Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
----- Original Message ----- From: "Ron Peterson" > First, the concept. Hand out a fake gateway address to unregistered > computers. Said gateway uses iptables rules to reject all traffic > except port 80. Port 80 traffic gets DNAT'd to a host (same host as > fake gateway, in example below) which replies to port 80 traffic with a > redirect to the URL of a registration page. [snip] ______________ > iptables setup > > THISIP="10.0.0.1" > THISNET="10.0.0.0/8" > REGWEBIP="10.0.0.1" > REGWEBPORT="80" > PUB="eth0" > IPTABLES="/sbin/iptables" > echo "1" > /proc/sys/net/ipv4/ip_forward > > $IPTABLES -F > $IPTABLES -t nat -F > > $IPTABLES -P INPUT ACCEPT > $IPTABLES -P OUTPUT ACCEPT > $IPTABLES -P FORWARD ACCEPT > > $IPTABLES -A OUTPUT --match state --state NEW,ESTABLISHED,RELATED -j ACCEPT > $IPTABLES -A INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT > > $IPTABLES -t nat -A PREROUTING -i $PUB -p tcp --dport 80 -j > DNAT --to-destination $REGWEBIP:$REGWEBPORT > $IPTABLES -t nat -A POSTROUTING -d $REGWEBIP -p tcp --dport $REGWEBPORT -s > $THISNET -j SNAT --to-source $THISIP > > $IPTABLES -A INPUT -d 127.0.0.1 -i lo -j ACCEPT > $IPTABLES -A INPUT -j REJECT --reject-with icmp-net-prohibited [snip] I'm not sure if this is the source of your problem, but I'll mention it just in case: The Policy (-P) options in your iptables set the default to "ACCEPT", so any screening rules which don't specifically deny access will have no effect. The DNAT will work (but see below), and your INPUT chain has a REJECT at the end, but the OUTPUT chain won't screen anything, since it is set to ACCEPT by default. Also, I don't understand if you're DNATing traffic to the same or a different machine. If to a different machine, note that there are no rules in the FORWARD chain, but that nat is dependent on FORWARD. The INPUT and OUTPUT chains don't affect forwarded traffic, so if you want to limit your DNAT traffic to ESTABLISHED,RELATED, then you must put that rule in the FORW ARD chain. FWIW. YMMV. Bill
BLU is a member of BostonUserGroups | |
We also thank MIT for the use of their facilities. |