Reply To: Captive portal not properly catching traffic


#53383

redfive
Participant

By enabling the Captive Portal, some rules (hidden by the GUI) are added to the FW chains; in the FORWARD chain they are at the end (click on the View button).
If all your clients are behind the captive portal and you want to allow only some specific services, I'd proceed as follows...
Firstly, create a new chain, e.g. Allowed_Serv, then add one rule for each service that I want to allow, e.g.

1 * * RETURN tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:80
2 * * RETURN tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:443
3 * * RETURN tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:51490
4 * * RETURN tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:110
5 * * RETURN tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:587
6 * * RETURN tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:465
7 * * RETURN tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:993
8 * * RETURN tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpts:6500:6600
9 * * RETURN icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8
10 * * DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0

Then, in the FORWARD chain, only(*) two rules: the first one with action jump to chain Allowed_Serv, while the second one will deny connections initiated from any IP which isn't 192.168.1.99 and destined to TCP port range 6500:6600.

1 * * Allowed_Serv all -- ETH03 * 192.168.1.0/24 0.0.0.0/0
2 DROP tcp -- ETH03 * !192.168.1.99 0.0.0.0/0 tcp dpts:6500:6600

Very basic, but above all… not tested; you can try “at your own risk” 😆
(*) To be honest, you can do much more here, and also in the INPUT chain, but I don't know what, e.g., your goals are, or if you have some services which must be reachable, and so on…

Regards
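Since the rules above are explicitly untested, the following is an added example (not code from the post or from the firewall product) that models how netfilter walks the FORWARD chain and the user-defined Allowed_Serv chain: a RETURN hands the packet back to the calling chain, which continues at the rule after the jump, so the second FORWARD rule still gets a say on the 6500:6600 range. The two chains are transcribed rule for rule; the packets are constructed, 203.0.113.10 is a documentation address, and a FORWARD default policy of ACCEPT is an assumption, as is the absence of any hidden captive-portal rules ahead of these.

```python
"""Added example, not from the forum post: a minimal model of how netfilter
walks the FORWARD chain and the user-defined Allowed_Serv chain described
above, so the effect of RETURN, the trailing DROP and the second FORWARD
rule can be checked on constructed packets before touching a live box."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    in_iface: str = "ETH03"     # interface the clients sit behind in the post

@dataclass
class Rule:
    target: str                 # ACCEPT, DROP, RETURN, or a chain name (jump)
    proto: Optional[str] = None
    in_iface: Optional[str] = None
    src: Optional[str] = None   # CIDR or host; a leading "!" negates, as in iptables
    dports: Optional[tuple] = None   # inclusive (low, high) destination port range
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.src is not None:
            negate = self.src.startswith("!")
            net = ipaddress.ip_network(self.src.lstrip("!"), strict=False)
            if (ipaddress.ip_address(pkt.src) in net) == negate:
                return False
        if self.dports is not None:
            if pkt.dport is None or not (self.dports[0] <= pkt.dport <= self.dports[1]):
                return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True

def walk(chain: str, tables: dict, pkt: Packet) -> Optional[str]:
    """Return ACCEPT/DROP if a terminating rule matched, or None if the chain was
    left by RETURN or by running off its end; the calling chain then continues
    with the rule after the jump (the netfilter semantics of RETURN)."""
    for rule in tables[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(rule.target, tables, pkt)      # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None

def forward_verdict(tables: dict, pkt: Packet, policy: str = "ACCEPT") -> str:
    """Verdict for a forwarded packet; the chain policy applies if nothing terminates.
    A FORWARD policy of ACCEPT is an assumption here, not something the post states."""
    verdict = walk("FORWARD", tables, pkt)
    return policy if verdict is None else verdict

# The two chains from the post, transcribed rule for rule.
ALLOWED_SERV = [Rule("RETURN", proto="tcp", dports=(p, p))
                for p in (80, 443, 51490, 110, 587, 465, 993)]
ALLOWED_SERV += [
    Rule("RETURN", proto="tcp", dports=(6500, 6600)),
    Rule("RETURN", proto="icmp", icmp_type=8),      # echo request
    Rule("DROP"),                                   # anything not listed above
]
FORWARD = [
    Rule("Allowed_Serv", in_iface="ETH03", src="192.168.1.0/24"),
    Rule("DROP", proto="tcp", in_iface="ETH03", src="!192.168.1.99", dports=(6500, 6600)),
]
TABLES = {"FORWARD": FORWARD, "Allowed_Serv": ALLOWED_SERV}

if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.10 is a documentation address.
    samples = [
        Packet("tcp", "192.168.1.50", "203.0.113.10", dport=443),
        Packet("tcp", "192.168.1.50", "203.0.113.10", dport=22),
        Packet("tcp", "192.168.1.50", "203.0.113.10", dport=6550),
        Packet("tcp", "192.168.1.99", "203.0.113.10", dport=6550),
        Packet("icmp", "192.168.1.50", "203.0.113.10", icmp_type=8),
        Packet("udp", "192.168.1.50", "203.0.113.10", dport=53),
    ]
    for pkt in samples:
        print(f"{pkt.proto:4} {pkt.src:>14} -> {pkt.dst}:{pkt.dport or pkt.icmp_type}"
              f"  => {forward_verdict(TABLES, pkt)}")
```

Running it shows the intended behaviour (443 passes, 22 is dropped by the trailing DROP, 6550 is dropped for 192.168.1.50 but passes for 192.168.1.99, echo requests pass) and two things worth knowing before enabling the rules: the listing contains no UDP rule, so a forwarded DNS query to udp/53 from a client hits the trailing DROP under this model, and traffic arriving on any interface other than ETH03 is not touched by either FORWARD rule at all.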