* [LARTC] masquerade and mac problem
From: Sorin Capra @ 2004-09-04 12:19 UTC
To: lartc
Hello guys
I don't know if this thing has been posted before (if it was, please forgive me).
I have 7 computers at home and I want all of them to have access to the internet. In order to do that, I set up a linux router (2 network cards) as a usual router (eth0: 82.77.69.75 - internet connection; eth1: 192.168.10.1 - local network). The other computers have IPs ranging from 192.168.10.2 to 192.168.10.8. The linux router masquerades the other computers. The problem I have is that I want to do the masquerading based on MAC AND the IP, not only on the IP (so if I change the IP on a computer and use another IP from another computer which is down, the masquerading process shouldn't work).
What I came up with is this:
-------------------------
#!/bin/sh
ipt="/usr/sbin/iptables"

# Flush the filter and nat tables
$ipt -F
$ipt -F -t nat

# One user chain per client (errors are hidden if the chain already exists)
$ipt -t filter -N computer1 >/dev/null 2>&1
$ipt -t filter -N computer2 >/dev/null 2>&1
$ipt -t filter -N computer3 >/dev/null 2>&1
$ipt -t filter -N computer4 >/dev/null 2>&1
$ipt -t filter -N computer5 >/dev/null 2>&1

# Hand each source IP over to its client chain
$ipt -A FORWARD -s 192.168.10.2 -j computer1
$ipt -A FORWARD -s 192.168.10.3 -j computer2
$ipt -A FORWARD -s 192.168.10.4 -j computer3
$ipt -A FORWARD -s 192.168.10.5 -j computer4
$ipt -A FORWARD -s 192.168.10.6 -j computer5

# Accept only if the frame also carries the expected source MAC
$ipt -A computer1 -m mac --mac-source 00:c0:df:f7:7c:3b -j ACCEPT
$ipt -A computer2 -m mac --mac-source 00:06:4f:0f:3b:c1 -j ACCEPT
$ipt -A computer3 -m mac --mac-source 00:0c:6e:90:39:6a -j ACCEPT
$ipt -A computer4 -m mac --mac-source 00:90:27:5f:5e:78 -j ACCEPT
$ipt -A computer5 -m mac --mac-source 00:90:27:9b:3c:a2 -j ACCEPT

# Masquerade each client
$ipt -A POSTROUTING -t nat -s 192.168.10.2 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.3 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.4 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.5 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.6 -j MASQUERADE

#$ipt -P FORWARD DROP
--------------------
If I uncomment the last line ("#$ipt -P FORWARD DROP") the router won't forward any packets. What am I doing wrong?
Thank you in advance,
Sorin
* Re: [LARTC] masquerade and mac problem
From: Tomasz Chilinski @ 2004-09-04 13:55 UTC
To: lartc
On Sat, 4 Sep 2004 05:19:39 -0700 (PDT), Sorin Capra wrote:
> $ipt -t filter -N computer1 >/dev/null 2>&1
> $ipt -t filter -N computer2 >/dev/null 2>&1
> $ipt -t filter -N computer3 >/dev/null 2>&1
> $ipt -t filter -N computer4 >/dev/null 2>&1
> $ipt -t filter -N computer5 >/dev/null 2>&1
>
> $ipt -A FORWARD -s 192.168.10.2 -j computer1
> $ipt -A FORWARD -s 192.168.10.3 -j computer2
> $ipt -A FORWARD -s 192.168.10.4 -j computer3
> $ipt -A FORWARD -s 192.168.10.5 -j computer4
> $ipt -A FORWARD -s 192.168.10.6 -j computer5
>
> $ipt -A computer1 -m mac --mac-source 00:c0:df:f7:7c:3b -j ACCEPT
> $ipt -A computer2 -m mac --mac-source 00:06:4f:0f:3b:c1 -j ACCEPT
> $ipt -A computer3 -m mac --mac-source 00:0c:6e:90:39:6a -j ACCEPT
> $ipt -A computer4 -m mac --mac-source 00:90:27:5f:5e:78 -j ACCEPT
> $ipt -A computer5 -m mac --mac-source 00:90:27:9b:3c:a2 -j ACCEPT
>
> $ipt -A POSTROUTING -t nat -s 192.168.10.2 -j MASQUERADE
> $ipt -A POSTROUTING -t nat -s 192.168.10.3 -j MASQUERADE
> $ipt -A POSTROUTING -t nat -s 192.168.10.4 -j MASQUERADE
> $ipt -A POSTROUTING -t nat -s 192.168.10.5 -j MASQUERADE
> $ipt -A POSTROUTING -t nat -s 192.168.10.6 -j MASQUERADE
>
> #$ipt -P FORWARD DROP
> --------------------
Use the mac source match in the PREROUTING chain of the nat table. Additionally, the tests will be run for the first packets of connections (less load).
> Thank you in advance,
> Sorin
Bests,
Tomasz Chilinski
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] masquerade and mac problem
From: Tomasz Chilinski @ 2004-09-04 15:44 UTC
To: lartc
On Sat, 4 Sep 2004 08:21:21 -0700 (PDT), Sorin Capra wrote:
> Thank you for the quick reply
>
> It works now, but I still have one question: why didn't it work before
> (in FORWARD)? It should have worked, shouldn't it?
1) Have you tried to do:
iptables -t filter -L -nv
and check if counters are non-zero for rules with mac source matches?
2) In kernel source I have found something like this
(net/ipv4/netfilter/ipt_mac.c file):
static int
ipt_mac_checkentry(const char *tablename,
                   const struct ipt_ip *ip,
                   void *matchinfo,
                   unsigned int matchsize,
                   unsigned int hook_mask)
{
        /* FORWARD isn't always valid, but it's nice to be able to do --RR */
        if (hook_mask
            & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN)
                | (1 << NF_IP_FORWARD))) {
                printk("ipt_mac: only valid for PRE_ROUTING, LOCAL_IN or"
                       " FORWARD.\n");
                return 0;
        }

        if (matchsize != IPT_ALIGN(sizeof(struct ipt_mac_info)))
                return 0;

        return 1;
}
Maybe while traversing the filter/FORWARD hook the mac field in the skb structure is not
valid, because the packet is being forwarded between two ifaces.
> Bests,
> Sorin
Bests,
Tomasz Chilinski
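Tomasz's first suggestion, reading the counters of `iptables -t filter -L -nv`, is the quickest way to tell whether the MAC rules are ever consulted or whether the FORWARD policy is eating the traffic. The script below is an added example, not part of the thread: it parses that listing (a constructed sample embedded in the script, with sample MAC addresses, laid out as 2.4/2.6-era iptables prints it, which is an assumption about the reader's version) and reports every MAC-matching rule that has never seen a packet, together with the number of packets the FORWARD policy itself has dropped. A MAC rule stuck at zero while the policy counter climbs means the packets never reach that rule, which is exactly the symptom Sorin described.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): spot MAC rules that never match.
# Reads the output of `iptables -t filter -L -nv` on stdin.

# Constructed sample listing: computer1's MAC rule has never matched,
# computer2's has, and the FORWARD policy has dropped 12 packets.
SAMPLE='Chain FORWARD (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 computer1  all  --  *      *       192.168.10.2         0.0.0.0/0
   41  3200 computer2  all  --  *      *       192.168.10.3         0.0.0.0/0

Chain computer1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:11:22:33:44:55

Chain computer2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
   41  3200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:11:22:33:44:56'

# Print one line per MAC-matching rule whose packet counter is still zero,
# prefixed with the chain the rule lives in.
zero_hit_mac_rules() {
    awk '
        /^Chain /          { chain = $2; next }   # remember the current chain
        /^[ \t]*pkts /     { next }               # column header line
        NF == 0            { next }               # blank separator line
        / MAC / && $1 == 0 {
            printf "%s: MAC rule for %s has never matched\n", chain, $NF
        }
    '
}

# Packets dropped by the FORWARD chain policy (the "12" in the sample).
# If this grows while the MAC rules stay at zero, the rules are not being
# reached for the traffic that is dying.
forward_policy_drops() {
    awk '/^Chain FORWARD \(policy/ { print $5 }'
}

# Stand-alone run against the sample; replace the printf with
#   iptables -t filter -L -nv | zero_hit_mac_rules
# on a live router.
printf '%s\n' "$SAMPLE" | zero_hit_mac_rules
printf 'FORWARD policy drops: %s\n' "$(printf '%s\n' "$SAMPLE" | forward_policy_drops)"
```

Run it once before and once after a short test session from the client in question: a rule that stays at zero across the session has not been consulted at all, which separates a rule-placement problem from a mismatched MAC address.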
* Re: [LARTC] masquerade and mac problem
From: Ilia Lindov @ 2004-09-04 17:18 UTC
To: lartc
Hi,
I recommend that you use the following script:
------------------------------------------------
#!/bin/sh
# Deleting all existing rules in all chains
# and deleting user created chains
iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -X
iptables -t filter -X
iptables -t mangle -X
# Setting the default policy to DROP, so those packets which are not
# ACCEPT-ed are dropped at the end
iptables -P FORWARD DROP
# Masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allowing outgoing packets from specific users with correct mac
# addresses.
# Add the same line for each client with the proper ip and mac addresses
iptables -A FORWARD -s 192.168.10.2 -m mac --mac-source \
    00:11:22:33:44:55 -j ACCEPT
# Allowing all incoming packets which belong to a client's
# connection
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-----------------------------------------------------------------------
You should consider the INPUT and OUTPUT chains on your router, and
set proper rules in them according to your needs.
Also you'll need connection tracking support from the kernel.
The 'ip_conntrack' and similar modules will be useful if you don't have
connection tracking support compiled into the kernel itself.
I hope this will help!!!
Regards: Ilia Lindov
Sorin Capra wrote:
> Hello guys
>
> I don't know if this thing has been posted before (if it was , please
> forgive me).
> I have 7 computers at home and I want all of them to have access to the
> internet. In order to do that , I set up a linux router (2 network
> cards) as a usual router (eth0 : 82.77.69.75 - internet connection ;
> eth1 : 192.168.10.1 - local network) . The other computers have ips
> ranging from 192.168.10.2 to 192.168.10.8 . The linux router masquerades
> the other computers. The problem I have is that I want to do the
> masquerading based on mac AND the ip not only on the ip (so if I change
> the ip on a computer and use another ip from another computer which is
> down , the masquerading process shouldn't work)
> What I came up with is this :
>
> -------------------------
> #!/bin/sh
> ipt="/usr/sbin/iptables"
>
> $ipt -F
> $ipt -F -t nat
>
> $ipt -t filter -N computer1 >/dev/null 2>&1
> $ipt -t filter -N computer2 >/dev/null 2>&1
> $ipt -t filter -N computer3 >/dev/null 2>&1
> $ipt -t filter -N computer4 >/dev/null 2>&1
> $ipt -t filter -N computer5 >/dev/null 2>&1
> $ipt -A FORWARD -s 192.168.10.2 -j computer1
> $ipt -A FORWARD -s 192.168.10.3 -j computer2
> $ipt -A FORWARD -s 192.168.10.4 -j computer3
> $ipt -A FORWARD -s 192.168.10.5 -j computer4
> $ipt -A FORWARD -s 192.168.10.6 -j computer5
> $ipt -A computer1 -m mac --mac-source 00:c0:df:f7:7c:3b -j ACCEPT
> $ipt -A computer2 -m mac --mac-source 00:06:4f:0f:3b:c1 -j ACCEPT
> $ipt -A computer3 -m mac --mac-source 00:0c:6e:90:39:6a -j ACCEPT
> $ipt -A computer4 -m mac --mac-source 00:90:27:5f:5e:78 -j ACCEPT
> $ipt -A computer5 -m mac --mac-source 00:90:27:9b:3c:a2 -j ACCEPT
>
> $ipt -A POSTROUTING -t nat -s 192.168.10.2 -j MASQUERADE
> $ipt -A POSTROUTING -t nat -s 192.168.10.3 -j MASQUERADE
> $ipt -A POSTROUTING -t nat -s 192.168.10.4 -j MASQUERADE
> $ipt -A POSTROUTING -t nat -s 192.168.10.5 -j MASQUERADE
> $ipt -A POSTROUTING -t nat -s 192.168.10.6 -j MASQUERADE
>
> #$ipt -P FORWARD DROP
> --------------------
>
> If I uncomment the last line ("#$ipt -P FORWARD DROP") the router
> won't forward any packets. What am I doing wrong ?
>
> Thank you in advance,
>
> Sorin
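The two scripts in this thread (Sorin's per-host chains and Ilia's default-DROP version) differ in one decisive rule: with `-P FORWARD DROP` and only `-s 192.168.10.x` matches, the replies coming back from eth0 have no rule to accept them and die on the policy, which is why Sorin's router stopped forwarding. Ilia's `ESTABLISHED,RELATED` rule is what lets the return path through. The script below is an added example, not code from the thread: it generalizes Ilia's approach to a table of clients, pins each client to the LAN interface so a LAN address cannot be claimed from the uplink side, and places the state rule first so the IP+MAC pair is evaluated on a connection's first packet only (the "less load" Tomasz mentioned), after which conntrack carries the flow. It assumes eth0 is the uplink and eth1 the LAN as in Sorin's setup; the MAC addresses are constructed sample values. `DRY_RUN=1` (the default) prints the iptables commands instead of loading them.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): IP+MAC-pinned forwarding with a
# default-DROP FORWARD chain, generated from a client table.
# DRY_RUN=1 prints the commands; DRY_RUN=0 loads them with iptables.

WAN_IF="${WAN_IF:-eth0}"   # uplink, as in Sorin's setup (assumption)
LAN_IF="${LAN_IF:-eth1}"   # local network (assumption)
DRY_RUN="${DRY_RUN:-1}"

# Client table, one "ip mac" pair per line. Constructed sample values.
CLIENTS='
192.168.10.2 00:11:22:33:44:55
192.168.10.3 00:11:22:33:44:56
192.168.10.4 00:11:22:33:44:57
'

# Wrapper: print in dry-run mode, otherwise run the real iptables binary.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    # Flush rules and delete user chains in the tables this script owns.
    for t in filter nat; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done

    # Fail closed first: nothing is forwarded unless a rule below allows it.
    ipt -P FORWARD DROP

    # Return traffic and related flows of connections already accepted.
    # Placed first so later packets never re-run the MAC/IP tests; without
    # this rule the DROP policy kills every reply arriving on the uplink.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # One rule per client: must arrive on the LAN interface, leave via the
    # uplink, and carry both the expected source IP and source MAC.
    printf '%s\n' "$CLIENTS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$ip" \
            -m mac --mac-source "$mac" -j ACCEPT
    done

    # NAT only what actually leaves through the uplink; the filter table has
    # already decided who is allowed out, so a single MASQUERADE rule suffices.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

build_ruleset
```

Review the printed rules, then load them with `DRY_RUN=0 sh ruleset.sh` as root. Keep in mind that the MAC match is a convenience control rather than authentication, since an interface's MAC is software-settable; it stops the accidental address reuse Sorin describes, not a deliberate impersonation.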