
BLU Discuss list archive






----- Original Message ----- 
From: "Ron Peterson"


> First, the concept.  Hand out a fake gateway address to unregistered
> computers.  Said gateway uses iptables rules to reject all traffic
> except port 80.  Port 80 traffic gets DNAT'd to a host (same host as
> fake gateway, in example below) which replies to port 80 traffic with a
> redirect to the URL of a registration page.
[snip]
______________
> iptables setup
>
> THISIP="10.0.0.1"
> THISNET="10.0.0.0/8"
> REGWEBIP="10.0.0.1"
> REGWEBPORT="80"
> PUB="eth0"
> IPTABLES="/sbin/iptables"
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> $IPTABLES -F
> $IPTABLES -t nat -F
>
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD ACCEPT
>
> $IPTABLES -A OUTPUT --match state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT
>
> $IPTABLES -t nat -A PREROUTING -i $PUB -p tcp --dport 80 -j DNAT --to-destination $REGWEBIP:$REGWEBPORT
> $IPTABLES -t nat -A POSTROUTING -d $REGWEBIP -p tcp --dport $REGWEBPORT -s $THISNET -j SNAT --to-source $THISIP
>
> $IPTABLES -A INPUT -d 127.0.0.1 -i lo -j ACCEPT
> $IPTABLES -A INPUT -j REJECT --reject-with icmp-net-prohibited

[snip]

I'm not sure if this is the source of your problem, but I'll mention it just
in case:

The Policy (-P) options in your iptables set the default to "ACCEPT", so any
screening rules which don't specifically deny access will have no effect.
The DNAT will work (but see below), and your INPUT chain has a REJECT at the
end, but the OUTPUT chain won't screen anything, since it is set to ACCEPT
by default.

Also, I don't understand if you're DNATing traffic to the same or a
different machine. If to a different machine, note that there are no rules
in the FORWARD chain, but that nat is dependent on FORWARD. The INPUT and
OUTPUT chains don't affect forwarded traffic, so if you want to limit your
DNAT traffic to ESTABLISHED,RELATED, then you must put that rule in the
FORWARD chain.

FWIW. YMMV.

Bill
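As an added example (not Ron's script and not Bill's code), the ruleset below puts both of the points above into practice: the filter chains default to DROP so that every rule is a deliberate exception, and the DNATed HTTP traffic is accepted in FORWARD as well as in INPUT, so the same ruleset works whether the registration web server is the gateway itself or another machine. It is written in iptables-restore format rather than as a chain of iptables calls so the whole table loads atomically. The variable names are taken from the quoted script; the addresses and interface are placeholders, and the iptables-restore --test parse check is assumed to be available in the installed iptables.

```shell
#!/bin/sh
# Added example, not the original poster's script: captive-portal gateway
# ruleset in iptables-restore format with DROP default policies and explicit
# FORWARD rules. Variable names follow the quoted script; values are placeholders.

THISIP="${THISIP:-10.0.0.1}"        # address handed out as the "fake gateway"
THISNET="${THISNET:-10.0.0.0/8}"    # network the unregistered hosts live on
REGWEBIP="${REGWEBIP:-10.0.0.1}"    # registration web server (this host or another one)
REGWEBPORT="${REGWEBPORT:-80}"
PUB="${PUB:-eth0}"                  # interface facing the unregistered hosts

# Print the whole ruleset. "-m state" is kept because the quoted script uses it;
# on current kernels "-m conntrack --ctstate" is the same match under another name.
captive_portal_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Every HTTP request from the unregistered net is rewritten to the registration server.
-A PREROUTING -i $PUB -s $THISNET -p tcp --dport 80 -j DNAT --to-destination $REGWEBIP:$REGWEBPORT
# If the registration server is another box, source-NAT so its replies route back through us.
-A POSTROUTING -s $THISNET -d $REGWEBIP -p tcp --dport $REGWEBPORT -j SNAT --to-source $THISIP
COMMIT
*filter
# DROP policies: anything not explicitly accepted below is blocked.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Same-host case: the DNATed request is delivered locally and is screened by INPUT.
-A INPUT -i $PUB -p tcp -d $REGWEBIP --dport $REGWEBPORT -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-net-prohibited
# Other-host case: the DNATed request is routed onward and is screened by FORWARD only.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $PUB -s $THISNET -p tcp -d $REGWEBIP --dport $REGWEBPORT -m state --state NEW -j ACCEPT
# Everything else the unregistered hosts try to push through the gateway is refused.
-A FORWARD -j REJECT --reject-with icmp-net-prohibited
COMMIT
EOF
}

# Number of rules appended to a chain: a quick sanity check before loading.
count_chain_rules() {
    captive_portal_rules | grep -c "^-A $1 "
}

# Default policy of a chain as written in the ruleset (INPUT and FORWARD exist
# only in the filter table, so the answer is a single word).
chain_policy() {
    captive_portal_rules | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}

# Parse-check, then load atomically. Needs root. Forwarding is switched on only
# after the rules are in place, so no packet is ever forwarded unfiltered.
apply_rules() {
    captive_portal_rules | iptables-restore --test || return 1
    captive_portal_rules | iptables-restore || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    show)  captive_portal_rules ;;
    apply) apply_rules ;;
esac
```

Run it as `sh captive.sh show` to review the generated rules, or `sh captive.sh apply` as root to load them. Because the default policies are DROP, the trailing REJECT rules exist only to give clients an ICMP error instead of a silent timeout; removing them changes nothing about what is allowed through.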






BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org