Sean,

Sorry for the lack of information. When a dialup user logs in, we go and check their username/password (basic stuff). We have different settings in our database of accounts determining that they are active, removed, etc, and the whole end result would be something like this: Customer A hasn't paid us for the internet service, so we are going to set him to the "billing" status (we give them an ip in the range of 192.168.153.*). When Customer A logs in, they can connect up just fine. But when they try to visit a webpage, for instance www.google.com, they are going to get "You need to pay us or no internet for you" message. Once we get this working, we plan to extend this for people with multiple logins at the same time, and other things that people do to irritate us.

Now we have two different "You need to pay us ..." webpages. One is a generic page, and the other is a page that shows who they are, how much they owe us, and a confirmation that they saw the message and will pay us (thus removing them from the billing status). We want the latter page for all the billing status, otherwise our phones would be ringing off the hook.

The script we have uses iptables. For now, I am accepting all in, out, and forward packets (will change later, but want to get it working first). Our script looks something like this:

    echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp -s 192.168.153.0/24 -j DNAT --to-destination $WEBPAGE
    iptables -t nat -A POSTROUTING -j MASQUERADE

Just to clarify things a bit more, we are using the MASQUERADE option because once the webserver sends an acknowledgement packet back to the client, it never makes it back.

Thanks!
Brad

----- Original Message -----
From: "Sean Estabrooks" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 21, 2003 2:36 PM
Subject: Re: Proxy server

> On Thu, 21 Aug 2003 14:24:04 -0400
> "Brad Hittle" <[EMAIL PROTECTED]> wrote:
>
> > Sean,
> >
> > We keep a status for the dialup account users. When they logon, they
> > receive a specific IP from us denoting status (ie if they are in the billing
> > status the ip would range from 192.168.153.*).
> >
> > When we only use DNAT, the packets never make their way back to the client
> > machine. That's why we are routing the packet back through the proxy server.
> > I have sniffed every possible place along the line using only the DNAT
> > (excluding the router, and some other machines it must go through), and have
> > seen everything working properly.
> >
> > Brad
> >
>
> Hey Brad,
>
> Not sure I understand your configuration well enough to help much, but
> if you post your iptables(?) rules for DNAT someone may be able to help.
> I'm interested to know what you mean by "they receive a specific IP from us",
> do you mean in your billing system or do you actually modify their
> incoming ip in some way "on the wire".
>
> Sean
>
> --
> redhat-list mailing list
> unsubscribe mailto:[EMAIL PROTECTED]
> https://www.redhat.com/mailman/listinfo/redhat-list
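
Added example, not part of the original thread: the redirect described above with both NAT rules scoped to the billing range and to web traffic only, printed in iptables-restore format after the inputs are validated. The helper names, the portal address 192.0.2.10 (documentation range) and the use of one port for both the intercepted traffic and the portal are assumptions.

```shell
#!/bin/sh
# Added example: print scoped NAT rules for the billing range in
# iptables-restore format. Helper names and sample values are assumptions.

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# Succeeds only for ADDRESS/PREFIX with a valid address and prefix 0-32.
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    prefix=${1#*/}
    case "$prefix" in ""|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] 2>/dev/null && is_ipv4 "${1%/*}"
}

# billing_nat_rules SUBNET PORTAL_IP [PORT]
# Values are validated because they end up in rules loaded as root.
billing_nat_rules() {
    subnet=$1; portal=$2; port=${3:-80}
    is_cidr "$subnet" || { echo "bad subnet" >&2; return 1; }
    is_ipv4 "$portal" || { echo "bad portal address" >&2; return 1; }
    case "$port" in ""|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 1; }
    # DNAT only web traffic from the billing range; masquerade only those
    # redirected flows so other forwarded traffic keeps its source address.
    cat <<EOF
*nat
-A PREROUTING -s $subnet -p tcp --dport $port -j DNAT --to-destination $portal:$port
-A POSTROUTING -s $subnet -d $portal -p tcp --dport $port -j MASQUERADE
COMMIT
EOF
}

# Usage (as root), with the constructed portal address:
#   billing_nat_rules 192.168.153.0/24 192.0.2.10 | iptables-restore --noflush
```

MASQUERADE rewrites the source address, so the web server sees the gateway's address rather than the client's 192.168.153.* address; a portal page that identifies the customer cannot rely on the connecting IP alone.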