* DNAT and promiscuous mode
@ 2004-04-26 17:03 Travis Johnson
  2004-04-26 17:30 ` Cedric Blancher
  0 siblings, 1 reply; 5+ messages in thread
From: Travis Johnson @ 2004-04-26 17:03 UTC (permalink / raw)
  To: netfilter

Hi,

Is it possible to use DNAT on an interface that only runs in promiscuous 
mode to redirect web traffic to a different IP address?

Traffic does not pass thru the firewall, only a single ethernet 
interface in promiscuous mode.

Thanks,

Travis
Microserv



* Re: DNAT and promiscuous mode
  2004-04-26 17:03 DNAT and promiscuous mode Travis Johnson
@ 2004-04-26 17:30 ` Cedric Blancher
       [not found]   ` <408D4875.2030407@ida.net>
  0 siblings, 1 reply; 5+ messages in thread
From: Cedric Blancher @ 2004-04-26 17:30 UTC (permalink / raw)
  To: Travis Johnson; +Cc: netfilter

On Mon 26/04/2004 at 19:03, Travis Johnson wrote:
> Is it possible to use DNAT on an interface that only runs in promiscuous 
> mode to redirect web traffic to a different IP address?
> Traffic does not pass thru the firewall, only a single ethernet 
> interface in promiscuous mode.

Yes, you can handle traffic with a promisc interface just the way you
handle it with a normal one as long as it is destined to its MAC
address.

But you may describe your setting and your goal a bit more, for I don't
really understand the purpose of promisc there.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



* Re: DNAT and promiscuous mode
       [not found]   ` <408D4875.2030407@ida.net>
@ 2004-04-26 17:43     ` Cedric Blancher
       [not found]       ` <408D4BA2.4030901@ida.net>
  2004-04-26 20:27       ` Dick St.Peters
  0 siblings, 2 replies; 5+ messages in thread
From: Cedric Blancher @ 2004-04-26 17:43 UTC (permalink / raw)
  To: Travis Johnson; +Cc: netfilter

On Mon 26/04/2004 at 19:35, Travis Johnson wrote:
> The traffic would not be destined to that MAC address, it would simply
> be going past this machine.

Do you mean this machine is a bridge?

> I am looking to re-direct my customers that are past due to a
> different web page.

Then transparent proxying is what you need, and it does not require
promiscuous mode.


PS: you should reply to the list (at least Cc it)




* Re: DNAT and promiscuous mode
       [not found]       ` <408D4BA2.4030901@ida.net>
@ 2004-04-26 18:02         ` Cedric Blancher
  0 siblings, 0 replies; 5+ messages in thread
From: Cedric Blancher @ 2004-04-26 18:02 UTC (permalink / raw)
  To: netfilter

On Mon 26/04/2004 at 19:49, Travis Johnson wrote:
> No, this machine is not a bridge. It will simply sit and watch the
> traffic go by.

You can't do that this way, for you will duplicate traffic, as original
packets will continue their journey to their original destination. You
have to _intercept_ it.

This kind of setting is OK:

	Internet ----- FW ------ DMZ
			|
			|
			`--- Alt.Web

On the firewall, you set up mark-based routing for HTTP packets to
Alt.Web (see the lartc.org cookbook).
On Alt.Web, you set up a REDIRECT NAT for HTTP packets to the proxy port
(e.g. 3128):

	iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT \
		--to-ports 3128

The HTTP proxy has to be configured for transparent proxying (see the
Squid docs).

If you want the interception to be more "transparent", you can use a
bridge and the ebtables broute table or a frame diverter in order to
catch HTTP packets on the fly.





* Re: DNAT and promiscuous mode
  2004-04-26 17:43     ` Cedric Blancher
       [not found]       ` <408D4BA2.4030901@ida.net>
@ 2004-04-26 20:27       ` Dick St.Peters
  1 sibling, 0 replies; 5+ messages in thread
From: Dick St.Peters @ 2004-04-26 20:27 UTC (permalink / raw)
  To: netfilter

Cedric Blancher writes:
> On Mon 26/04/2004 at 19:35, Travis Johnson wrote:
> > I am looking to re-direct my customers that are past due to a
> > different web page.
> 
> Then transparent proxying is what you need and do not require
> promiscuous mode.

If the context is local users (such as dialup customers) accessing the
internet, it's not necessary to run a proxy to divert them to a
different web page.  I do this with a combination of policy routing
and DNAT.

First, set aside a small block of IP addresses to be assigned only to
overdue customers.  RADIUS does this easily.  Then route all web
queries from these addresses to the overdue site using policy routing.
I do this in a Cisco because it's there, but most any modern router,
including a Linux box, will do.  Then on the overdue site box, DNAT
all packets from those sources to the IP address and port of the
overdue site.

This works like a charm and completely ignores traffic to/from other
users.

--
Dick St.Peters, stpeters@NetHeaven.com 
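Added example (not from either poster): the two-box interception described in Cedric's message (mark-based policy routing on the firewall, REDIRECT to a transparent proxy on Alt.Web) next to Dick's variant (a dedicated overdue address block, policy routing, then DNAT straight to the overdue site), as one dry-run shell script. The address block 10.99.0.0/24, the Alt.Web address 192.0.2.10, fwmark 1 and routing table 100 are constructed values; run with APPLY=1 as root to execute the commands instead of printing them.

```shell
#!/bin/sh
# Constructed values (assumptions, not from the thread):
OVERDUE_NET=10.99.0.0/24   # block assigned only to overdue customers
ALTWEB=192.0.2.10          # the Alt.Web / overdue-site box
PROXY_PORT=3128            # transparent proxy port on Alt.Web
MARK=1                     # fwmark used for policy routing
TABLE=100                  # routing table for marked packets

# Execute when APPLY=1, otherwise print the command (dry run).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Firewall side: mark HTTP coming from the overdue block and route marked
# packets to Alt.Web (Cedric's mark-based routing, with Dick's source
# selection so that other users' traffic is never touched).
fw_rules() {
  run iptables -t mangle -A PREROUTING -s "$OVERDUE_NET" -p tcp --dport 80 \
      -j MARK --set-mark "$MARK"
  run ip rule add fwmark "$MARK" table "$TABLE"
  run ip route add default via "$ALTWEB" table "$TABLE"
}

# Alt.Web side, Cedric's variant: hand intercepted HTTP to a transparent
# proxy on this box (the proxy itself must be configured for that).
altweb_redirect_rules() {
  run iptables -t nat -A PREROUTING -s "$OVERDUE_NET" -p tcp --dport 80 \
      -j REDIRECT --to-ports "$PROXY_PORT"
}

# Alt.Web side, Dick's variant: no proxy, DNAT to the overdue site's
# own IP and port so the local web server answers every request.
altweb_dnat_rules() {
  run iptables -t nat -A PREROUTING -s "$OVERDUE_NET" -p tcp --dport 80 \
      -j DNAT --to-destination "$ALTWEB:80"
}

# Dry-run sanity check: every iptables rule a function emits must carry
# the source restriction; returns non-zero if one is unscoped.
check_scoped() { ! "$1" | grep iptables | grep -qv -- "-s $OVERDUE_NET"; }
```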


