* Dynamic Nat rules
@ 2005-01-19 14:49 Bracey Summers
  2005-01-21 15:16 ` Jorge Dávila
  2005-01-21 15:59 ` Jason Opperisano
  0 siblings, 2 replies; 3+ messages in thread
From: Bracey Summers @ 2005-01-19 14:49 UTC (permalink / raw)
  To: netfilter

I am new to iptables and need some guidance.  I have done a good bit
of reading over the past few days and have learned much.  With this
knowledge I have come up with a solution for my task, but am not
convinced that it is the most efficient approach.  I was hoping that I
could get some guidance from someone who is more knowledgeable.

My Setup:
Red Hat ES3
uname -r = 2.4.21-20.0.1.ELsmp
iptables -V = iptables v1.2.8
ip -V = ip utility, iproute2-ss010824

Dual NIC server
  eth1 - To Router (internet)
  eth0 - Internal public space IP range

The Task:
Block all traffic from the internal interface except port 80/443. 
Forward 80/443 to my web server which will have a rewrite rule.  The
user will then be shown a web page for authentication.  Once the user
is validated they will be granted outbound access for a specified time
period (on most ports).

For my test setup I did not have public IP space to play with so I
created a private network (192.168.0.0).  I then created the following
rule to get access to the external network.

MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to external_network

This is the part that I am not too sure about.

NAT - [One entry for each IP address]
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.2 -i eth0 -d 0/0 -m multiport --dports 80,443 -j DNAT --to my_web_server
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.3 -i eth0 -d 0/0 -m multiport --dports 80,443 -j DNAT --to my_web_server
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.4 -i eth0 -d 0/0 -m multiport --dports 80,443 -j DNAT --to my_web_server
...

This rule should forward all internal web/ssl traffic to my web
server.  I tested a command that was similar and it worked.

Now the problem –

If I had 500 internal IP addresses I would have to create a NAT for
each one of them.  Once the user authenticated I would have to remove
the NAT for that user's IP for a specified time period.  Then I would
have to create a filter to allow outbound access to the ports that I
wanted to allow for that IP.  After their time has expired I would
have to add the NAT back and delete the filter rule.  This seems like
it would work, but it is a lot of management.  I tried to just make
one NAT to forward any internal IP address on port 80/443 to my web
server and that worked until the user authenticated.  Once the user
was authenticated I had no way of getting around the NAT rule for
80/443.  If I understand what I have been reading correctly the NAT
PREROUTING rule is evaluated first.  Therefore there is no way for me
to allow an IP address in my internal network range to bypass this
rule.

Any guidance is appreciated.

-- 
Bracey Summers



* Re: Dynamic Nat rules
  2005-01-19 14:49 Dynamic Nat rules Bracey Summers
@ 2005-01-21 15:16 ` Jorge Dávila
  2005-01-21 15:59 ` Jason Opperisano
  1 sibling, 0 replies; 3+ messages in thread
From: Jorge Dávila @ 2005-01-21 15:16 UTC (permalink / raw)
  To: netfilter

My approach:

you can try:

MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to external_network

NAT - [One entry for the whole internal network]
iptables -t nat -A PREROUTING -p tcp -s $internal_network -i eth0 -d 0/0 -m multiport --dports 80,443 -j DNAT --to my_web_server

and if you activate squid in transparent proxy mode you can let squid
manage the time to access your web server with the ACLs ...

let me know if my approach solves your problem
On Wed, 19-01-2005 at 08:49 -0600, Bracey Summers wrote:
-- 
~=============================================~
Jorge Isaac Dávila López
-
Morales Bienes Raíces Co. Ltd.
Phone: (505) 2781816
Website: http://www.nicaraguarealestate.com
~=============================================~




* Re: Dynamic Nat rules
  2005-01-19 14:49 Dynamic Nat rules Bracey Summers
  2005-01-21 15:16 ` Jorge Dávila
@ 2005-01-21 15:59 ` Jason Opperisano
  1 sibling, 0 replies; 3+ messages in thread
From: Jason Opperisano @ 2005-01-21 15:59 UTC (permalink / raw)
  To: netfilter

On Wed, Jan 19, 2005 at 08:49:10AM -0600, Bracey Summers wrote:

create a custom chain to hold the authenticated IP addresses which is
evaluated first in the nat PREROUTING chain, and have the DNAT rule as
the second rule; i.e.,

  iptables -t nat -N authips

  iptables -t nat -A PREROUTING -p tcp -m mport --dports 80,443 \
    -j authips
  iptables -t nat -A PREROUTING -p tcp -m mport --dports 80,443 \
    -j DNAT --to my_web_server

now--add and remove your rules in the authips chain.  i will not argue
that this is efficient, but it works just fine for relatively small
numbers of IPs (<512 IMHO).

--
"Mmmm...free goo."
	--The Simpsons


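One way to automate the two-chain layout Jason describes, added here as example code and not something from the thread: a small Python helper that issues the iptables commands and tracks each grant's expiry so the exemption is removed when the time period ends. The `authfwd` filter chain, the interface names, the placeholder web server address and the `PortalNat` helper itself are my assumptions; the `run` callable can be swapped for a recorder to inspect the commands without touching a live ruleset.

```python
import subprocess
import time

WEB_SERVER = "192.0.2.10"        # placeholder for the poster's my_web_server
LAN_IF, WAN_IF = "eth0", "eth1"  # interfaces from the thread's setup
PORTAL_PORTS = ["-p", "tcp", "-m", "multiport", "--dports", "80,443"]


class PortalNat:
    """Hypothetical helper: keeps per-IP exemption rules and their expiry in sync."""
    def __init__(self, run=lambda argv: subprocess.run(argv, check=True), clock=time.time):
        self.run, self.clock = run, clock  # run really executes iptables unless swapped
        self.grants = {}  # ip -> expiry (unix time)

    def _ipt(self, *args, table=None):
        self.run(["iptables"] + (["-t", table] if table else []) + list(args))

    def install_base(self):
        # nat: the exemption chain is consulted before the catch-all DNAT
        self._ipt("-N", "authips", table="nat")
        self._ipt("-A", "PREROUTING", "-i", LAN_IF, *PORTAL_PORTS, "-j", "authips", table="nat")
        self._ipt("-A", "PREROUTING", "-i", LAN_IF, *PORTAL_PORTS, "-j", "DNAT", "--to-destination", WEB_SERVER, table="nat")
        # filter: portal always reachable, granted IPs pass via authfwd, the rest is dropped
        self._ipt("-N", "authfwd")
        self._ipt("-A", "FORWARD", "-m", "state", "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT")
        self._ipt("-A", "FORWARD", "-i", LAN_IF, "-d", WEB_SERVER, *PORTAL_PORTS, "-j", "ACCEPT")
        self._ipt("-A", "FORWARD", "-i", LAN_IF, "-o", WAN_IF, "-j", "authfwd")
        self._ipt("-A", "FORWARD", "-i", LAN_IF, "-o", WAN_IF, "-j", "DROP")

    def grant(self, ip, ttl):
        """Exempt ip from the DNAT and allow it outbound for ttl seconds."""
        renew = ip in self.grants
        self.grants[ip] = self.clock() + ttl
        if not renew:  # a renewal only moves the deadline; never add duplicate rules
            # ACCEPT in the nat table ends nat processing: new connections skip the DNAT (ones already mapped to the portal keep it until they close)
            self._ipt("-A", "authips", "-s", ip, "-j", "ACCEPT", table="nat")
            self._ipt("-A", "authfwd", "-s", ip, "-j", "ACCEPT")

    def revoke(self, ip):
        self.grants.pop(ip, None)
        self._ipt("-D", "authips", "-s", ip, "-j", "ACCEPT", table="nat")
        self._ipt("-D", "authfwd", "-s", ip, "-j", "ACCEPT")

    def expire(self):
        """Run periodically (e.g. from cron); returns the IPs whose grant lapsed."""
        now = self.clock()
        lapsed = [ip for ip, until in self.grants.items() if until <= now]
        for ip in lapsed:
            self.revoke(ip)
        return lapsed
```

Restricting grants to "most ports" rather than everything is a matter of adding `-p`/`--dports` matches to the `authfwd` rule in `grant`.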
