* Iptables and arpd. Any help is appreciated.
From: Jeffrey B. Murphy @ 2005-03-31 18:42 UTC
To: netfilter

I sent this to the honeypots list, but got no takers. I am hoping someone can help me understand what is going on. I am using a product named arpd (it can be found on the honeyd page: http://www.citi.umich.edu/u/provos/honeyd/).
* Access control script for Public Library
From: mark @ 2005-03-31 20:37 UTC
To: netfilter

Hello -

I am a complete iptables newbie who is trying to re-write a wireless hotspot script that I found on the net to control internet access for our library patrons.

I found the script at:

http://www.feedface.com/folkert/study/hotspot/src/firewall.sh.txt

I am trying to re-write it so that I can use squid and dansguardian to proxy and filter the web. I need it to transparently proxy. I have a system set up now that uses squid to grant or deny access, but it can only block web access; my need is for a firewall that can block all network access so that a given PC can't chat or play online games as well as surf the net after time has run out.

The script, as far as I have gotten, works well. When I fire it up, my test PC can't go anywhere except the sign up page (which it is redirected to no matter what), and when I add the PC to the access list (by typing firewall.sh add <ip> <mac>), that PC is able to surf.

My problem comes in when I try to do the transparent proxy part. When I try to add the rule:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

to the script, it does not work, and dansguardian will not even start. I have played around with various permutations of this rule, and have gotten nowhere.

Can anybody help?

Thanks -

Mark Ehle
=======
Following is the script (firewall.sh) as far as I have it:

#!/bin/bash

###############################################################################
# name: firewall.sh
# author: Mark Ehle
# date: 03-30-05
# with much thanks given to Folkert Saathoff at http://www.feedface.com/folkert
###############################################################################

#===========================
# variables
#===========================

# command-line arguments
COMMAND=$0
ACTION=$1
IP=$2
MAC=$3

# program locations
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
DEPMOD=/sbin/depmod

# Local Network variables
LAN_GW="10.0.0.1"
LAN_NET="10.0.0.0/8"
LAN_INT="eth1"

# External network variables
EXT_INT_IP="<insert external interface ip here>"
EXT_INT="eth0"

#Name Server IP
NS="insert Name server ip here"

#===========================
# subroutines
#===========================
load_modules() {
    $DEPMOD -a
    # unquoted list: one modprobe per module, not one call with the whole string
    for module in ip_conntrack ip_tables iptable_filter iptable_mangle \
                  iptable_nat ipt_LOG ipt_limit ipt_MASQUERADE; do
        $MODPROBE $module
    done
    return
}

start_ip_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    return
}

show_usage()
{
    echo "usage:"
    echo "$COMMAND reset"
    echo "$COMMAND add IP MAC"
    echo "$COMMAND del IP MAC"
    exit 1;
}

fferror()
{
    echo "^_^'"
    echo "error setting netfilter: $ACTION"
    exit 1
}

flush_tables() {
    # flush rules (-F), delete user chains (-X) and zero counters (-Z) in every table
    for TABLE in filter nat mangle; do
        for SWITCH in F X Z; do
            $IPTABLES -t $TABLE -$SWITCH
        done
    done
    return
}

create_new_chains() {
    #filter chain for accepting authenticated clients
    $IPTABLES -t filter -N fclient
    #nat chain for not rerouting authenticated clients
    $IPTABLES -t nat -N dclient
    #nat chain for routing from authenticated clients
    $IPTABLES -t nat -N sclient

    #default filter policy is DROP
    $IPTABLES -t filter -P INPUT DROP
    $IPTABLES -t filter -P OUTPUT DROP
    $IPTABLES -t filter -P FORWARD DROP

    return
}

reset_firewall() {

    load_modules
    start_ip_forwarding
    flush_tables
    create_new_chains

    #allow all local traffic
    $IPTABLES -t filter -A INPUT -i lo0 -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o lo0 -j ACCEPT

    #allow all icmp traffic self<->lan
    $IPTABLES -t filter -A INPUT -i $LAN_INT -s $LAN_NET -d $LAN_GW -p icmp -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o $LAN_INT -s $LAN_GW -d $LAN_NET -p icmp -j ACCEPT

    #allow all icmp traffic self<->inet
    $IPTABLES -t filter -A INPUT -i $EXT_INT -d $EXT_INT_IP -p icmp -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o $EXT_INT -s $EXT_INT_IP -p icmp -j ACCEPT

    #allow dhcp traffic self<->lan
    $IPTABLES -t filter -A INPUT -i $LAN_INT -s 0.0.0.0/0 -d 255.255.255.255 -p udp --dport 67:68 -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o $LAN_INT -s $LAN_GW -d $LAN_NET -p udp --sport 67:68 -j ACCEPT

    #allow all web traffic self<->lan
    for PORT in 80 443; do
        $IPTABLES -t filter -A INPUT -i $LAN_INT -s $LAN_NET -d $LAN_GW -p tcp --dport $PORT -j ACCEPT
        $IPTABLES -t filter -A OUTPUT -o $LAN_INT -s $LAN_GW -d $LAN_NET -p tcp --sport $PORT -j ACCEPT
    done

    #allow all ssh and smb traffic to/from self
    for PORT in 22 139; do
        $IPTABLES -t filter -A INPUT -p tcp --dport $PORT -j ACCEPT
        $IPTABLES -t filter -A OUTPUT -p tcp --sport $PORT -j ACCEPT
    done

    # allow dns
    $IPTABLES -t filter -A OUTPUT -o $EXT_INT -s $EXT_INT_IP -d $NS -p udp --dport 53 -j ACCEPT
    $IPTABLES -t filter -A INPUT -i $EXT_INT -s $NS -d $EXT_INT_IP -p udp --sport 53 -j ACCEPT
    $IPTABLES -t filter -A FORWARD -i $LAN_INT -o $EXT_INT -s $LAN_NET -d $NS -p udp --dport 53 -j ACCEPT
    $IPTABLES -t filter -A FORWARD -i $EXT_INT -o $LAN_INT -s $NS -d $LAN_NET -p udp --sport 53 -j ACCEPT

    #enable source network address translation for dns
    $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -p udp --dport 53 -d $NS -o $EXT_INT -j SNAT --to $EXT_INT_IP

    #check for allowed clients -> inet
    $IPTABLES -t filter -A FORWARD -i $LAN_INT -o $EXT_INT -s $LAN_NET -j fclient
    #reject all other clients
    $IPTABLES -t filter -A FORWARD -i $LAN_INT -o $EXT_INT -s $LAN_NET -j REJECT --reject-with icmp-net-prohibited

    #allow established connections lan<->inet
    $IPTABLES -t filter -A FORWARD -i $EXT_INT -o $LAN_INT -d $LAN_NET -m state --state ESTABLISHED -j ACCEPT

    #snat traffic from authenticated clients
    $IPTABLES -t nat -A POSTROUTING -s $LAN_NET ! -d $LAN_NET -j sclient

    #do not dnat traffic from authenticated clients
    $IPTABLES -t nat -A PREROUTING -i $LAN_INT ! -d $LAN_GW -j dclient

    #enable dnat to self for all web traffic
    for PORT in 80 443; do
        $IPTABLES -t nat -A PREROUTING -i $LAN_INT ! -d $LAN_GW -p tcp --dport $PORT -j DNAT --to $LAN_GW
    done

    #add default REJECT rule (just more polite than DROP)
    for CHAIN in INPUT OUTPUT FORWARD; do
        $IPTABLES -t filter -A $CHAIN -j REJECT;
    done
    return

}

add_usage() {
    echo "usage:"
    echo "$COMMAND add IP MAC"
    exit 1;
}

run_add() {
    # both IP and MAC are required
    [ -n "$IP" ] && [ -n "$MAC" ] || add_usage
    #add client
    $IPTABLES -t filter -A fclient -s $IP -m mac --mac-source $MAC -j ACCEPT || fferror
    $IPTABLES -t nat -A dclient -s $IP -m mac --mac-source $MAC -j ACCEPT || fferror
    $IPTABLES -t nat -A sclient -s $IP ! -d $LAN_NET -j SNAT --to $EXT_INT_IP || fferror
    echo "added Client: IP $IP MAC $MAC";
    return
}

del_usage() {
    echo "usage:"
    echo "$COMMAND del IP MAC"
    exit 1;
}

run_del() {
    # both IP and MAC are required
    [ -n "$IP" ] && [ -n "$MAC" ] || del_usage
    #delete client
    $IPTABLES -t filter -D fclient -s $IP -m mac --mac-source $MAC -j ACCEPT || fferror
    $IPTABLES -t nat -D dclient -s $IP -m mac --mac-source $MAC -j ACCEPT || fferror
    $IPTABLES -t nat -D sclient -s $IP ! -d $LAN_NET -j SNAT --to $EXT_INT_IP || fferror
    echo "removed Client: IP $IP MAC $MAC";
    return
}

#===========================
# Main
#===========================

case "$ACTION" in
    reset ) reset_firewall;;
    add ) run_add;;
    del ) run_del;;
    * ) show_usage;;
esac

exit
* Re: Access control script for Public Library
From: John A. Sullivan III @ 2005-03-31 21:01 UTC
To: mark; +Cc: Netfilter users list

On Thu, 2005-03-31 at 15:37 -0500, mark@ehle.homelinux.org wrote:
> Hello -
>
> I am a complete iptables newbie who is trying to re-write a wireless hotspot
> script that I found on the net to control internet access for our library patrons.
[...]
> My problem comes in when I try to do the transparent proxy part. when I try to
> add the rule:
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
>
> To the script, it does not work, and dansguardian will not even start. I have
> played around with various permutations of this rule, and have gotten nowhere.
[...]
> #allow all local traffic
> $IPTABLES -t filter -A INPUT -i lo0 -j ACCEPT
> $IPTABLES -t filter -A OUTPUT -o lo0 -j ACCEPT
[...]

This may be a silly, off the cuff reply, but, in your rules allowing traffic within the gateway, do you want interface lo0 as you have written or lo?
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source enterprise class network security management system, please visit http://iscs.sourceforge.net
* Re: Access control script for Public Library
From: mark @ 2005-03-31 22:54 UTC
To: John A. Sullivan III; +Cc: Netfilter users list

John -

Thanks for your reply - most definitely not silly, or off the cuff. I am a complete iptables newbie, so I will listen to anything.

Actually, that is a part that I didn't change from the script that I am, well, borrowing. Might that be the reason that dansguardian hangs when I start it up? It did seem to me that it was not able to 'listen to itself', so to speak.

Thanks again!

Mark Ehle
Computer Support Librarian
Willard Public Library
Battle Creek, Michigan

Quoting "John A. Sullivan III" <jsullivan@opensourcedevel.com>:
> This may be a silly, off the cuff reply, but, in your rules allowing
> traffic within the gateway, do you want interface lo0 as you have
> written or lo?
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@opensourcedevel.com
>
> If you would like to participate in the development of an open source
> enterprise class network security management system, please visit
> http://iscs.sourceforge.net
>
> On Thu, 2005-03-31 at 15:37 -0500, mark@ehle.homelinux.org wrote:
> > Hello -
> >
> > I am a complete iptables newbie who is trying to re-write a wireless hotspot
> > script that I found on the net to control internet access for our library patrons.
[...]
* Re: Access control script for Public Library
From: John A. Sullivan III @ 2005-03-31 23:17 UTC
To: mark; +Cc: Netfilter users list

I did not take the time to really digest your post or rules (my apologies - just very busy) but that is the first thing that came to mind. I've not used DansGuardian but I do know that my transparent proxies failed until I realized I had not allowed internal traffic passing on interface lo. I suppose if you do a simple ifconfig or ip link ls you'll see if your system uses lo or lo0. Good luck - John

On Thu, 2005-03-31 at 17:54 -0500, mark@ehle.homelinux.org wrote:
> John -
>
> Thanks for your reply - most definately not silly, or off the cuff. I am a
> complete iptables nubie, so I will listen to anything.
>
> Actually, that is a part that I didn't change from the script that I am, well,
> borrowing. Might that be the reason that dansguardian hangs when I start it up?
> It did seem to me that it was not able to 'listen to itself', so to speak.
>
> Thanks again!
>
> Mark Ehle
> Computer Support Librarian
> Willard Public Library
> Battle Creek, Michigan
>
> Quoting "John A. Sullivan III" <jsullivan@opensourcedevel.com>:
> > This may be a silly, off the cuff reply, but, in your rules allowing
> > traffic within the gateway, do you want interface lo0 as you have
> > written or lo?
[...]
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
* Re: Access control script for Public Library
From: mark @ 2005-04-01 1:09 UTC
To: Netfilter users list

John -

I made that change (lo0 -> lo), and while I can't test it fully as I'm at home and can only ssh into the proxy, dansguardian does now load correctly. I will know more when I get to work tomorrow, but it looks like a step in the right direction. I'm surprised that iptables did not complain.

Thanks! You da man!

Mark

Quoting "John A. Sullivan III" <jsullivan@opensourcedevel.com>:
> I did not take the time to really digest your post or rules (my
> apologies - just very busy) but that is the first thing that came to
> mind. I've not used DansGuardian but I do know that my transparent
> proxies failed until I realized I had not allowed internal traffic
> passing on interface lo. I suppose if you do a simple ifconfig or ip
> link ls you'll see if your system uses lo or lo0. Good luck - John
>
> On Thu, 2005-03-31 at 17:54 -0500, mark@ehle.homelinux.org wrote:
> > John -
> >
> > Thanks for your reply - most definitely not silly, or off the cuff. I am a
> > complete iptables newbie, so I will listen to anything.
> >
> > Actually, that is a part that I didn't change from the script that I am, well,
> > borrowing. Might that be the reason that dansguardian hangs when I start it up?
> > It did seem to me that it was not able to 'listen to itself', so to speak.
> >
> > Thanks again!
> >
> > Mark Ehle
> > Computer Support Librarian
> > Willard Public Library
> > Battle Creek, Michigan
> >
> > Quoting "John A. Sullivan III" <jsullivan@opensourcedevel.com>:
> > > This may be a silly, off the cuff reply, but, in your rules allowing
> > > traffic within the gateway, do you want interface lo0 as you have
> > > written or lo?
> > > --
> > > John A. Sullivan III
> > > Open Source Development Corporation
> > > +1 207-985-7880
> > > jsullivan@opensourcedevel.com
> > >
> > > If you would like to participate in the development of an open source
> > > enterprise class network security management system, please visit
> > > http://iscs.sourceforge.net
> > >
> > >
> > > On Thu, 2005-03-31 at 15:37 -0500, mark@ehle.homelinux.org wrote:
> > > > Hello -
> > > >
> > > > I am a complete iptables newbie who is trying to re-write a wireless hotspot
> > > > script that I found on the net to control internet access for our library
> > > > patrons.
> > > >
> > > > I found the script at:
> > > >
> > > > http://www.feedface.com/folkert/study/hotspot/src/firewall.sh.txt
> > > >
> > > > I am trying to re-write it so that I can use squid and dansguardian to
> > > > proxy and filter the web. I need it to transparently proxy. I have a system
> > > > set up now that uses squid to grant or deny access, but it can only block
> > > > web access; my need is for a firewall that can block all network access so
> > > > that a given PC can't chat or play online games as well as surf the net
> > > > after time has run out.
> > > >
> > > > The script, as far as I have gotten, works well. When I fire it up, my test
> > > > PC can't go anywhere except the sign up page (which it is redirected to no
> > > > matter what), and when I add the PC to the access list (by typing
> > > > firewall.sh add <ip> <mac>), that PC is able to surf.
> > > >
> > > > My problem comes in when I try to do the transparent proxy part. When I try
> > > > to add the rule:
> > > > iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
> > > >
> > > > to the script, it does not work, and dansguardian will not even start. I
> > > > have played around with various permutations of this rule, and have gotten
> > > > nowhere.
> > > >
> > > > Can anybody help?
> > > >
> > > > Thanks -
> > > >
> > > > Mark Ehle
> > > > =======
> > > > Following is the script (firewall.sh) as far as I have it:
> > > >
>
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@opensourcedevel.com
>
> Financially sustainable open source development
> http://www.opensourcedevel.com
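John's "ifconfig or ip link ls" check can be scripted so that a firewall script refuses to load rules naming an interface the kernel does not have; as Mark notes, iptables itself accepts "-i lo0" without complaint, so nothing else catches it. The following is an added example, not code from the thread or from firewall.sh: the `ip -o link show` text is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the thread or of firewall.sh: validate the
# interface names a firewall script is about to use against the interfaces the
# kernel reports, before any rule is loaded.

# Constructed sample of `ip -o link show` output, standing in for a live box.
# On a real gateway, pass "$(ip -o link show)" instead.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP'

# list_ifaces IPLINK_TEXT: print one interface name per line.
list_ifaces() {
    # fields are "index: name: <flags> ..."; strip "@peer" from veth-style names
    printf '%s\n' "$1" | awk -F': ' '/^[0-9]+: /{ sub(/@.*/, "", $2); print $2 }'
}

# iface_exists NAME IPLINK_TEXT: exit 0 if NAME is an interface in the listing.
iface_exists() {
    list_ifaces "$2" | grep -qx -- "$1"
}

# loopback_name IPLINK_TEXT: print "lo" or "lo0", whichever the kernel has.
# Fails if neither exists, so callers never fall back to a guessed name.
loopback_name() {
    for cand in lo lo0; do
        if iface_exists "$cand" "$1"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# check_script_ifaces IPLINK_TEXT NAME...: print every NAME that does not
# exist and exit 1 if any is missing, so a script can refuse to load its rules.
check_script_ifaces() {
    text=$1
    shift
    missing=0
    for name in "$@"; do
        if ! iface_exists "$name" "$text"; then
            printf 'missing interface: %s\n' "$name"
            missing=1
        fi
    done
    return $missing
}

# Stand-alone demonstration with the names firewall.sh uses (LAN_INT=eth1,
# EXT_INT=eth0) plus its loopback "lo0": only lo0 is reported as missing.
check_script_ifaces "$SAMPLE_IP_LINK" lo0 eth0 eth1 \
    || echo "use $(loopback_name "$SAMPLE_IP_LINK") for the loopback rules"
```

Run the check at the top of reset_firewall with the live listing, and call show_usage or fferror when it fails, so a typo in LAN_INT, EXT_INT or the loopback name aborts before the tables are flushed.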