document contains no data

Bill Horne bill at horne.net
Sat Aug 16 09:40:41 EDT 2003


----- Original Message ----- 
From: "Ron Peterson"


> First, the concept.  Hand out a fake gateway address to unregistered
> computers.  Said gateway uses iptables rules to reject all traffic
> except port 80.  Port 80 traffic gets DNAT'd to a host (same host as
> fake gateway, in example below) which replies to port 80 traffic with a
> redirect to the URL of a registration page.
[snip]
______________
> iptables setup
>
> THISIP="10.0.0.1"
> THISNET="10.0.0.0/8"
> REGWEBIP="10.0.0.1"
> REGWEBPORT="80"
> PUB="eth0"
> IPTABLES="/sbin/iptables"
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> $IPTABLES -F
> $IPTABLES -t nat -F
>
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD ACCEPT
>
> $IPTABLES -A OUTPUT --match state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT
>
> $IPTABLES -t nat -A PREROUTING -i $PUB -p tcp --dport 80 -j
> DNAT --to-destination $REGWEBIP:$REGWEBPORT
> $IPTABLES -t nat -A POSTROUTING -d $REGWEBIP -p tcp --dport $REGWEBPORT -s
> $THISNET -j SNAT --to-source $THISIP
>
> $IPTABLES -A INPUT -d 127.0.0.1 -i lo -j ACCEPT
> $IPTABLES -A INPUT -j REJECT --reject-with icmp-net-prohibited

[snip]

I'm not sure if this is the source of your problem, but I'll mention it just
in case:

The Policy (-P) options in your iptables set the default to "ACCEPT", so any
screening rules which don't specifically deny access will have no effect.
The DNAT will work (but see below), and your INPUT chain has a REJECT at the
end, but the OUTPUT chain won't screen anything, since it is set to ACCEPT
by default.

Also, I don't understand if you're DNATing traffic to the same or a
different machine. If to a different machine, note that there are no rules
in the FORWARD chain, but that nat is dependent on FORWARD. The INPUT and
OUTPUT chains don't affect forwarded traffic, so if you want to limit your
DNAT traffic to ESTABLISHED,RELATED, then you must put that rule in the
FORWARD chain.

FWIW. YMMV.

Bill
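An added example, not Ron's script and not Bill's: the quoted ruleset rewritten with the two points above applied, default DROP policies instead of ACCEPT, and state rules in the FORWARD chain so the DNAT'd traffic is screened whether the portal is on this host or another one. It assumes the same addresses and interface as the quoted script, and by default only prints the iptables commands so the set can be reviewed without root; set IPTABLES to the real binary to apply it.

```shell
#!/bin/sh
# Constructed example: captive-portal ruleset with explicit default policies
# and FORWARD rules. Gateway is assumed to be 10.0.0.1 on eth0, portal on the
# same host (change REGWEBIP if the registration page lives elsewhere).
THISIP="10.0.0.1"
THISNET="10.0.0.0/8"
REGWEBIP="10.0.0.1"
REGWEBPORT="80"
PUB="eth0"
# Dry run by default: print the commands instead of executing them.
IPTABLES="${IPTABLES:-echo iptables}"

build_rules() {
    $IPTABLES -F
    $IPTABLES -t nat -F
    # Default-deny: a trailing REJECT in INPUT means nothing while OUTPUT
    # and FORWARD still accept everything by policy.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    # Send unregistered clients' web traffic to the registration page.
    $IPTABLES -t nat -A PREROUTING -i "$PUB" -p tcp --dport 80 \
        -j DNAT --to-destination "$REGWEBIP:$REGWEBPORT"
    $IPTABLES -t nat -A POSTROUTING -d "$REGWEBIP" -p tcp --dport "$REGWEBPORT" \
        -s "$THISNET" -j SNAT --to-source "$THISIP"
    # Portal on this host: the DNAT'd packets are delivered via INPUT/OUTPUT.
    $IPTABLES -A INPUT -i "$PUB" -s "$THISNET" -p tcp --dport "$REGWEBPORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$PUB" -p tcp --sport "$REGWEBPORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Portal on another host: DNAT'd packets traverse FORWARD, not
    # INPUT/OUTPUT, so the state screening has to be repeated here.
    $IPTABLES -A FORWARD -i "$PUB" -d "$REGWEBIP" -p tcp --dport "$REGWEBPORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -s "$REGWEBIP" -p tcp --sport "$REGWEBPORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything else from the unregistered segment gets an explicit refusal.
    $IPTABLES -A INPUT -j REJECT --reject-with icmp-net-prohibited
    $IPTABLES -A FORWARD -j REJECT --reject-with icmp-net-prohibited
}
```

Enabling ip_forward (the `echo 1 > /proc/sys/net/ipv4/ip_forward` line from the quoted script) is still needed on the gateway for the different-host case.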
