
Using IpTables to create a captive portal

Posted: Thu Dec 22, 2016 5:10 pm
by ITraccoon
First of all, hello. This is my first time posting here, although I have used this forum to find some answers before.
I’m working on a project where I use a Raspberry Pi 3B as an access point (I did this using HostAPD and ISC-DHCP-server); so far so good. But now I’m trying to find a way for connecting users to get a redirect to my captive portal page; they also can’t access the internet before they log in to the captive portal. And after they successfully log in to the captive portal, the redirect to the portal must stop and they need to get internet access (this must happen using IpTables).
My captive portal is not hosted on the Pi but in a virtual Ubuntu 16 server running on my laptop that is directly connected to my Pi.
To make this as clear as possible, see the infrastructure image below:
[Image: IpTables1.png]
When I use my test device I can connect to my Raspberry Pi SSID, I have instant internet access, and when I enter the IP of the webserver I can log in to my captive portal page (so the first part works just fine).
I have Googled my *** off trying to find a good way to do the IpTables but I can’t seem to figure it all out. Although I have been inspired, this is what I want to accomplish:
[Image: IpTables MARK.png]
So when the Pi boots a script has to run that adds rules to IpTables:
# Create a mangle chain called Internet
sudo iptables -N internet -t mangle

# First send all traffic via newly created internet chain
sudo iptables -t mangle -A PREROUTING -j internet

# MAC address not found. Mark the packet 99
sudo iptables -t mangle -A internet -j MARK --set-mark 99

# Redirects web requests from Unauthorized users to logon Web Page
sudo iptables -t nat -A PREROUTING -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination 192.168.137.194

# Now that we've got to the forward filter, drop all packets
# marked 99 - these are unknown users. We can't drop them earlier
# as there's no filter table
sudo iptables -t filter -A FORWARD -m mark --mark 99 -j DROP

As you can see I am missing some bits and pieces, anyone care to help me out?
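
The pieces the post above leaves open, as an added example that is not part of the original thread: a per-MAC RETURN rule inserted ahead of the MARK rule, and FORWARD exceptions so that marked clients can still reach the portal and resolve names. The interface name `wlan0`, the helper function names and the `PORTAL_APPLY` switch are assumptions; the chain name, mark value and portal address come from the post.

```shell
#!/bin/sh
# Added example, not the poster's script. Prints the commands by default;
# run with PORTAL_APPLY=1 to execute them through sudo.
PORTAL_IP="192.168.137.194"   # portal address taken from the post
AP_IF="${AP_IF:-wlan0}"       # assumption: the hostapd interface is wlan0

ipt() {
    if [ "${PORTAL_APPLY:-0}" = 1 ]; then sudo iptables "$@"
    else printf '%s\n' "iptables $*"; fi
}

# Whole-string check: exactly six colon-separated hex pairs. The portal
# hands this value to a root command, so anything else is refused.
valid_mac() {
    h='[0-9A-Fa-f]'; p="$h$h"
    case "$1" in
        $p:$p:$p:$p:$p:$p) return 0 ;;
        *) return 1 ;;
    esac
}

setup_portal() {
    ipt -t mangle -N internet
    # Only client-side traffic enters the chain, so replies coming back
    # from the portal and the internet are never marked.
    ipt -t mangle -A PREROUTING -i "$AP_IF" -j internet
    # Last rule of the chain: whoever was not RETURNed above is unknown.
    ipt -t mangle -A internet -j MARK --set-mark 99
    ipt -t nat -A PREROUTING -m mark --mark 99 -p tcp --dport 80 \
        -j DNAT --to-destination "$PORTAL_IP"
    # The portal is a separate host, so redirected packets cross FORWARD
    # and must be accepted before the DROP. DNS (assumed to be forwarded,
    # not served by the Pi) is needed for the client's first request.
    ipt -t filter -A FORWARD -m mark --mark 99 -d "$PORTAL_IP" -p tcp --dport 80 -j ACCEPT
    ipt -t filter -A FORWARD -m mark --mark 99 -p udp --dport 53 -j ACCEPT
    ipt -t filter -A FORWARD -m mark --mark 99 -j DROP
}

# After login: insert at position 1 so RETURN is hit before the MARK rule.
authorize_mac() {
    valid_mac "$1" || { printf 'refusing MAC: %s\n' "$1" >&2; return 1; }
    ipt -t mangle -I internet 1 -m mac --mac-source "$1" -j RETURN
}

# On logout or session expiry: delete the same rule again.
deauthorize_mac() {
    valid_mac "$1" || return 1
    ipt -t mangle -D internet -m mac --mac-source "$1" -j RETURN
}
```

Source the file and call `setup_portal` once at boot, then have the portal call `authorize_mac` with the client's MAC after a successful login. The MAC address is supplied by the client device, so this gate identifies a device, not a user.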

Re: Using IpTables to create a captive portal

Posted: Thu Nov 29, 2018 3:10 am
by FabianK
Did you ever find the answer to this? I could really use it right now.