From: Philip Craig <philipc@snapgear.com>
To: Glen Becker <solar04@comcast.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: Dynamic redirection?
Date: Thu, 26 Feb 2004 18:32:44 +1000
Message-ID: <403DAF2C.1090303@snapgear.com>
In-Reply-To: <1077774151.3036.78.camel@merlin>

Glen Becker wrote:
> Is there a way to "redirect" web connections only if the packet hasn't
> already been ACCEPTed for forwarding?

Since DNAT is performed in PREROUTING, which comes before FORWARD,
it is impossible to base the DNAT decision off whether the packet is
accepted in FORWARD.

You need to duplicate your authentication rules in the nat table.

> For example:
> Host 192.168.2.128 is authenticated and should be allowed any internet
> connections.  http requests from all other internal hosts are sent to
> the local web server:
> 
> -P FORWARD DROP
> -A FORWARD -p udp --dport 53 -j ACCEPT
> -A FORWARD -p udp --sport 53 -j ACCEPT
> -A FORWARD -s 192.168.2.128 -p ALL -j ACCEPT
> -A FORWARD -d 192.168.2.128 -p ALL -j ACCEPT
> -A [something really smart like DNAT but only if the packet traverses
> this far]

Use these rules:

-t nat -A PREROUTING -s 192.168.2.128 -j ACCEPT
-t nat -A PREROUTING -d 192.168.2.128 -j ACCEPT
-t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.2.1
-P FORWARD DROP
-A FORWARD -p udp --dport 53 -j ACCEPT
-A FORWARD -p udp --sport 53 -j ACCEPT
-A FORWARD -s 192.168.2.128 -p ALL -j ACCEPT
-A FORWARD -d 192.168.2.128 -p ALL -j ACCEPT

If you don't like duplicating the rules like that, then you could
set marks in mangle PREROUTING and base both the nat and filter rules
off the mark.  Or you could patch your kernel to use ippool or ipset,
then you wouldn't need to dynamically add rules at all, you just
have one rule each in nat and filter referring to the pool/set.

-- 
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
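The mark-based variant Philip mentions (mark in mangle PREROUTING, then let both the nat and filter rules test the mark so the list of authenticated hosts lives in one place) is shown below as an added example; it is not code from the thread or from SnapGear. It generates an iptables-restore ruleset rather than calling iptables directly, so it can be reviewed before loading and loads all three tables atomically. Assumptions not in the thread: the function name gen_ruleset, the fwmark value 1, and the use of CONNMARK to save and restore the mark, which is added so that reply packets of an authenticated host's connections carry the mark as well even after NAT rewrites their addresses (mangle PREROUTING runs before the nat hooks, so a plain `-d host` match would not see the de-NATed destination there).

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset for the "mark once, match
# twice" approach. Not the thread's own rules; names and the mark value are
# assumptions chosen for illustration.
#
# gen_ruleset "HOST [HOST...]" LAN_IF PORTAL_IP
#   HOST       authenticated internal hosts (space separated)
#   LAN_IF     internal interface the LAN hosts arrive on (eth1 in the thread)
#   PORTAL_IP  local web server that unauthenticated HTTP is sent to
gen_ruleset() {
    hosts="$1"
    lan_if="$2"
    portal_ip="$3"
    auth_mark=1   # hypothetical fwmark value meaning "authenticated"

    # --- mangle: the only place the host list appears ---------------------
    # Only the chains used here are declared; iptables-restore flushes each
    # table it loads, so merge this with existing rules before loading.
    echo "*mangle"
    echo ":PREROUTING ACCEPT [0:0]"
    # Packets of an already-marked connection (including replies from the
    # internet, whose destination is still the router's address at this hook)
    # get the connection mark copied back onto the packet.
    echo "-A PREROUTING -j CONNMARK --restore-mark"
    for h in $hosts; do
        echo "-A PREROUTING -i $lan_if -s $h -j MARK --set-mark $auth_mark"
    done
    # Persist the packet mark on the conntrack entry for later packets.
    echo "-A PREROUTING -j CONNMARK --save-mark"
    echo "COMMIT"

    # --- nat: marked traffic skips the redirect --------------------------
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo "-A PREROUTING -m mark --mark $auth_mark -j ACCEPT"
    # Everyone else on the LAN has HTTP sent to the local web server. The
    # -i match keeps the DNAT from ever applying to traffic from other sides.
    echo "-A PREROUTING -i $lan_if -p tcp --dport 80 -j DNAT --to-destination $portal_ip"
    echo "COMMIT"

    # --- filter: same mark decides forwarding ----------------------------
    echo "*filter"
    echo ":FORWARD DROP [0:0]"
    echo "-A FORWARD -p udp --dport 53 -j ACCEPT"
    echo "-A FORWARD -p udp --sport 53 -j ACCEPT"
    echo "-A FORWARD -m mark --mark $auth_mark -j ACCEPT"
    echo "COMMIT"
}

# Stand-alone use with the thread's example host; load with
#   sh this_script.sh | iptables-restore
gen_ruleset "192.168.2.128" eth1 192.168.2.1
```

Adding or revoking a host then means changing a single MARK rule in mangle PREROUTING; the nat and filter chains never need to be touched. Note that, unlike the original rule set, inbound connections to an authenticated host are not accepted by this example unless they belong to a connection that host started.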
