From: <tom@then.fr>
To: netfilter@vger.kernel.org
Subject: NAT, DROP and walled-gardens (~= captive portal)
Date: Tue, 15 Jan 2013 14:13:39 +1000 [thread overview]
Message-ID: <bad08547704464d914a571f252e59c40@localhost> (raw)
Hey guys,
*Problem*
I've just hit the deprecation of DROP in the NAT tables.
iptables v1.4.7:
The "nat" table is not intended for filtering, the use of DROP is
therefore inhibited.
*Context*
- I have a Centos 6.3 acting as router and running iptables.
- It routes traffic in and out.
- It also has different 'walled-gardens' which restrict a source
IP(s).
- An IP in a 'walled-garden' has for intance the following
restrictions:
* Access to a limited set of servers (in house or on the Net).
* Access to DNS servers
* Port 80 rewritten to a default server
* Drop all the rest of the traffic
- I have different kind of gardens with different set of rules to
restrict IPs (users). A garden must have a default policy set to drop.
- The IP (user) are added and removed from a garden by a software
using iptables.
With our old Centos4 I was using the following which worked fine:
- Example of a walled-garden definition:
/sbin/iptables -t nat -N garden
/sbin/iptables -t nat -A garden -p udp -m udp --dport 53 -j DNAT --to
1.1.1.1
/sbin/iptables -t nat -A garden -p tcp -m tcp -d 3.3.3.3 -j ACCEPT
/sbin/iptables -t nat -A garden -p tcp -m tcp --dport 80 -j DNAT --to
80.80.80.80
/sbin/iptables -t nat -A garden -j DROP
- Definition of the chain where the software will put users in:
/sbin/iptables -t nat -N garden_users
/sbin/iptables -t nat -A PREROUTING -j garden_users
- Add or remove a user in a garden via software with :
/sbin/iptables -t nat -A garden_users -s IP.TO.GAR.DEN -j garden
/sbin/iptables -t nat -D garden_users -s IP.TO.GAR.DEN -j garden
*Question*
Now, as you know we cannot DROP anymore in a NAT table. Therefore my
gardens are useless because I cannot drop at the end anymore. For the
moment I really don't see how I can easily have the same behaviour than
before. I can see a possible solution with more chains that would
involve the software to iptables -A to different chains which I'd like
to avoid :)
I'd like to have your insights first to see if there is something
obvious I cannot see or not fully understanding.
Any ideas are welcome.
Thomas
next reply other threads:[~2013-01-15 4:13 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-15 4:13 tom [this message]
-- strict thread matches above, loose matches on Subject: below --
2013-01-15 6:31 NAT, DROP and walled-gardens (~= captive portal) Neal Murphy
2013-01-15 11:18 ` Tom
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bad08547704464d914a571f252e59c40@localhost \
--to=tom@then.fr \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.