I'm working on getting my firewall machine to display a message to my users any time they wander off of the OK'd list. The problem is when I have the line at the bottom labeled the problem line, it redirects all port 80 requests to the local machine without allowing the ones on the OK'd list out. When that line is commented out the script works perfectly. When a user types in amazon.com, they get amazon.com; when they type in hotsheep.com their browser times out. Anyone have any ideas how I can just redirect the traffic that falls outside the wall to go back to the local webserver to receive a proper error message? I know the problem lies in the use of DNAT in PREROUTING happening before the denial items, but I couldn't find a postrouting way to do it... experts help! :)

Basically what I've got is: eth0 is the internet exposed side, eth1 is the internal (10.0.0.1) (Public IPs blocked over)

    iptables -F
    iptables -F -t nat
    iptables -X
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A FORWARD -d localhost -j ACCEPT
    iptables -A FORWARD -d 10.0.0.1 -j ACCEPT

    #ENABLE EVERYONE ACCESS TO THE DNS SERVER
    iptables -t nat -A POSTROUTING -o eth0 -d 209.XXX.XXX.XXX -j MASQUERADE
    iptables -A FORWARD -d 209.XXX.XXX.XXX -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -s 209.XXX.XXX.XXX -j MASQUERADE
    iptables -A FORWARD -s 209.XXX.XXX.XXX -j ACCEPT

    #ENABLE EVERYONE ACCESS TO THE INTERNAL SIDE OF THIS MACHINE
    iptables -t nat -A POSTROUTING -o eth1 -d 10.0.0.1 -j MASQUERADE
    iptables -A FORWARD -d 10.0.0.1 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.1 -j MASQUERADE
    iptables -A FORWARD -s 10.0.0.1 -j ACCEPT

    #ENABLE ACCESS TO amazon.com
    #(a hostname in -s/-d is resolved once, when the rule is loaded; one rule is
    # installed per address it resolves to at that moment)
    iptables -t nat -A POSTROUTING -o eth0 -d amazon.com -j MASQUERADE
    iptables -A FORWARD -d amazon.com -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -s amazon.com -j MASQUERADE
    iptables -A FORWARD -s amazon.com -j ACCEPT
    #END OF ENABLE ACCESS TO amazon.com

    #IF THEY STEP OUT OF THE WALL AND THEY'RE BROWSING, REDIRECT THEM TO THE LOCAL
    #THAT HAS ONLY A 404 ERROR SET TO DISPLAY A PAGE THAT SAYS THEY CAN ONLY GET TO AMAZON
    #THIS IS THE PROBLEM LINE
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
    #THIS IS THE PROBLEM LINE

    iptables -A INPUT -j ACCEPT
    iptables -A OUTPUT -j ACCEPT
    iptables -A FORWARD -j DROP

Thanks in advance!

-David Talbot
On Tue, Jun 05, 2001 at 08:09:41AM -0500, David Talbot wrote:
> #THIS IS THE PROBLEM LINE
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
> #THIS IS THE PROBLEM LINE

I tried this on my 2.4.5 box, and it works just fine -- as long as the --to <address> isn't the same box I'm attempting to connect from. IOW, as long as the webserver isn't on the same box I'm attempting to browse outside the firewall with. When I tried to DNAT to the same box I was running lynx on, I just got a timeout. When I switched to DNAT to a different box, all requests went there properly.

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.enfusion-group.com] up 28 days, 22:07, 2 users
I tried what you suggested (changing the destination to a different box) and it still does it to all the requests.

The goal of the firewall setting is to allow access only to a few specific sites (in the case of the example provided, amazon.com should be the only URL the users can get to) and all other sites should go to an internal webserver to tell them that they can't get to the site they're trying to go to. Does this make sense? Is there any way to do the DNAT only when it's not on the access list? (It's actually more like 100 sites I want the users to have access to; I narrowed down the script a bit for the example.)

Any ideas? This one has been killing me for a while... I know it's possible because I've seen networks that behave like this. Help me out with this and you'll be my hero!

-David Talbot

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Adrian Chung
Sent: Tuesday, June 05, 2001 9:56 AM
To: David Talbot
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Redirecting wayward traffic

> [...]

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://ds9a.nl/2.4Routing/
David Talbot wrote:
> [...]

What about denying direct access completely and using Squid as a transparent proxy? Then you don't need a separate web server for the error page because Squid can generate customized error messages itself. And you can work not only based on IP addresses but also with regexes for the URLs that you want to deny (or allow - it's up to you).

Juri
On Tue, Jun 05, 2001 at 08:09:41AM -0500, David Talbot wrote:
> #THIS IS THE PROBLEM LINE
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
> #THIS IS THE PROBLEM LINE

I think I know what the problem is. Before that though, Juri is right in saying that this is more easily and effectively achieved using Squid, but, that being said...

You're trying to do DNAT onto the same network. You change the destination IP of the packets back onto the local network, but when they hit 10.0.0.1 they look like they came from the external IP of your router, and so they get dropped. Look at:

http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-10.html

Try adding:

    iptables -t nat -A POSTROUTING -p tcp -s <yourLAN> -d 10.0.0.1 --dport 80 -j SNAT --to <NATboxIP>

It worked for me, but I had to do some other fiddling because I'm also doing policy based (source) routing, and so my setup might not quite be the same as yours, but it's worth a try. If you use tcpdump, you should see packets hitting 10.0.0.1 from a non-LAN IP.

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.enfusion-group.com] up 28 days, 23:15, 3 users
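The failure Adrian's SNAT rule cures, modelled as an added example (this is editor-written code, not anything posted in the thread). It follows his "different box" case: a LAN client opens a connection to some outside address, the NAT box DNATs it to a web server on the same LAN, and the server answers the client directly across the LAN instead of through the NAT box. The client never talked to the server's address, so its TCP stack discards the reply. With the translated packet also SNATed to the NAT box's LAN address, the server replies to the NAT box, where conntrack undoes both translations. The addresses 10.0.0.254 (NAT box), 10.0.0.50 (client) and 203.0.113.10 (an outside, non-allowlisted site, from the TEST-NET-3 range) are assumptions; 10.0.0.1 is kept as the error-page server but is here a separate host from the NAT box.

```python
"""Why DNAT back into the same LAN needs a matching SNAT (hairpin NAT).

Added example; addresses marked 'assumed' are not from the thread.
"""
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("10.0.0.0/24")
NATBOX_LAN_IP = "10.0.0.254"   # assumed LAN address of the NAT box
ERROR_SERVER = "10.0.0.1"      # web server holding the 'you can only reach amazon' page
CLIENT = "10.0.0.50"           # assumed ordinary LAN workstation
OUTSIDE = "203.0.113.10"       # assumed non-allowlisted site (TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The packet a peer sends back on this connection."""
        return Packet(self.dst, self.dport, self.src, self.sport)


def nat_box_translate(pkt, with_snat):
    """nat PREROUTING: DNAT every port-80 connection to the error server.
    nat POSTROUTING (only if with_snat): Adrian's rule,
      iptables -t nat -A POSTROUTING -p tcp -s <LAN> -d 10.0.0.1 --dport 80 \
          -j SNAT --to <NATboxIP>
    """
    if pkt.dport == 80:
        pkt = replace(pkt, dst=ERROR_SERVER)
    if (with_snat and ipaddress.ip_address(pkt.src) in LAN
            and pkt.dst == ERROR_SERVER and pkt.dport == 80):
        pkt = replace(pkt, src=NATBOX_LAN_IP)
    return pkt


def nat_box_untranslate(reply, original, translated):
    """conntrack: a reply to the translated flow is rewritten back onto the
    original flow (both the DNAT and the SNAT are reversed at once)."""
    if reply == translated.reverse():
        return original.reverse()
    return reply


def simulate(with_snat):
    """True if the client's TCP stack accepts the web server's reply."""
    original = Packet(CLIENT, 40000, OUTSIDE, 80)
    translated = nat_box_translate(original, with_snat)
    reply = translated.reverse()          # the server answers whoever it saw
    # Same-LAN delivery: the reply only crosses the NAT box if it is addressed
    # to the NAT box; otherwise the switch hands it straight to the client.
    if reply.dst == NATBOX_LAN_IP:
        reply = nat_box_untranslate(reply, original, translated)
    # A TCP stack only accepts segments from the 4-tuple it opened.
    return reply == original.reverse()


if __name__ == "__main__":
    print("DNAT only      ->", "reply accepted" if simulate(False) else "reply dropped")
    print("DNAT + SNAT    ->", "reply accepted" if simulate(True) else "reply dropped")
```

Without the SNAT the server sees the client's real address and replies to it directly, which is what Adrian's tcpdump hint is about: the diagnostic is to watch what source address the web server actually sees on port 80 and where its SYN/ACK goes.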
I may just do that (god knows it would make the walling process easier to be able to use reg exps), but before I do let me explain the overall problem.

If I do the transparent proxy I would want it done to all addresses except the ones on my explicit list. For example:

I want 10.0.1.1 and 10.1.250.1 to have full unrestricted access to the internet including FTP, Kazaa, etc.
All other IPs I want to only be able to use port 80 (web) through the transparent proxy. The proxy I would configure to use the walled ACLs so all these people have access to is amazon.com.

Is that possible? With the transparent proxy iptables settings I've seen so far the transparent proxy applies to everyone when it is done. How can I make it so people on my unfettered access list don't get piped through the proxy?

-David Talbot

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Juri Haberland
Sent: Tuesday, June 05, 2001 10:48 AM
To: dtalbot@reallinx.com
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Redirecting wayward traffic

> [...]
On Tue, Jun 05, 2001 at 11:20:30AM -0500, David Talbot wrote:
> I want 10.0.1.1 and 10.1.250.1 to have full unrestricted access to the
> internet including FTP, Kazaa, etc.
> All other IPs I want to only be able to use port 80 (web) through the
> transparent proxy. The proxy I would configure to use the walled ACLs so all
> these people have access to is amazon.com.
>
> Is that possible? With the transparent proxy iptables settings I've seen so
> far the transparent proxy applies to everyone when it is done. How can I
> make it so people on my unfettered access list don't get piped through the
> proxy?

You can do this by transparent proxying the entire 10.0.0.0 network, then inserting rules above this for the special cases, that just 'ACCEPT' them:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    iptables -t nat -I PREROUTING -i eth0 -p tcp -s 10.0.1.1 -j ACCEPT
    iptables -t nat -I PREROUTING -i eth0 -p tcp -s 10.1.250.1 -j ACCEPT

This is assuming the proxy server is on the NAT box, if not, you'll have to adjust the first rule. This will allow traffic from 10.0.1.1 and 10.1.250.1 straight through, and transparently proxy everything else.

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.enfusion-group.com] up 28 days, 23:48, 3 users
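The ordering trick in Adrian's reply, replayed by an added example (editor-written, not code from the thread). In the nat table the first matching rule decides how a connection is translated, and a matching ACCEPT ends the traversal with no NAT at all, so exceptions only work if they sit above the blanket REDIRECT; that is why his exception rules use -I while the REDIRECT is appended with -A. The example goes one step beyond his message: the same ordering answers David's original question too, an ACCEPT with -d for each allowlisted destination inserted above the catch-all DNAT to the error page. Assumptions that are not the thread's: the LAN hangs off eth1 (the first post names eth0 as the Internet side), the NAT box's LAN address is 10.0.0.254, Squid listens on 3128 on the NAT box, and 198.51.100.0/24 (TEST-NET-2) stands in for the resolved addresses of an allowlisted site.

```python
"""Model of nat PREROUTING traversal: rule order, -I vs -A, ACCEPT, REDIRECT, DNAT.
Added example; interface, addresses and ports marked below are assumptions."""
import ipaddress
import shlex
from dataclasses import dataclass, replace
from typing import Optional

LAN_IF = "eth1"                  # assumed: eth0 is the Internet side in the first post
NATBOX_LAN_IP = "10.0.0.254"     # assumed LAN address of the NAT box (REDIRECT target)
ALLOWED_NET = "198.51.100.0/24"  # stands in for an allowlisted site's addresses


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    to: Optional[str] = None


def parse_rule(cmdline):
    """Parse the iptables subset used in the thread -> (table, chain, inserted, Rule).
    Every option in that subset takes exactly one value, so flags pair with values."""
    toks = shlex.split(cmdline)
    opts = dict(zip(toks[1::2], toks[2::2]))
    mode = "-I" if "-I" in opts else "-A"
    net = lambda f: ipaddress.ip_network(opts[f], strict=False) if f in opts else None
    rule = Rule(target=opts["-j"], iface=opts.get("-i"), proto=opts.get("-p"),
                src=net("-s"), dst=net("-d"),
                dport=int(opts["--dport"]) if "--dport" in opts else None,
                to=opts.get("--to-port") or opts.get("--to"))
    return opts.get("-t", "filter"), opts[mode], mode == "-I", rule


def build_chain(cmdlines, table="nat", chain="PREROUTING"):
    """Replay the commands in order: -I (no rule number) puts a rule at the top, -A at the bottom."""
    rules = []
    for line in cmdlines:
        t, c, inserted, rule = parse_rule(line)
        if (t, c) != (table, chain):
            continue
        if inserted:
            rules.insert(0, rule)
        else:
            rules.append(rule)
    return rules


def matches(rule, pkt):
    return ((rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def nat_prerouting(rules, pkt):
    """First match wins. ACCEPT in the nat table = this connection is not NATed."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.target == "ACCEPT":
            return pkt
        if rule.target == "REDIRECT":   # DNAT to the incoming interface's own address
            return replace(pkt, dst=NATBOX_LAN_IP, dport=int(rule.to))
        if rule.target == "DNAT":
            return replace(pkt, dst=rule.to)
        raise ValueError("unsupported target " + rule.target)
    return pkt                          # chain policy ACCEPT: no translation


# Adrian's recipe (LAN interface assumed to be eth1).
PROXY_RULES = [
    "iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128",
    "iptables -t nat -I PREROUTING -i eth1 -p tcp -s 10.0.1.1 -j ACCEPT",
    "iptables -t nat -I PREROUTING -i eth1 -p tcp -s 10.1.250.1 -j ACCEPT",
]
# Same commands with -A everywhere: the exceptions land below the REDIRECT and never match.
PROXY_RULES_WRONG_ORDER = [r.replace(" -I ", " -A ") for r in PROXY_RULES]
# The original question: catch-all DNAT to the error page, allowlisted destinations exempted.
ERROR_PAGE_RULES = [
    "iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 10.0.0.1",
    "iptables -t nat -I PREROUTING -i eth1 -p tcp -d %s --dport 80 -j ACCEPT" % ALLOWED_NET,
]


def where_does_it_go(cmdlines, src, dst):
    """(dst, dport) that a LAN client's HTTP connection has after nat PREROUTING."""
    out = nat_prerouting(build_chain(cmdlines), Packet(LAN_IF, src, dst, 80))
    return out.dst, out.dport
```

Running where_does_it_go over PROXY_RULES shows 10.0.1.1 leaving with its destination untouched while any other LAN host ends up at 10.0.0.254:3128; the WRONG_ORDER variant sends 10.0.1.1 to the proxy too. Two caveats the model makes visible: the exception rules match on source address only, so anyone who can take 10.0.1.1 or 10.1.250.1 inherits the bypass, and matching a site by -d depends on the addresses being current, since a hostname in a rule is resolved once at load time.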
David Talbot wrote:
> [...]

Sure, should be no problem using iptables: First allow 10.0.1.1 and 10.1.250.1 access to the required services (www, ftp) and then use a rule that redirects all traffic to port 80 to your proxy. After that put a rule that denies everything. So your other clients can only access port 80 via the proxy and nothing more, whereas those special clients have full access without going via the proxy. That should be it (or have I overlooked something?).

Juri
Just to keep google fed with good information I'll summarize what worked:

You were dead on with the way to redirect the ports to only transparent proxy specific IP addresses, and dead on that I should use squid to do the actual proxying instead of putting it all through iptables. The start up time for my script before (when it was all iptables) was around a minute, now between restarting squid and re-applying the iptables it's less than a second!

The last thing that I had to do to bring all this together to make it work (thanks Thomas Veldhouse) was make some minor modifications to my squid configuration to get it to accept iptables based port redirection as a transparent squid proxy:

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

Thank you all you gurus of network infrastructure, it took 4 separate points of view, but it came together :)

-David Talbot

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Adrian Chung
Sent: Tuesday, June 05, 2001 11:40 AM
To: David Talbot
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Redirecting wayward traffic

> [...]