Redirect all web traffic on my network...

seanx (2[H]4U, joined Aug 1, 2001, 3,191 messages)
I'm helping with a LAN party ( www.massivelan.com ) and just got done setting up a system for registering users on our network, but for it to work effectively we need to make it so all web traffic will be redirected to our web server for them to register. I know this can be set up within the DNS config, I just haven't been able to figure out where or how yet. We are running this server on FreeBSD 4.8. I've been searching Google a bit and about the only thing I've found is that I have to set up a wildcard record that resolves everything to my web server. But I'm not exactly sure how to go about that. I've never messed with DNS before. So I'm just wondering how it's done. But it's late and I have to get going to sleep so I'll check back tomorrow.

Thanks for any help,

--Sean
 
DNS records only do so much. Someone can still just feed in an external DNS IP, and they get access.

I might do something like this:

Set up the firewall to redirect all traffic headed outside to port 80 on the web server for registration. At registration, have the web script that does the registration update the firewall to allow that IP through.

While this still allows someone to steal a known IP, it's much harder to do.

What server/firewall do you have?
 
Check out Squid and see if you could just block normal outgoing web traffic and force all users to get web traffic through the proxy server. I think Squid can handle the rest. They can use external DNS all they want, but if the only open port through the firewall is for the proxy server then oh well.
 
Thanks for the replies.

Well the thing is, there won't be internet at the LAN (from what I know at least), so I'm not worried about people putting in external IP addresses. I'm just setting it up so it makes it easier when people come in the door. They just have to open their browser and it will take them right to the registration page without them having to type anything.

I could still try doing it through the firewall. I'm using FreeBSD 4.8, which comes with IPFW. I'm new to FreeBSD and haven't messed with the firewall at all yet, so I'll have to read up on that for a bit.

Thanks again, I'll reply if I figure anything new out,

--Sean
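One way to implement the firewall-side scheme proposed above (redirect unregistered hosts' port-80 traffic to the registration server, then open the firewall for a host once it registers) with the IPFW that ships with FreeBSD 4.8. This is an added example, not code from the thread. Everything concrete in it is an assumption: the kernel has the IPFIREWALL_FORWARD option (required for ipfw's fwd action), the LAN is 172.16.0.0/24 on fxp0, the registration web server is 172.16.0.1, and the rule numbers are arbitrary choices.

```python
"""Captive-portal style IPFW rules for a registration server (FreeBSD 4.x ipfw).

Added example, not code from the thread.  Assumed: IPFIREWALL_FORWARD in the
kernel, LAN 172.16.0.0/24 on fxp0, registration web server at 172.16.0.1.
"""
import ipaddress
import subprocess

LAN_IF = "fxp0"                                   # assumed LAN interface
LAN_NET = ipaddress.ip_network("172.16.0.0/24")  # assumed LAN subnet
PORTAL = "172.16.0.1"                             # assumed registration web server
BASE_RULE = 10000   # per-host allow rules: 10000 + host offset (stays below 60000)


def base_rules():
    """ipfw commands loaded at boot.  Rules are matched in number order, so
    per-host allow rules (10000+) win over the catch-all fwd at 60000."""
    return [
        ["ipfw", "-f", "flush"],
        ["ipfw", "add", "100", "allow", "ip", "from", "any", "to", "any", "via", "lo0"],
        # unregistered LAN hosts: any outbound HTTP is handed to the portal's web server
        ["ipfw", "add", "60000", "fwd", f"{PORTAL},80", "tcp",
         "from", str(LAN_NET), "to", "any", "80", "in", "via", LAN_IF],
        # the portal itself (web and DNS) must stay reachable for everyone, both ways
        ["ipfw", "add", "60100", "allow", "ip", "from", str(LAN_NET), "to", PORTAL],
        ["ipfw", "add", "60200", "allow", "ip", "from", PORTAL, "to", str(LAN_NET)],
        ["ipfw", "add", "65000", "deny", "log", "ip", "from", "any", "to", "any"],
    ]


def lan_address(ip):
    """Return the address as an IPv4Address if it is a valid LAN address, else None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # garbage, shell syntax, empty string ...
        return None
    return addr if addr in LAN_NET else None


def rule_number(ip):
    """Deterministic rule number per client address, so registering twice is
    harmless and revocation knows exactly which rule to delete."""
    addr = lan_address(ip)
    if addr is None:
        raise ValueError(f"{ip!r} is not an address on the LAN")
    return BASE_RULE + (int(addr) - int(LAN_NET.network_address))


def allow_commands(ip):
    """The two rules the registration script adds for a host that registered.
    Both share one number: ipfw permits that, and 'ipfw delete N' removes both."""
    n = str(rule_number(ip))
    host = str(lan_address(ip))
    return [["ipfw", "add", n, "allow", "ip", "from", host, "to", "any"],
            ["ipfw", "add", n, "allow", "ip", "from", "any", "to", host]]


def revoke_command(ip):
    return ["ipfw", "delete", str(rule_number(ip))]


def register(remote_addr, run=subprocess.run):
    """Called by the registration CGI with the socket's REMOTE_ADDR, never a
    form field.  The address is validated and passed as an argv list (no
    shell), so a hostile client cannot smuggle ipfw options or shell syntax."""
    cmds = allow_commands(remote_addr)
    for cmd in cmds:
        run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Dry run: print the boot rule set plus one registration, without touching ipfw.
    for cmd in base_rules() + allow_commands("172.16.0.50"):
        print(" ".join(cmd))
```

Run it as-is to see the rule set; in a real deployment the boot script would execute base_rules() and the registration CGI would call register() with the connecting client's address. Note that this only controls traffic that crosses the firewall host; it does nothing about hosts talking to each other on the same switch, and, as the post above says, anyone who takes over a registered host's IP inherits its rule.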
 
I was just thinking..

Since there is going to be no internet, isn't there going to have to be a DNS server? Because if not, when people put in any address it's not going to be able to do a DNS lookup to get the IP, so it will never send any traffic on port 80. Or do I have the whole way DNS lookups work wrong? Even if there is no DNS, will it still work with just firewall rules? It just seems to me I'm going to need a DNS server in there somewhere. I have to go out of town for a few hours now, so I'll try to figure this out more later.

--Sean
 
I'm actually helping seanx with this, so I have a few other questions as well....

IS THIS CORRECT?
When the named service is started it reads named.conf and boots up.

In named.conf, you set up the name server like this:
Code:
options {
	directory "/etc/namedb/";
};
zone "." in {
	type master;
	file "localhost.rev";
};
This should be valid for all "zones" in our name server, which makes this the config file for everyone known on the network, correct?

Now in localhost.rev, this is where we declare our specified domains, so that if we wanted to type "lan" in the address bar we could point it at a specific IP, correct?

If that's correct, we need to know how to set up localhost.rev to bind ALL DNS requests to the same IP; can we do this with '@'?
 
I got it working.
After I got BIND running I just created a "." zone in "named.conf":
Code:
options {
   directory "/etc/namedb/";
   recursion no;
};

zone "." in {        
	type master;        
	file "db.root";
};

and just edited my zone file "db.root" like this:
Code:
$TTL 3600
; apex of the "." (root) zone: this server answers as authoritative for every name
. IN SOA massivelan.com.  root.massivelan.com. (
		1 10800 3600 604800 86400 )      ; serial refresh retry expire minimum
	IN NS  massivelan.com.
; "massivelan" is relative to the origin ".", so this record is for the name "massivelan."
massivelan 86400	IN	A	172.16.0.1
; wildcard at the root: any name that does not otherwise exist in this zone
; (massivelan.com. included) is answered with 172.16.0.1
*.	86400	IN	A	172.16.0.1

Now all DNS queries resolve to 172.16.0.1 and everything works fine and dandy.
 
How are you going to redirect ALL the web traffic to that page? Even if you use Squid or IPNAT or ipf to redirect all HTTP requests to your Apache server, it isn't going to pop up with the page for your LAN :confused:

You would have to have DNS entries as well as virtual hosts for every single web page that people's homepage could be set to (i.e. www.counter-strike.net or whatever...). That's not really possible, is it?

You should search sourceforge.net and see if you can find some kind of proxy (or perhaps Squid has a script add-on) so that it automatically takes all requests and returns a certain page, i.e. your LAN page.
 
I'm not sure, but it does work, because the "." zone I made is a root server. So now if I use my DNS server, say I went to google.com, it would come up as google.com.massivelan.com and be redirected to 172.16.0.1. I've tested it, and it works for anything you put in there. I mean I can't really tell you specifics, because I'm not exactly sure, but it works and that's all that I really care about.
 
Hmm, well, whatever!
Post pics of your LAN party in the LAN party subforum in Gaming!

I am formatting the pics from the LAN party I had with 11 people at home, and writing a little story about it for posting soon!
 
how are you going to redirect ALL the web traffic to that page?

By using this wildcard A record:

Code:
*.	86400	IN	A	172.16.0.1

So any domain will end up pointing to 172.16.0.1.
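To make concrete what the wildcard in the posted db.root does, here is a small Python model of the matching rule BIND applies to wildcards (the "closest encloser" rule of RFC 4592), run against that zone as constructed sample data. This is an added example, not code from the thread or from BIND. It shows that a query for google.com. or www.google.com. is answered from the `*.` record matched against the queried name itself, and it also shows a caveat: a wildcard never matches below a name that exists in the zone, and every label above an explicit record exists as an "empty non-terminal", so adding an explicit massivelan.com. record would silently stop the wildcard from matching anything under .com.

```python
"""Model of how a DNS server applies a wildcard record (RFC 4592 rules).

Added example, not code from the thread or from BIND.  ZONE below is
constructed sample data mirroring the posted db.root, in absolute names.
"""

ZONE = {
    ".": [("SOA", "massivelan.com. root.massivelan.com. 1 10800 3600 604800 86400"),
          ("NS", "massivelan.com.")],
    "massivelan.": [("A", "172.16.0.1")],   # "massivelan" relative to the origin "."
    "*.": [("A", "172.16.0.1")],            # the root wildcard
}

# Variant used to show the caveat: the same zone plus an explicit massivelan.com. record.
WITH_EXPLICIT_NAME = dict(ZONE, **{"massivelan.com.": [("A", "172.16.0.1")]})


def labels(name):
    """'www.google.com.' -> ['com', 'google', 'www'] (root first; '.' -> [])."""
    name = name.lower().rstrip(".")
    return [] if not name else list(reversed(name.split(".")))


def join(labs):
    """Inverse of labels(): [] -> '.', ['com', 'google'] -> 'google.com.'."""
    return "." if not labs else ".".join(reversed(labs)) + "."


def name_exists(zone, name):
    """A name exists if it owns records or has descendants that do (an
    'empty non-terminal').  Existing names are never answered by a wildcard."""
    target = labels(name)
    return any(labels(owner)[:len(target)] == target for owner in zone)


def closest_encloser(zone, qlabels):
    """Longest existing ancestor of the query name (the root always exists)."""
    for cut in range(len(qlabels) - 1, -1, -1):
        candidate = join(qlabels[:cut])
        if name_exists(zone, candidate):
            return candidate
    return "."


def lookup(zone, qname, qtype):
    """Return (status, rdata list); status is 'exact', 'wildcard' or 'NXDOMAIN'."""
    qlabels = labels(qname)
    qname = join(qlabels)
    if name_exists(zone, qname):
        return ("exact", [rd for t, rd in zone.get(qname, []) if t == qtype])
    encloser = closest_encloser(zone, qlabels)
    wildcard = "*." if encloser == "." else "*." + encloser
    if wildcard in zone:
        # Synthesised answer: the wildcard's data, returned under the queried name itself
        return ("wildcard", [rd for t, rd in zone[wildcard] if t == qtype])
    return ("NXDOMAIN", [])


if __name__ == "__main__":
    for zone, label in ((ZONE, "posted zone"), (WITH_EXPLICIT_NAME, "with massivelan.com. added")):
        print(label)
        for q in ("google.com.", "www.google.com.", "massivelan.com.", "www.massivelan.com.", "google.net."):
            print("  ", q, lookup(zone, q, "A"))
```

Two practical consequences for the setup in this thread: the web server receives requests whose Host header is whatever the user typed, so the registration page has to be served by the default (first) virtual host rather than by one vhost per site; and any real multi-label name later added to this zone turns every label above it into an existing name, which blocks the root wildcard for that whole branch unless a matching `*.<name>` record is added alongside.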
 
This is a pretty interesting workaround for getting all web-based traffic to go to your designated intranet server. When I was first reading this, my first thought was to set up a captive portal of some sort where they'd automatically be redirected to the registration page *no matter what*. Sort of like they do with wireless hotspots, where you have to enter a credit card number before it'll grant you access.
 
Well, I have noticed one problem. This redirection does not work unless the URL has 'http://' in front of it. I've looked around Google for a while to see if I could find anything, but I can't.

Anyone know why it does this? Or how I can set it up so it doesn't require the http://?

--Sean
 