Re: Software for WLAN Hotspot

[Kay-Michael Voit <debian@voits.net>]

> > If we work with iptables, we have to authenticate the client in some
> > way. Though I think it is possible to extend iptables, this would
> > exceed my abilitys a lot.
> >    
>
> But maybe would be the cleanest / best solution :-) Okay then ...
>  
I fully agree, but as I said, it exeeds my skill, I think....

> > So, I would use existing possibilitys, of which mac address
> > filtering is the safest for my purpose.
> >
> > Now there are two possibilities:
> > 1. Writing a web-based interface, for example with PHP, to log in.
> > Then a C/C++ based daemon adds some iptablesrules, which allow the
> > client to go online. +: platform independent -: one has to enter his
> > MAC address, for I don't know any possibility to determine ones ip
> > through PHP (and I don't think this is possible?)
> >    
>
> It's possible to read his ip with PHP. It's in the enviroment-
> variables when he executes your php-script to login in. But I don't 
> know of actually translating it to the mac for inserting into your 
> iptable-rules.
Yes, I know, I'm just too stupid, reading my message again you will 
notice, that I wanted to write MAC adress.
IP is |$_SERVER[REMOTE_ADDR] but I don't think this is usefull here.
Any solution how to determine the MAC automatically?|

> > 2. Daemon as above, but with clientsoftware which sends password and
> > MAC-address to server. (because they are one-time, they can be
> > transmitted plaintext) +: See above -: Clientsoftware...
> >    
>
> Bad because client-software.
>
> All the "big" firms do it via webbrowser so I think that's the way to 
> go.
>  
That's what I said.... but it is the easiest solution. Perhaps one could 
do both client and webinterface, like some ISP provide a Dial-Up 
Software though it's possible to dial up"normally"

> Well all okay. But how do you want a user to log off automatically? 
> E.g. if there is no traffic from his IP for the last 15 minutes you 
> want to automatically log him off, right? One way would be to use a 
> browser-window that remains open (small one) and is reloaded every 
> minute. This way you can timeout a user easily.
Or you can letr the daemon watch logs. Just log every new connection 
(synbit set) with iptables and filter the address.

> Btw: Using this solution you can add a rule when the user is "logged 
> off" like: requests for http (port 80) to any ip rewrite to local 
> apache (for logging in). If somebody is logged out and tries to 
> access any webpage in the "open world" he's redirected to your 
> apache.
nice idea

> Hmm ... the more I think about it, the simpler this solution looks :-
> )
There must be a snag, if it is easy enough for me to code :)

> Give it a try. And please keep me posted on your findings.
I'll try