* Dynamic redirection?
From: Glen Becker @ 2004-02-26 5:42 UTC (permalink / raw)
To: netfilter
Hello, I haven't been lurking here long but have tried the FAQs,
tutorials and How-To's. I'm an iptables novice. I thought this would
be simple; I hope I'm overlooking something obvious.
I have a Linux server acting as a gateway between the internet and the
internal network, allowing only authenticated hosts internet access. I
have a simple FORWARD (policy DROP) ruleset into which individual hosts,
after authentication, are inserted and allowed internet access. As each
host's session time expires, the corresponding ACCEPT rule is removed
from FORWARD. That all works well.
Now I would like to do something like DNAT for http connections from
NON-authenticated hosts to a webserver on my gateway box, but still let
authenticated hosts through.
-t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.2.1
unfortunately catches everything.
Is there a way to "redirect" web connections only if the packet hasn't
already been ACCEPTed for forwarding?
For example:
Host 192.168.2.128 is authenticated and should be allowed any internet
connections. http requests from all other internal hosts are sent to
the local web server:
-P FORWARD DROP
-A FORWARD -p udp --dport 53 -j ACCEPT
-A FORWARD -p udp --sport 53 -j ACCEPT
-A FORWARD -s 192.168.2.128 -p ALL -j ACCEPT
-A FORWARD -d 192.168.2.128 -p ALL -j ACCEPT
-A [something really smart like DNAT but only if the packet traverses
this far]
Thanks
-Glen
* RE: Dynamic redirection?
From: Daniel Chemko @ 2004-02-26 8:00 UTC (permalink / raw)
To: Glen Becker, netfilter
Glen Becker wrote:
> Hello, I haven't been lurking here long but have tried the FAQs,
> tutorials and How-To's. I'm an iptables novice. I thought this
> would be simple; I hope I'm overlooking something obvious.
>
> I have a Linux server acting as a gateway between the internet and
> the internal network, allowing only authenticated hosts internet
> access. I have a simple FORWARD (policy DROP) ruleset into which
> individual hosts, after authentication, are inserted and allowed
> internet access. As each host's session time expires, the
> corresponding ACCEPT rule is removed from FORWARD. That all works
> well.
No, there isn't. The closest match to this requirement currently is a
hack to pam_iptables, or else you could scrap Linux and use checkpoint
which has it. Maybe authentication could be through a web page, but you'd
have to code all the logic yourself.
> Now I would like to do something like DNAT for http connections from
> NON-authenticated hosts to a webserver on my gateway box, but still
> let authenticated hosts through.
>
> -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
> 192.168.2.1 unfortunately catches everything.
>
> Is there a way to "redirect" web connections only if the packet
> hasn't already been ACCEPTed for forwarding?
>
With the pam_iptables module today, the program would simply add (-A) a
single rule to the FORWARD chain. You would have to change it to insert
(-I) the rule at the beginning of the chain. If you need to DNAT traffic
as well, that all has to be hacked into the pam module, or you write some
scripting extensibility into it.
When you are building your chains, you'll have a catch-all rule for the
default redirect, and since all user auth rules are getting pushed to the
front of the chain list, they will always be executed before the generic
rule, just as you want here.
* Re: Dynamic redirection?
From: Philip Craig @ 2004-02-26 8:32 UTC (permalink / raw)
To: Glen Becker; +Cc: netfilter
Glen Becker wrote:
> Is there a way to "redirect" web connections only if the packet hasn't
> already been ACCEPTed for forwarding?
Since DNAT is performed in PREROUTING, which comes before FORWARD,
it is impossible to base the DNAT decision off whether the packet is
accepted in FORWARD.
You need to duplicate your authentication rules in the nat table.
> For example:
> Host 192.168.2.128 is authenticated and should be allowed any internet
> connections. http requests from all other internal hosts are sent to
> the local web server:
>
> -P FORWARD DROP
> -A FORWARD -p udp --dport 53 -j ACCEPT
> -A FORWARD -p udp --sport 53 -j ACCEPT
> -A FORWARD -s 192.168.2.128 -p ALL -j ACCEPT
> -A FORWARD -d 192.168.2.128 -p ALL -j ACCEPT
> -A [something really smart like DNAT but only if the packet traverses
> this far]
Use these rules:
-t nat -A PREROUTING -s 192.168.2.128 -j ACCEPT
-t nat -A PREROUTING -d 192.168.2.128 -j ACCEPT
-t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.2.1
-P FORWARD DROP
-A FORWARD -p udp --dport 53 -j ACCEPT
-A FORWARD -p udp --sport 53 -j ACCEPT
-A FORWARD -s 192.168.2.128 -p ALL -j ACCEPT
-A FORWARD -d 192.168.2.128 -p ALL -j ACCEPT
If you don't like duplicating the rules like that, then you could
set marks in mangle PREROUTING and base both the nat and filter rules
off the mark. Or you could patch your kernel to use ippool or ipset,
then you wouldn't need to dynamically add rules at all, you just
have one rule each in nat and filter referring to the pool/set.
--
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
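The rule-duplication approach from Philip's reply, as an added shell example that is not part of the thread: a host's bypass is inserted (-I) at the head of both nat PREROUTING and filter FORWARD on authentication, and deleted again when the session expires, while the catch-all DNAT stays at the end of nat PREROUTING. The LAN interface, portal address and host are the thread's values; the script defaults IPTABLES to a dry run ("echo iptables") so it can be read and tested without root, which is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread): captive-portal style gateway where
# authenticated hosts get bypass rules in BOTH the nat PREROUTING chain and
# the filter FORWARD chain, since DNAT is decided before FORWARD is reached.
# Assumptions: LAN on eth1, portal web server at 192.168.2.1 (both from the
# thread); IPTABLES defaults to a dry-run echo. Set IPTABLES=iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"
LAN_IF=eth1
PORTAL=192.168.2.1

# One-time base ruleset: the catch-all DNAT is APPENDED so it stays last in
# nat PREROUTING; FORWARD drops by default and only lets DNS through.
gateway_base() {
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j DNAT --to "$PORTAL"
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -p udp --sport 53 -j ACCEPT
}

# Authenticate a host: INSERT (-I) at position 1 so the bypass is evaluated
# before the catch-all DNAT; ACCEPT in nat PREROUTING ends that chain's
# traversal, and the same host is then accepted in FORWARD.
gateway_auth() {
    host="$1"
    $IPTABLES -t nat -I PREROUTING 1 -s "$host" -j ACCEPT
    $IPTABLES -t nat -I PREROUTING 1 -d "$host" -j ACCEPT
    $IPTABLES -I FORWARD 1 -s "$host" -j ACCEPT
    $IPTABLES -I FORWARD 1 -d "$host" -j ACCEPT
}

# Session expiry: delete (-D) exactly the rules added above, in both tables.
# Caveat: connections already tracked by conntrack keep the NAT decision made
# on their first packet until they end; this script does not flush them.
gateway_deauth() {
    host="$1"
    $IPTABLES -t nat -D PREROUTING -s "$host" -j ACCEPT
    $IPTABLES -t nat -D PREROUTING -d "$host" -j ACCEPT
    $IPTABLES -D FORWARD -s "$host" -j ACCEPT
    $IPTABLES -D FORWARD -d "$host" -j ACCEPT
}
```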
* Re: Dynamic redirection?
From: Jeroen Vriesman @ 2004-02-26 9:25 UTC (permalink / raw)
To: netfilter
Hi,
Duplicate your forwarding rules to the mangle PREROUTING table, but instead of -j ACCEPT, do a -j MARK --set-mark 1.
After that, do a NAT with "-m mark ! mark 1".
Should work.
Cheers,
Jeroen.
On 26 Feb 2004 00:42:31 -0500
Glen Becker <solar04@comcast.net> wrote:
> Hello, I haven't been lurking here long but have tried the FAQs,
> tutorials and How-To's. I'm an iptables novice. I thought this would
> be simple; I hope I'm overlooking something obvious.
>
> I have a Linux server acting as a gateway between the internet and the
> internal network, allowing only authenticated hosts internet access. I
> have a simple FORWARD (policy DROP) ruleset into which individual hosts,
> after authentication, are inserted and allowed internet access. As each
> host's session time expires, the corresponding ACCEPT rule is removed
> from FORWARD. That all works well.
>
> Now I would like to do something like DNAT for http connections from
> NON-authenticated hosts to a webserver on my gateway box, but still let
> authenticated hosts through.
>
> -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.2.1
> unfortunately catches everything.
>
> Is there a way to "redirect" web connections only if the packet hasn't
> already been ACCEPTed for forwarding?
>
> For example:
> Host 192.168.2.128 is authenticated and should be allowed any internet
> connections. http requests from all other internal hosts are sent to
> the local web server:
>
> -P FORWARD DROP
> -A FORWARD -p udp --dport 53 -j ACCEPT
> -A FORWARD -p udp --sport 53 -j ACCEPT
> -A FORWARD -s 192.168.2.128 -p ALL -j ACCEPT
> -A FORWARD -d 192.168.2.128 -p ALL -j ACCEPT
> -A [something really smart like DNAT but only if the packet traverses
> this far]
>
> Thanks
>
> -Glen
>
>
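The mark-based variant that Jeroen's reply and the end of Philip's reply describe, as an added shell example that is not part of the thread: authenticated hosts are marked once in mangle PREROUTING, and the nat and filter rules test the mark instead of each carrying its own copy of the host list. Values (eth1, 192.168.2.1, mark 1) come from the thread; the dry-run IPTABLES default and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): mark-based gateway. mangle PREROUTING
# runs before nat PREROUTING and before FORWARD, so a mark set there is seen
# by both; the per-host state lives only in mangle.
# Assumptions: LAN on eth1, portal at 192.168.2.1 (from the thread); IPTABLES
# defaults to a dry-run echo. Set IPTABLES=iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"
LAN_IF=eth1
PORTAL=192.168.2.1
AUTH_MARK=1

# Static part, built once. The DNAT only matches UNMARKED packets; the
# iptables spelling of that match is "-m mark ! --mark N". FORWARD accepts
# anything marked, so both tables follow the same per-host decision.
mark_base() {
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -m mark ! --mark "$AUTH_MARK" -j DNAT --to "$PORTAL"
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -p udp --sport 53 -j ACCEPT
    $IPTABLES -A FORWARD -m mark --mark "$AUTH_MARK" -j ACCEPT
}

# Per-host part: one MARK rule per direction in mangle PREROUTING. Order
# does not matter here, so plain -A is enough.
mark_auth() {
    $IPTABLES -t mangle -A PREROUTING -s "$1" -j MARK --set-mark "$AUTH_MARK"
    $IPTABLES -t mangle -A PREROUTING -d "$1" -j MARK --set-mark "$AUTH_MARK"
}

# Session expiry: delete the two mangle rules; nat and filter need no change.
mark_deauth() {
    $IPTABLES -t mangle -D PREROUTING -s "$1" -j MARK --set-mark "$AUTH_MARK"
    $IPTABLES -t mangle -D PREROUTING -d "$1" -j MARK --set-mark "$AUTH_MARK"
}
```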
* Re: Dynamic redirection?
From: Glen Becker @ 2004-02-26 15:24 UTC (permalink / raw)
To: netfilter
Craig, thanks! That works great for now; "simple is good". If time
permits later I would like to experiment with your and Jeroen's
suggestion of marking.
-Glen
On Thu, 2004-02-26 at 03:32, Philip Craig wrote:
> Use these rules:
>
> -t nat -A PREROUTING -s 192.168.2.128 -j ACCEPT
> -t nat -A PREROUTING -d 192.168.2.128 -j ACCEPT
> -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.2.1
> -P FORWARD DROP
> -A FORWARD -p udp --dport 53 -j ACCEPT
> -A FORWARD -p udp --sport 53 -j ACCEPT
> -A FORWARD -s 192.168.2.128 -p ALL -j ACCEPT
> -A FORWARD -d 192.168.2.128 -p ALL -j ACCEPT
>
> If you don't like duplicating the rules like that, then you could
> set marks in mangle PREROUTING and base both the nat and filter rules
> off the mark. Or you could patch your kernel to use ippool or ipset,
> then you wouldn't need to dynamically add rules at all, you just
> have one rule each in nat and filter referring to the pool/set.