From: Bracey Summers <bcsummers@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Dynamic Nat rules
Date: Wed, 19 Jan 2005 08:49:10 -0600 [thread overview]
Message-ID: <a4384574050119064978cdb9d0@mail.gmail.com> (raw)
I am new to iptables and need some guidance. I have done a good bit
of reading over the past few days and have learned much. With this
knowledge I have come up with a solution for my task, but am not
convinced that it is the most efficient approach. I was hoping that I
could get some guidance from someone who is more knowledgeable.
My Setup:
Red Hat ES3
uname -r = 2.4.21-20.0.1.ELsmp
iptables -V = iptables v1.2.8
ip -V = ip utility, iproute2-ss010824
Dual NIC server
eth1 - To Router (internet)
eth0 - Internal public space IP range
The Task:
Block all traffic from the internal interface except port 80/443.
Forward 80/443 to my web server which will have a rewrite rule. The
user will then be shown a web page for authentication. Once the user
is validated they will be granted outbound access for a specified time
period (on most ports).
For my test setup I did not have public IP space to play with so I
created a private network (192.168.0.0). I then created the following
rule to get access to the external network.
MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to external_network
This is the part that I am not to sure about.
NAT - [One entry for each ip address]
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.2 -i eth0 --d 0/0
--dport 80,443 -j DNAT --to my_web_server
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.3 -i eth0 --d 0/0
--dport 80,443 -j DNAT --to my_web_server
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.4 -i eth0 --d 0/0
--dport 80,443 -j DNAT --to my_web_server
...
This rule should forward all internal web/ssl traffic to my web
server. I tested a command that was a similar and it worked.
Now the problem –
If I had 500 internal IP addresses I would have to create a NAT for
each one of them. Once the user authenticated I would have to remove
the NAT for that users IP for a specified time period. Then I would
have to create a filter to allow outbound access to the ports that I
wanted to allow for that IP. After their time has expired I would
have to add the NAT back and delete the filter rule. This seems like
it would work, but it is a lot of management. I tried to just make
one NAT to forward any internal IP address on port 80/443 to my web
server and that worked until the user authenticated. Once the user
was authenticated I had no way of getting around the NAT rule for
80/443. If I understand what I have been reading correctly the NAT
PREROUTING rule is evaluated first. Therefore there is not way for me
to allow an ip address in my internal network range to bypass this
rule.
Any guidance is appreciated.
--
Bracey Summers
next reply other threads:[~2005-01-19 14:49 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-19 14:49 Bracey Summers [this message]
2005-01-21 15:16 ` Dynamic Nat rules Jorge Dávila
2005-01-21 15:59 ` Jason Opperisano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a4384574050119064978cdb9d0@mail.gmail.com \
--to=bcsummers@gmail.com \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.