Linux Advanced Routing and Traffic Control list
* [LARTC] Redirecting wayward traffic
@ 2001-06-05 13:09 David Talbot
From: David Talbot @ 2001-06-05 13:09 UTC (permalink / raw)
  To: lartc

I'm working on getting my firewall machine to display a message to my users
any time they wander off of the OK'd list.

The problem is when I have the line at the bottom labeled the problem line,
it redirects all port 80 requests to the local machine without allowing the
ones on the OK'd list out. When that line is commented out the script works
perfectly. When a user types in amazon.com, they get amazon.com, when they
type in hotsheep.com their browser times out.  Anyone have any ideas how I
can just redirect the traffic that falls outside the wall to go back to the
local webserver to receive a proper error message?

I know the problem lies in the use of DNAT in PREROUTING happening before
the denial items, but I couldn't find a postrouting way to do it... experts
help! :)

Basically What I've got is:

eth0 is the internet exposed side, eth1 is the internal (10.0.0.1) (Public
IP's blocked over)

iptables -F
iptables -F -t nat
iptables -X

iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -d localhost -j ACCEPT
iptables -A FORWARD -d 10.0.0.1 -j ACCEPT

#ENABLE EVERYONE ACCESS TO THE DNS SERVER
iptables -t nat -A POSTROUTING -o eth0 -d 209.XXX.XXX.XXX -j MASQUERADE
iptables -A FORWARD -d 209.XXX.XXX.XXX -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 209.XXX.XXX.XXX -j MASQUERADE
iptables -A FORWARD -s 209.XXX.XXX.XXX -j ACCEPT


#ENABLE EVERYONE ACCESS TO THE INTERNAL SIDE OF THIS MACHINE
iptables -t nat -A POSTROUTING -o eth1 -d 10.0.0.1 -j MASQUERADE
iptables -A FORWARD -d 10.0.0.1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.1 -j MASQUERADE
iptables -A FORWARD -s 10.0.0.1 -j ACCEPT


#ENABLE ACCESS TO amazon.com
iptables -t nat -A POSTROUTING -o eth0 -d amazon.com -j MASQUERADE
iptables -A FORWARD -d amazon.com -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s amazon.com -j MASQUERADE
iptables -A FORWARD -s amazon.com -j ACCEPT
#END OF ENABLE ACCESS TO amazon.com


#IF THEY STEP OUT OF THE WALL AND THEY'RE BROWSING, REDIRECT THEM TO THE LOCAL
#THAT HAS ONLY A 404 ERROR SET TO DISPLAY A PAGE THAT SAYS THEY CAN ONLY GET TO AMAZON

#THIS IS THE PROBLEM LINE
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
#THIS IS THE PROBLEM LINE


iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A FORWARD -j DROP


Thanks in advance!

-David Talbot


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/


* Re: [LARTC] Redirecting wayward traffic
From: Adrian Chung @ 2001-06-05 14:55 UTC (permalink / raw)
  To: lartc

On Tue, Jun 05, 2001 at 08:09:41AM -0500, David Talbot wrote:
> #THIS IS THE PROBLEM LINE
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
> #THIS IS THE PROBLEM LINE

I tried this on my 2.4.5 box, and it works just fine -- as long as the
--to <address> isn't the same box I'm attempting to connect from.
IOW, as long as the webserver isn't on the same box I'm attempting to
browse outside the firewall with.

When I tried to DNAT to the same box I was running lynx on, I just got
a timeout.  When I switched to DNAT to a different box, all requests
went there properly.

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.enfusion-group.com] up 28 days, 22:07, 2 users



* RE: [LARTC] Redirecting wayward traffic
From: David Talbot @ 2001-06-05 15:12 UTC (permalink / raw)
  To: lartc

I tried what you suggested (Changing the destination to a different box) and
it still does it to all the requests.

The goal of the firewall setting is to allow access only to a few specific
sites (in the case of the example provided amazon.com should be the only URL
the users can get to) and all other sites should go to an internal webserver
to tell them that they can't get to the site they're trying to go to. Does
this make sense? Is there any way to do the DNAT only when it's not on the
access list? (It's actually more like 100 sites I want the users to have
access to, I narrowed down the script a bit for the example).

Any ideas? This one has been killing me for a while... I know it's possible
because I've seen networks that behave like this.

Help me out with this and you'll be my hero!

-David Talbot


* Re: [LARTC] Redirecting wayward traffic
From: Juri Haberland @ 2001-06-05 15:48 UTC (permalink / raw)
  To: lartc

David Talbot wrote:
> 
> I tried what you suggested (Changing the destination to a different box) and
> it still does it to all the requests.
> 
> The goal of the firewall setting is to allow access only to a few specific
> sites (in the case of the example provided amazon.com should be the only URL
> the users can get to) and all other sites should go to an internal webserver
> to tell them that they can't get to the site they're trying to go to. Does
> this make sense? Is there any way to do the DNAT only when it's not on the
> access list? (It's actually more like 100 sites I want the users to have
> access to, I narrowed down the script a bit for the example).
> 
> Any ideas? This one has been killing me for awhile... I know it's possible
> because I've seen networks that behave like this.

What about denying the direct access completely and using Squid as a
transparent proxy? Then you don't need a separate web server for the
error page because Squid can generate customized error messages itself.
And you can work not only based on IP addresses but also with regex for
the URLs that you want to deny (or allow - it's up to you).

Juri


* Re: [LARTC] Redirecting wayward traffic
From: Adrian Chung @ 2001-06-05 16:06 UTC (permalink / raw)
  To: lartc

On Tue, Jun 05, 2001 at 08:09:41AM -0500, David Talbot wrote:
> #THIS IS THE PROBLEM LINE
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
> #THIS IS THE PROBLEM LINE

I think I know what the problem is.

Before that though, Juri is right in saying that this is more easily
and effectively achieved using Squid, but, that being said...

You're trying to do DNAT onto the same network.  You change the
destination IP of the packets back onto the local network, but when
they hit 10.0.0.1 they look like they came from the external IP of
your router, and so they get dropped.

Look at:

http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-10.html

Try adding:

iptables -t nat -A POSTROUTING -p tcp -s <yourLAN> -d 10.0.0.1 --dport 80 -j SNAT --to <NATboxIP>

It worked for me, but I had to do some other fiddling because I'm also
doing policy based (source) routing, and so my setup might not quite
be the same as yours, but it's worth a try.

If you use tcpdump, you should see packets hitting 10.0.0.1 from a
non-LAN IP.

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.enfusion-group.com] up 28 days, 23:15, 3 users


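Added example, not code from the thread or from any of its authors: the nat-table ordering that answers David's original question (DNAT port 80 to the error page only when the destination is not on the allow-list), combined with the hairpin SNAT Adrian describes above. It keeps David's layout (eth0 = internet, eth1 = LAN, 10.0.0.1 = the firewall's LAN address); the allow-list addresses are constructed RFC 5737 documentation addresses, and ERRPAGE, ALLOWED_DESTS, APPLY and wayward_rules are names introduced here. Rules are printed rather than loaded unless APPLY=1 is set, so the order can be checked without root and without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread: "DNAT port 80 to the error page
# unless the destination is on the allow-list", plus the hairpin SNAT.
# Layout follows David's post: eth0 = internet, eth1 = LAN, 10.0.0.1 =
# the firewall's LAN address. ERRPAGE, ALLOWED_DESTS and APPLY are names
# introduced here; the allow-list addresses are constructed (RFC 5737).
LAN_IF=eth1
WAN_IF=eth0
LAN_NET=10.0.0.0/8
FW_LAN_IP=10.0.0.1
ERRPAGE="${ERRPAGE:-10.0.0.1}"   # host serving the "you can only get to amazon" page
ALLOWED_DESTS="${ALLOWED_DESTS:-198.51.100.10 198.51.100.11}"

# Print rules instead of loading them unless APPLY=1: the whole point is
# the order of the rules, and printing lets you review it without root.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

wayward_rules() {
    ipt -t nat -F PREROUTING
    ipt -t nat -F POSTROUTING

    # 1. Allowed destinations are ACCEPTed in nat/PREROUTING *before* the
    #    DNAT. In the nat table ACCEPT means "do no NAT on this connection",
    #    so these packets keep their real destination and go on to FORWARD.
    for d in $ALLOWED_DESTS; do
        ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -d "$d" -j ACCEPT
    done

    # 2. Everything else on port 80 from the LAN is rewritten to the error
    #    page. Matching -i eth1 keeps traffic arriving from the internet out.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j DNAT --to "$ERRPAGE"

    # 3. Hairpin fix (Adrian's rule). If ERRPAGE is another LAN host, its
    #    replies would go straight to the client, bypassing the firewall's
    #    NAT state; the client does not recognise them and the connection
    #    never completes. Source-NATing the rewritten packets to the
    #    firewall's own LAN address brings the replies back through it.
    #    When ERRPAGE is the firewall itself the packet is delivered
    #    locally and this rule simply never matches.
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -s "$LAN_NET" -d "$ERRPAGE" \
        --dport 80 -j SNAT --to "$FW_LAN_IP"

    # 4. Allowed connections leave via eth0 and are masqueraded as before.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

wayward_rules
```

This block only replaces the nat side; the filter table (David's FORWARD rules) still decides what is forwarded. Two caveats worth knowing: ACCEPT in the nat table exempts the whole connection from later NAT rules in that chain, which is exactly what keeps allowed destinations away from the DNAT; and a hostname given to -d is resolved once at load time, one rule per returned address, which is both why a 100-site script takes a minute to load and why hostname allow-lists belong in the proxy rather than in iptables.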

* RE: [LARTC] Redirecting wayward traffic
From: David Talbot @ 2001-06-05 16:20 UTC (permalink / raw)
  To: lartc

I may just do that (god knows it would make the walling process easier to be
able to use reg exps), but before I do let me explain the overall problem.

If I do the transparent proxy I would want it done to all addresses except
the ones on my explicit list. For example:

I want 10.0.1.1 and 10.1.250.1 to have full unrestricted access to the
internet including FTP, Kazaa, etc.
All other IPs I want to only be able to use port 80 (web) through the
transparent proxy. The proxy I would configure to use the walled ACLs so all
these people have access to is amazon.com.

Is that possible? With the transparent proxy iptables settings I've seen so
far the transparent proxy applies to everyone when it is done. How can I
make it so people on my unfettered access list don't get piped through the
proxy?

-David Talbot


* Re: [LARTC] Redirecting wayward traffic
From: Adrian Chung @ 2001-06-05 16:39 UTC (permalink / raw)
  To: lartc

On Tue, Jun 05, 2001 at 11:20:30AM -0500, David Talbot wrote:
> I want 10.0.1.1 and 10.1.250.1 to have full unrestricted access to the
> internet including FTP, Kazaa, etc.
> All other IPS I want to only be able to use port 80 (web) through the
> transparent proxy. The proxy I would configure to use the walled ACLs so all
> these people have access to is amazon.com.
> 
> Is that possible? With the transparent proxy iptables settings I've seen so
> far the transparent proxy applies to everyone when it is done. How can I
> make it so people on my unfettered access list don't get piped through the
> proxy?

You can do this by transparent proxying the entire 10.0.0.0 network,
then inserting rules above this for the special cases, that just
'ACCEPT' them:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -I PREROUTING -i eth0 -p tcp -s 10.0.1.1 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp -s 10.1.250.1 -j ACCEPT

This is assuming the proxy server is on the NAT box, if not, you'll
have to adjust the first rule.

This will allow traffic from 10.0.1.1 and 10.1.250.1 straight through,
and transparently proxy everything else.

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.enfusion-group.com] up 28 days, 23:48, 3 users



* Re: [LARTC] Redirecting wayward traffic
From: Juri Haberland @ 2001-06-05 16:43 UTC (permalink / raw)
  To: lartc

David Talbot wrote:
> 
> I may just do that (god knows it would make the walling process easier to be
> able to use reg exps), but before I do let me explain the overall problem.
> 
> If I do the transparent proxy I would want it done to all addresses except
> the ones on my explicit list. For example:
> 
> I want 10.0.1.1 and 10.1.250.1 to have full unrestricted access to the
> internet including FTP, Kazaa, etc.
> All other IPS I want to only be able to use port 80 (web) through the
> transparent proxy. The proxy I would configure to use the walled ACLs so all
> these people have access to is amazon.com.
> 
> Is that possible? With the transparent proxy iptables settings I've seen so
> far the transparent proxy applies to everyone when it is done. How can I
> make it so people on my unfettered access list don't get piped through the
> proxy?

Sure, should be no problem using iptables:
First allow 10.0.1.1 and 10.1.250.1 access to the required services
(www, ftp) and then use a rule that redirects all traffic to port 80 to
your proxy. After that put a rule that denies everything. So your other
clients can only access port 80 via the proxy and nothing more whereas
those special clients have full access without going via the proxy.

That should be it (or have I overlooked something?).

Juri

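Added example, not Adrian's or Juri's code: the transparent-proxy rule set Adrian gives, with the filter-side ordering Juri describes (let the two special hosts through, redirect port 80 for everyone else, deny the rest). It assumes David's layout with the LAN on eth1 (Adrian's rules say -i eth0, which in that layout is the internet-facing side) and Squid listening on port 3128 on the firewall itself. EXEMPT_HOSTS, proxy_rules and APPLY are names introduced here; as in the earlier example, rules are printed unless APPLY=1.

```shell
#!/bin/sh
# Added example, not Adrian's or Juri's code: transparent Squid for the
# whole LAN except two exempt hosts, plus the filter rules that make the
# proxy the only way out. Assumes David's layout (eth1 = LAN; Adrian's
# rules say -i eth0, which in that layout is the internet side) and Squid
# on port 3128 on the firewall. EXEMPT_HOSTS, proxy_rules and APPLY are
# names introduced here.
LAN_IF=eth1
WAN_IF=eth0
SQUID_PORT=3128
EXEMPT_HOSTS="${EXEMPT_HOSTS:-10.0.1.1 10.1.250.1}"

# Dry run unless APPLY=1, so the rule order can be reviewed without root.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

proxy_rules() {
    ipt -t nat -F PREROUTING
    ipt -t nat -F POSTROUTING
    ipt -F FORWARD

    # Exempt hosts first: ACCEPT in nat/PREROUTING means "no NAT for this
    # connection", so their port-80 traffic is never redirected. Adrian
    # gets the same order with -I; -A keeps the listing readable top-down.
    for h in $EXEMPT_HOSTS; do
        ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$h" -j ACCEPT
    done

    # Everyone else: port 80 is redirected to the local Squid. REDIRECT is a
    # DNAT to the address of the interface the packet came in on, so the
    # firewall delivers it to its own listener on 3128.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"

    # Outbound connections (the exempt hosts' own, and Squid's fetches on
    # their behalf) leave eth0 masqueraded.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # filter/FORWARD (Juri's ordering): exempt hosts may forward anything,
    # established flows get their replies, everything else is dropped.
    # Redirected connections terminate on the firewall and never reach
    # FORWARD, so for a non-exempt client port 80 via Squid is the only
    # path out: any other port is dropped here, and any direct port-80
    # attempt was already intercepted by the REDIRECT.
    for h in $EXEMPT_HOSTS; do
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$h" -j ACCEPT
    done
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -j DROP
}

proxy_rules
```

The REDIRECT alone is not the wall: without the FORWARD default of DROP a non-exempt client could still reach any port other than 80 directly. The policy is the combination of the nat-side REDIRECT and the filter-side default, and the order within each chain is what makes the exemptions work.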

* RE: [LARTC] Redirecting wayward traffic
From: David Talbot @ 2001-06-05 21:18 UTC (permalink / raw)
  To: lartc

Just to keep google fed with good information I'll summarize what worked:

You were dead on with the way to redirect the ports to only transparent
proxy specific IP addresses, and dead on that I should use squid to do the
actual proxying instead of putting it all through iptables. The start up
time for my script before (when it was all iptables) was around a minute,
now between restarting squid and re-applying the iptables it's less than a
second!

The last thing that I had to do to bring all this together to make it work
(Thanks Thomas Veldhouse) was make some minor modifications to my squid
configuration to get it to accept iptables based port redirection as a
transparent squid proxy:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Thank you all you gurus of network infrastructure, it took 4 separate
points of view, but it came together :)

-David Talbot

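Added example, not David's actual squid.conf: the Squid 2.x fragment his four httpd_accel_* lines belong in, extended with the dstdomain allow-list that makes the proxy the wall and a deny_info line for the custom error page Juri mentioned. The site list, the LAN range and the error template name ERR_WALLED_GARDEN are constructed; walled_squid_conf and ALLOWED_SITES are names introduced here. The function prints the fragment so it can be reviewed or redirected into the real configuration file.

```shell
#!/bin/sh
# Added example, not David's squid.conf: transparent-proxy settings from
# the thread plus an allow-list ACL. Site list, LAN range and the error
# template name ERR_WALLED_GARDEN are constructed/assumed values.
SQUID_PORT=3128
LAN_NET=10.0.0.0/255.0.0.0
ALLOWED_SITES="${ALLOWED_SITES:-.amazon.com .example.com}"

walled_squid_conf() {
    cat <<EOF
http_port $SQUID_PORT

# Transparent-proxy settings (the four lines from the thread): Squid
# treats the intercepted request as an accelerated one and takes the
# origin host from the Host: header instead of the socket.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# Walled garden: a leading dot on a dstdomain entry also matches subdomains.
acl all src 0.0.0.0/0.0.0.0
acl lan src $LAN_NET
acl walled dstdomain $ALLOWED_SITES

# First matching http_access line wins. LAN requests to a site outside
# the list are denied with a custom page: deny_info picks its page from
# the last ACL checked on the denying line, which is "walled" here.
# (errors/ERR_WALLED_GARDEN in Squid's error directory is assumed to exist.)
http_access deny lan !walled
deny_info ERR_WALLED_GARDEN walled
http_access allow lan
http_access deny all
EOF
}

walled_squid_conf
```

Because httpd_accel_uses_host_header is on, Squid connects to whatever the Host: header names, resolved by Squid's own DNS lookup, rather than to the IP the client originally dialled, so the dstdomain check is applied to the name Squid will actually contact. Keeping http_access deny all as the last line is what makes the list an allow-list rather than a deny-list.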
