* Handling a client's fixed IP address
From: john zurowski @ 2003-10-29 21:04 UTC
  To: netfilter


I've been using iptables without problems for almost a year now. A situation
has however occurred where I would like to allow users with fixed IP
addresses onto the LAN in order to gain access to the internet. The
situation is complicated because the client devices may be assigned fixed IP
addresses which do not match our subnet or point at our gateway. Can
iptables be configured in such a way that this could be handled
transparently, i.e. without the client having to set up a DHCP client service?


* Re: Handling a client's fixed IP address
From: Herman @ 2003-10-29 23:35 UTC
  To: john zurowski, netfilter

On Wednesday 29 October 2003 9:04 pm, john zurowski wrote:
> I've been using iptables without problems for almost a year now. A
> situation has however occurred where I would like to allow users
> with fixed IP addresses onto the LAN in order to gain access to the
> internet. The situation is complicated because the client devices may be
> assigned fixed IP addresses which do not match our subnet or point at our
> gateway. Can iptables be configured in such a way that this could be
> handled transparently, i.e. without the client having to set up a DHCP
> client service?

Hmm, as I understand it:
A visitor plugs a 'foreign' laptop into the wall in your meeting room and
starts a browser, then he expects to connect to, say, www.cnn.com without
having to change *any* settings on his machine, which may be configured to
talk to a non-existent gateway IP address.

We hope that your guest IP and Gateway settings do not clash with an existing 
IP address on your network.  If you are concerned about clashes, then you 
would need either a dedicated interface or a virtual LAN interface to 
separate the meeting room from the rest of the place.

Well, this clearly calls for NAT, but it won't be simple.

I think you have to look at "-m state --state NEW,ESTABLISHED,RELATED" and
"SNAT" to cause every new, previously unknown connection attempt, and whatever
follows from that, to be redirected to the external IP on the firewall
machine.

I think the simplest case would be if you use a dedicated interface or VLAN, 
say eth3 if it is dedicated hardware or eth1.1 if it is a VLAN and then SNAT 
whatever arrives on that interface to the outside IP address of the firewall.

Since the packets would be addressed to a non-existent gateway machine, you
would need to do DNAT too.

I have a feeling that this problem can be solved with iptables and it would be 
interesting if one of the real iptables gurus can comment.

Cheers,
-- 
Herman



* RE: Handling a client's fixed IP address
From: Fredrik Emil Jensen @ 2003-10-30  9:54 UTC
  To: Herman, john zurowski, netfilter

You may want to look at this,
http://www.securiteam.com/exploits/6F00B1561Q.html

IP spoofing; don't forget that you may also want to do proxy
spoofing/redirecting and SMTP spoofing/redirecting.

Products such as Birdstep, Nomadix and Zyxel VSG 1200 already do this for
you, typically hotspot solutions, but expensive.


/Fredrik



* Re: Handling a client's fixed IP address
From: Ted Kaczmarek @ 2003-10-30 12:11 UTC
  To: Herman; +Cc: john zurowski, netfilter

I had the same issue for a consultants' network.
But I used a DHCP range of a /26, default policies of ACCEPT, and
added rules to INPUT and FORWARD denying access from that /26 to any
internal networks.

For management purposes I insert a rule for a static IP as needed.

The same could be done with static IPs, but I would make them
contiguous.
One-line rules are always nicer than multiple lines :-)

You could also slap a qdisc on the block as well so they don't eat up
too much bandwidth.

Ted

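Herman's suggestion (SNAT everything that arrives on a dedicated guest interface to the firewall's outside address) and Ted's (a guest block that is denied access to the internal networks and rate-limited with a qdisc) fit together in one ruleset. The script below is an added example written for this page, not code posted by anyone in the thread. The interface names, addresses and prefixes (eth3, eth0, 203.0.113.10, 192.168.0.0/16, 10.0.0.0/8, the guest address 10.5.5.7) and the squid port are assumptions. It also covers the piece neither post spells out: a laptop configured for a foreign gateway ARPs for that gateway, so the firewall has to answer that ARP (proxy_arp on the guest port) and has to hold a route back to the guest's off-subnet address; for known fixed addresses, as in the original question, a host route per guest does it.

```shell
#!/bin/sh
# Guest-port firewall: any statically configured laptop on the guest interface
# reaches the internet via SNAT and nothing else.  Constructed example; the
# topology below is assumed, not taken from the thread.
#   eth3          dedicated guest/meeting-room port (or a VLAN such as eth1.1)
#   eth0          uplink, public address 203.0.113.10
#   INTERNAL_NETS prefixes guests must never reach
# Usage: sh guest-fw.sh apply | sh guest-fw.sh dry-run
# dry-run prints the commands instead of executing them.

GUEST_IF="${GUEST_IF:-eth3}"
WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-203.0.113.10}"
INTERNAL_NETS="${INTERNAL_NETS:-192.168.0.0/16 10.0.0.0/8}"
GUEST_RATE="${GUEST_RATE:-2mbit}"   # cap on traffic delivered to guests
PROXY_PORT="${PROXY_PORT:-}"         # e.g. 3128 to force HTTP through squid
GUEST_MARK=0x3                       # fwmark tagging frames that entered on the guest port

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

guest_rules() {
    # Layer 2/3 plumbing.  A guest whose default gateway is some foreign
    # address ARPs for it on the guest port; proxy_arp makes this box answer
    # for any target it can route out another interface.  rp_filter must be
    # off on that port or the kernel discards frames with off-subnet sources.
    run sysctl -w "net.ipv4.conf.${GUEST_IF}.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.${GUEST_IF}.rp_filter=0"
    run sysctl -w net.ipv4.ip_forward=1

    # Tag everything entering on the guest port.  POSTROUTING cannot match on
    # -i, so the mark is how the SNAT rule recognises guest traffic whatever
    # source address the laptop happens to carry.
    run iptables -t mangle -A PREROUTING -i "$GUEST_IF" -j MARK --set-mark "$GUEST_MARK"
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -m mark --mark "$GUEST_MARK" \
        -j SNAT --to-source "$WAN_IP"

    # Own chain so the existing FORWARD policy stays untouched.
    run iptables -N GUEST_FWD 2>/dev/null || true
    run iptables -A FORWARD -i "$GUEST_IF" -j GUEST_FWD
    for net in $INTERNAL_NETS; do          # word-split on purpose
        run iptables -A GUEST_FWD -d "$net" -j REJECT
    done
    run iptables -A GUEST_FWD -o "$WAN_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A GUEST_FWD -j DROP
    run iptables -A FORWARD -i "$WAN_IF" -o "$GUEST_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Guests get nothing from the firewall itself, except a transparent HTTP
    # proxy when one is configured (the "proxy redirecting" of the thread).
    if [ -n "$PROXY_PORT" ]; then
        run iptables -t nat -A PREROUTING -i "$GUEST_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
        run iptables -A INPUT -i "$GUEST_IF" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    fi
    run iptables -A INPUT -i "$GUEST_IF" -j DROP

    # Bandwidth cap on what is delivered to the guest port.
    run tc qdisc add dev "$GUEST_IF" root tbf rate "$GUEST_RATE" burst 32kbit latency 400ms
}

# Replies are de-NATed to the guest's real, possibly off-subnet, address and
# then routed; without a route pointing at the guest port they would leave
# via the default route.  For a known fixed address install a host route.
add_guest_host_route() {
    run ip route add "$1/32" dev "$GUEST_IF"
}

case "${1:-}" in
    apply)   guest_rules ;;
    dry-run) DRY_RUN=1 guest_rules ;;
esac
```

Run `sh guest-fw.sh dry-run` first and read the generated rules; `apply` needs root. The host-route step is what the hotspot appliances Fredrik lists automate by learning each client's address from its first frames; without it, only guests whose addresses fall inside a prefix routed to the guest port (Ted's DHCP /26, say) get their replies back. On kernels from 2.6.31 on, source validation uses the larger of `net.ipv4.conf.all.rp_filter` and the per-interface value, so the per-interface 0 above only takes effect if the `all` setting is 0 as well. `-m state` is the 2003-era syntax; current iptables spells the same match `-m conntrack --ctstate`.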
