd-security mailing list