Re: [SLUG] Intercepting web requests and authenticating users?

From: Ian Blenke (
Date: Wed Feb 04 2004 - 11:34:19 EST

Ben Ostrowsky wrote:
> When I go to places that offer membership-based wireless access,
> any URL I try to go to will take me to the same login/signup page.
> How do they do that? Can I do it with Free software?

I assume you're talking about 802.11 wireless "hotspot" portals.

There are various active/captive wireless portals available with varying
methods of accomplishing what you're attempting to acheive. Here's the
PersonalTelco page that covers many of them:

The most common method is to setup an IP redirect rule when you are
first given a DHCP lease, and change/remove the redirect only after you
accept the AUP. This is really mere scripting with iptables rules.

You might also do some DNS trickery to respond to all queries with the
IP address of a local webserver. After authenticating, the nameserver
would be told to give the client correct DNS responses.

Some folks like DHCP trickery, which isn't all that reliable. Give the
client a lease with a short timeout, which puts them in a jailed
network. When they authenticate, start giving them a longer duration
"good" lease on a segment that is allowed out.

Still other networks prefer various VPN solutions or software agent
helpers that run on the client machine to configure it to talk over
their network.

Most wireless portals don't filter DNS requests as they should. In fact,
with a tool like nstx (, you can usually
tunnel IP packets over DNS to a gateway nameserver elsewhere. It's
amazing how many "secure" networks this works over - and how many
hotspots you no longer need to pay to use.

> I assume it has something to do with the router. Redirect everything to
> a proxy that checks for authentication, unless it's coming from the
> proxy itself (and is therefore authenticated)?

Redirecting is the key there.

Unless you can get the client to change their web browser proxy settings
(either zero-conf style with DHCP options, or manually), you're stuck
with a transparent proxy with which you cannot challenge for
authentication (due to various browser assumptions regarding non-proxied
http connections). Simply put, this alone will not solve your problem.

> Revised question: is there a not-painfully-difficult way to do this with
> Free software?

There are a few of them in the PersonalTelco list above.

- Ian C. Blenke - Director of Service Delivery <>
(This message bound by the following:
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS).  Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:23:12 EDT