* Can iptables do this?
From: Wei Ming Long @ 2003-06-12 3:04 UTC
To: netfilter-devel, <Harald
Hi Everyone,
I have posted this question before but got no response, so I'm posting it
again, please pardon me if you have seen this before.
I have a wireless network with my linux machine as a gateway between the
internet & my internal wireless network. I have iptables running on the
gateway & also a dhcp server to serve out ip addresses to the client laptops.
I also run the Squid proxy server on the gateway to proxy http requests. I use
iptables to redirect http traffic to Squid and to do nat for the internal
network.
My question is this: what if a laptop with a preconfigured static ip address
comes into the internal network or worse, 2 client laptops with identical
preconfigured static ip addresses enter the network, can iptables do nat
based on mac address <--> public ip address mapping besides the usual private
ip address <--> public ip address mapping?
Please help. Thanks.
Best regards
Matthew
* Re: Can iptables do this?
From: J Webb @ 2003-06-12 4:05 UTC
To: netfilter-devel
That is more of a Mobile-IP type issue. A laptop with any old ip address
will not be able to talk to the rest of your network (or gateway)
properly unless it has an IP on that network. ARP, among other things,
will be completely broken. The laptops with the pre-configured static
IPs would have to set themselves to use your internal gateway, and
unless they are in the same network, they will have no route to that, or
any other, host. I believe IPTables can't help you here.
- Jon
Wei Ming Long wrote:
>Hi Everyone,
>I have posted this question before but got no response, so I'm posting it
>again, please pardon me if you have seen this before.
>I have a wireless network with my linux machine as a gateway between the
>internet & my internal wireless network. I have iptables running on the
>gateway & also a dhcp server to serve out ip addresses to the client laptops.
>I also run the Squid proxy server on the gateway to proxy http requests. I use
>iptables to redirect http traffic to Squid and to do nat for the internal
>network.
>My question is this: what if a laptop with a preconfigured static ip address
>comes into the internal network or worse, 2 client laptops with identical
>preconfigured static ip addresses enter into network, can iptables do nat
>based on mac address <--> public ip address mapping besides the usual private
>ip address <--> public ip address mapping?
>
>Please help. Thanks.
>
>Best regards
>Matthew
* Re: public ip on LAN
From: Amit Pasari @ 2004-01-02 17:19 UTC
To: netfilter
Thanks John,
Let me explain
on My LAN i have ip address - 172.16.1.1
subnet - 255.255.0.0
on My WAN i have ipaddress - 203.122.51.178
subnet - 255.255.255.240
Now, my clients want to have public / live IPs instead of the private IPs which
I am giving them, as many of my clients use web servers and other applications
which people from the outside world need to access.
I can redirect ports for one client, but how about 10 clients wanting the
same?
So I need to give them a public IP so that all the traffic can be
redirected to their IP.
Regards
Amit
At 09:54 PM 1/2/04, you wrote:
>On Fri, 2004-01-02 at 11:30, Amit Pasari wrote:
> > Hello,
> > I am using Redhat 8.0 with iptables to provide my client internet services
> > . Everything is going well .
> > i have been giving private ips of 172.16.0.0 series to my clients .
> > But now some of my clients need public ips . i do have many public ips
> with
> > me .so can somebody tell how can i give public ips to my clients .
> >
> > Thanks & Regards
> > Amit
> > Orangeinfoways.com
>
>Could you please clarify what you mean by giving ips to your clients?
>Thanks - John
>--
>John A. Sullivan III
>Chief Technology Officer
>Nexus Management
>+1 207-985-7880
>john.sullivan@nexusmgmt.com
>---
>If you are interested in helping to develop a GPL enterprise class
>VPN/Firewall/Security device management console, please visit
>http://iscs.sourceforge.net
* Re: public ip on LAN
From: Fabien LE BLEVEC @ 2004-01-02 17:27 UTC
Cc: netfilter
In the PREROUTING chain of the nat table, you would put, for example:
iptables -t nat -A PREROUTING -d 203.122.51.179 -j DNAT --to 172.16.1.2
iptables -t nat -A PREROUTING -d 203.122.51.180 -j DNAT --to 172.16.1.3
....
or, more precisely:
iptables -t nat -A PREROUTING -d 203.122.51.181 -p tcp --dport 80 -j DNAT --to 172.16.1.4
...
I think it should be correct for your configuration.
Don't forget to authorize the traffic in the FORWARD chain.
Fabien
Amit Pasari wrote:
> Thanks John,
> Let me explain
> on My LAN i have ip address - 172.16.1.1
> subnet - 255.255.0.0
> on My WAN i have ipaddress - 203.122.51.178
> subnet - 255.255.255.240
>
> Now , my clients want to have public / Live ip instead of private ips
> which i am giving as many of my clients uses webserver , and other
> applications which people from outside world needs to access .
> I can redirect ports for one clients but how about 10 clients wanting
> the same .
> So i need to give them a public ip so that all the traffic can be
> redirected their ip .
>
>
> Regards
> Amit
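The 1:1 mapping Fabien describes, worked out as a small generator script. This is an added example, not code from the thread or from the netfilter project. It assumes eth0 is the WAN interface and eth1 the LAN interface, that the FORWARD chain has a DROP policy, that the iptables build has the conntrack and multiport matches (older builds use -m state --state), and that the gateway actually answers for the public addresses (they are configured on eth0 or proxy ARP is enabled for them); the mapping table is constructed for the example. It prints the rules as a dry run instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: emit the iptables rules that give each
# internal host its own public address (1:1 NAT), as a dry run. Nothing is
# applied; the output can be reviewed and then piped to sh on the gateway.
# Assumptions: eth0 is the WAN interface, eth1 the LAN interface, the FORWARD
# chain has a DROP policy, and the gateway answers for the public addresses
# (they are configured on eth0 or proxy ARP is enabled for them).
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}

# Constructed mapping table: public address, private address, allowed TCP ports
# ("all" forwards every protocol and port to that host).
MAPPINGS='203.122.51.179 172.16.1.2 all
203.122.51.180 172.16.1.3 80,443
203.122.51.181 172.16.1.4 80'

# Rules for one mapping: inbound DNAT (matching on the *destination* public
# address), the matching FORWARD accept for new connections, and SNAT so the
# host's own outbound traffic leaves with its dedicated public address.
rules_for() {
  pub=$1; priv=$2; ports=$3
  if [ "$ports" = all ]; then
    echo "iptables -t nat -A PREROUTING -i $WAN -d $pub -j DNAT --to-destination $priv"
    echo "iptables -A FORWARD -i $WAN -o $LAN -d $priv -m conntrack --ctstate NEW -j ACCEPT"
  else
    echo "iptables -t nat -A PREROUTING -i $WAN -d $pub -p tcp -m multiport --dports $ports -j DNAT --to-destination $priv"
    echo "iptables -A FORWARD -i $WAN -o $LAN -d $priv -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
  fi
  echo "iptables -t nat -A POSTROUTING -o $WAN -s $priv -j SNAT --to-source $pub"
}

# Whole rule set: replies to existing connections first, then one group per mapping.
generate() {
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "$MAPPINGS" | while read -r pub priv ports; do
    [ -n "$pub" ] && rules_for "$pub" "$priv" "$ports"
  done
}

# Number of rules the generator produces (one per output line).
count_rules() { generate | wc -l | tr -d ' '; }

generate
```

Restricting the DNAT to the ports a host actually serves (the 80,443 rows) keeps the rest of that public address closed, while the "all" row exposes every port of the internal host exactly as if it sat on the public segment, so it should be used only for hosts that are hardened accordingly.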
* Re: public ip on LAN
From: Craig Steadman @ 2004-01-02 18:30 UTC
To: fleblevec; +Cc: Netfilter
The issue with redirecting web traffic using DNAT is that if
any of the web pages have absolute links then they fail to
work for clients connecting from the internet.
Does anyone know of an apache module that can be configured to
parse and change the anchors in a html page on the fly, for this
scenario ?
Craig.
On Sat, 2004-01-03 at 01:27, Fabien LE BLEVEC wrote:
> In the PREROUTING chain of the nat table, you would put, for example:
>
> iptables -t nat -A PREROUTING -d 203.122.51.179 -j DNAT --to 172.16.1.2
> iptables -t nat -A PREROUTING -d 203.122.51.180 -j DNAT --to 172.16.1.3
> ....
> or, more precisely:
> iptables -t nat -A PREROUTING -d 203.122.51.181 -p tcp --dport 80 -j DNAT --to 172.16.1.4
> ...
>
> I think it should be correct for your configuration.
>
> Don't forget to authorize the traffic in the FORWARD chain .
>
>
> Fabien
* Re: public ip on LAN
From: Michael Gale @ 2004-01-02 18:46 UTC
To: netfilter
Hello,
Can you provide an example? We have a web server behind the firewall. I am not sure what type of links our web master is using. But we have not had any problems.
We have links to other web servers that are outside of our network on the web site that work.
Michael.
On Sat, 03 Jan 2004 02:30:32 +0800
Craig Steadman <spinout@yakbox.shacknet.nu> wrote:
> The issue with redirecting web traffic using DNAT is that if
> any of the web pages have absolute links then they fail to
> work for clients connecting from the internet.
> Does anyone know of an apache module that can be configured to
> parse and change the anchors in a html page on the fly, for this
> scenario ?
>
> Craig.
--
Michael Gale
Network Administrator
Utilitran Corporation
* Can iptables do this ?
From: Ramoni @ 2004-01-02 19:07 UTC
To: netfilter
Hi,
can iptables do a temp rule ?
I mean, I need to create rules that will be deleted after x seconds or minutes.
The time module does not remove the rules as it is not supposed to do so.
Is there a module that I could say:
iptables -I FORWARD -s a.b.c.d -j DROP -m xxxxx --minutes 2
and the rule will be deleted after 2 minutes or something like that?
thanx
* Re: Can iptables do this ?
From: Antony Stone @ 2004-01-02 19:19 UTC
To: netfilter
On Friday 02 January 2004 7:07 pm, Ramoni wrote:
> Hi,
> can iptables do a temp rule ?
> I mean, I need to create rules that will be deleted after x seconds or
> minutes. The time module does not remove the rules as it is not supposed to
> do so. Is there a module that I could say:
> iptables -I FORWARD -s a.b.c.d -j DROP -m xxxxx --minutes 2
> and the rule will be deleted after 2 minutes or something like that?
No.
Use cron, at, or sleep.
Antony.
--
Your work is both good and original. Unfortunately the parts that are good
aren't original, and the parts that are original aren't good.
- Samuel Johnson
Please reply to the list;
please don't CC me.
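The approach Antony points to, worked out for Ramoni's temporary DROP rule: insert the rule now and let a detached sleep delete it later. This is an added example, not code from the thread or from the netfilter project. It assumes the comment match module is available, that nohup exists, and that the IPTABLES variable can be pointed at a stand-in binary for a dry run; the tag format and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: a DROP rule that removes itself after a
# delay, built from plain iptables plus sleep (or at), as Antony suggests.
# Assumptions: the comment match module is available, nohup exists, and
# IPTABLES can be pointed at a stand-in binary for dry runs (IPTABLES=true).
IPTABLES=${IPTABLES:-iptables}

# The rule specification shared by insert and delete. Tagging the rule with a
# unique comment lets us delete *this* rule by specification later; deleting
# by rule number would hit the wrong rule once others were inserted above it.
rule_spec() {
  printf 'FORWARD -s %s -m comment --comment %s -j DROP' "$1" "$2"
}

# add_temp_block ADDRESS SECONDS: insert the block now, schedule its removal,
# and print the tag so the caller can remove it early (iptables -D + rule_spec).
add_temp_block() {
  addr=$1; seconds=$2
  tag="tmpblock-$(date +%s)-$$"
  spec=$(rule_spec "$addr" "$tag")
  # Word splitting of $spec is intended: it is a list of iptables arguments.
  $IPTABLES -I $spec || return 1
  # The remover runs detached so it survives the shell that added the rule.
  # With at(1) installed, piping "$IPTABLES -D $spec" into "at now + 2 minutes"
  # does the same job and also survives a reboot-free logout.
  nohup sh -c "sleep $seconds && $IPTABLES -D $spec" >/dev/null 2>&1 &
  echo "$tag"
}

# Usage on a gateway: add_temp_block 10.0.0.5 120   (block 10.0.0.5 for 2 min)
if [ -n "${1:-}" ]; then
  add_temp_block "$1" "${2:-120}"
fi
```

Because the delete uses the full specification including the unique comment, it is safe even if the same address was blocked twice or other rules were inserted in the meantime; a delete by rule number would carry neither guarantee. Note that a dropped rule is not the same as a dropped connection: conntrack entries for an already established flow from that address are unaffected unless the rule sits above the ESTABLISHED accept.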
* Re: Can iptables do this?
From: Wei Ming Long @ 2003-06-12 7:33 UTC
To: jon_webb, netfilter-devel
Correct me if I'm wrong, when the laptop with the preconfigured static ip
comes into the network, it will do an arp broadcast to find the mac address of
its gateway, so can iptables capture this arp packet (at the same time reply
to this arp request), extract the mac address and keep this in a table so that
the next time this same laptop sends a http request packet out onto the
network, the mac address in the packet header is extracted & mapped to the
private ip address before resending this same http request packet out into the
internet cloud. When the http reply packet comes back, iptables will look up
the mac address <--> private ip table and then send this reply packet back to
the laptop.
Is this all possible? Or is it possible to add code to netfilter to achieve
this? I'm prepared to write code for netfilter to do this if not already
possible but just want to make sure that this feature or functionality is not
already present so that I don't have to do a redundant job.
Thanks
Matthew
>>> J Webb <jon_webb@binary-one.com> 06/12/03 12:05PM >>>
That is more of a Mobile-IP type issue. A laptop with any old ip address
will not be able to talk to the rest of your network (or gateway)
properly unless it has an IP on that network. ARP, among other things,
will be completely broken. The laptops with the pre-configured static
IP's would have to set themselves to use your internal gateway, and
unless they are in the same network, they will have no route to that, or
any other, host. I believe IPTables can't help you here.
- Jon
* Re: Can iptables do this?
From: Harald Welte @ 2003-06-13 15:17 UTC
To: Wei Ming Long; +Cc: jon_webb, netfilter-devel
On Thu, Jun 12, 2003 at 03:33:45PM +0800, Wei Ming Long wrote:
> Correct me if I'm wrong, when the laptop with the preconfigured static ip
> comes into the network, it will do an arp broadcast to find the mac address of
> its gateway, so can iptables capture this arp packet (at the same time reply
> to this arp request),
iptables is called 'ip'tables, because it deals with IP packets. So
iptables will never see any arp packets.
> extract the mac address and keep this in a table so that the next time
> this same laptop sends a http request packet out onto the
> network, the mac address in the packet header is extracted & mapped to the
> private ip address before resending this same http request packet out into the
> internet cloud.
yes, but this is a totally ugly layering violation. And connection
tracking doesn't care about mac addresses, but about IP addresses.
Apart from that, it starts with broadcasts... the client will make
assumptions about the broadcast address of that network segment that
aren't true. You will somehow need to convince the IP stack of your
gateway to reply to all linklayer ARP broadcasts, not just Arp requests
with the correct bcast address of that segment.
And don't even start to think about multicasting in that case...
> When the http reply packet comes back, iptables will look up
> the mac address <--> private ip table and then send this reply packet back to
> the laptop.
>
> Is this all possible? Or is it possible to add code to netfilter to achieve
> this? I'm prepared to write code for netfilter to do this if not already
> possible but just want to make sure that this feature or functionality is not
> already present so that I don't have to do a redundant job.
No, this has not been implemented yet, and I don't think that we want to
have such functionality in the official kernel. Feel free to write it
as a netfilter module, though :)
> Thanks
> Matthew
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
* Can iptables do this?
From: eduardg @ 2002-05-20 10:23 UTC
To: netfilter
Hi,
I want to build a network that allows http navigation to any host that is
plugged on it, without any change to its configuration.
For example my network is 1.2.3.0 and I want a host with an IP address
10.9.8.7 to be able to navigate. First of all, the host will send an arp request to find the
MAC of its DNS server (I'll have to redirect it to my DNS), then it will look
for its default gateway, etc (I can't work with mobile IP nor change any host
configuration).
Not every host is allowed to do this, only hosts with known MACs.
Has anybody implemented a solution for a similar challenge? Any idea?
Thank you in advance.
Edu