From: Michael <micolous@gmail.com>
To: netfilter@vger.kernel.org
Subject: PREROUTING table and quota
Date: Thu, 13 Nov 2008 22:45:53 +1030 [thread overview]
Message-ID: <1226578553.8310.40.camel@localhost.localdomain> (raw)
Howdy,
I'm having some issues using the quota module in the PREROUTING table.
I'm trying to write a captive portal software, and a requirement of it
is to have the client be automatically redirected to a login page on
HTTP requests where the user has no quota remaining or isn't logged in,
and it is not a request to a "free" site.
The firewall is being rewritten by a daemon which the web frontend
connects to. On startup, the daemon sets up a basic NAT and all the
standard rules, then when a user logs in the webpage connects to the
daemon and issues commands like "add computer at <ip> <mac> to userid
<n>". The daemon is fairly dumb and doesn't retain any state data -
it's only there to insulate the web server and application from
requiring root.
As far as I can tell, not all packets are actually hitting my quota
rules. Instead only new connections seem to be managed correctly -
subsequent and return packets are unaffected, and thus uncounted.
The rules are a bit messy, what I'm trying to achieve and the ordering
is:
1. p2_unmetered: Unmetered/free locations are sent to the
p2_allowed chain.
2. p2_blacklist: Blacklisted locations are sent to the p2_captive
chain.
3. p2_users: Maps a host to a user chain (p2u_*). This allows one
user to be signed on from many hosts.
4. p2_captive: All unhandled traffic is sent to this chain.
In p2_allowed:
* All traffic is allowed through.
In p2_captive:
* All tcp traffic on port 80 to be redirected to the local port
998 (which is a small web server that redirects users to the
captive portal login page)
* All tcp traffic on other ports are redirected to the local port
997
* All icmp traffic is redirected to the local machine
* All other traffic is dropped
In p2u_*:
* If there is enough quota for the packet, it is sent to
p2_allowed, and the size of the packet is subtracted from the
quota.
* If there is insufficient quota, it should not end processing
(and goto p2_captive)
The network setup:
eth0 (172.20.0.147): The external interface on the gateway.
eth1 (10.13.37.3): The internal interface on the gateway.
10.13.37.254: A client PC I'm using for testing.
Here is a dump of my iptables rules:
# Generated by iptables-save v1.3.6 on Thu Nov 13 21:22:03 2008
*filter
:INPUT ACCEPT [2765:294789]
:FORWARD ACCEPT [77631:59364457]
:OUTPUT ACCEPT [3210:423042]
COMMIT
# Completed on Thu Nov 13 21:22:03 2008
# Generated by iptables-save v1.3.6 on Thu Nov 13 21:22:03 2008
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [750:56421]
:OUTPUT ACCEPT [907:68008]
:p2_allowed - [0:0]
:p2_blacklist - [0:0]
:p2_captive - [0:0]
:p2_hosts - [0:0]
:p2_unmetered - [0:0]
:p2u_12 - [0:0]
-A PREROUTING -j p2_unmetered
-A PREROUTING -j p2_blacklist
-A PREROUTING -j p2_hosts
-A PREROUTING -j p2_captive
-A POSTROUTING -o eth0 -j MASQUERADE
-A p2_allowed -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A p2_allowed -i eth1 -j ACCEPT
-A p2_blacklist -d 192.168.0.0/255.255.0.0 -j p2_captive
-A p2_captive -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 998
-A p2_captive -p tcp -j REDIRECT --to-ports 997
-A p2_captive -p icmp -j REDIRECT
-A p2_captive -j DROP
-A p2_hosts -s 10.13.37.254 -i eth1 -m mac --mac-source
00:02:XX:XX:XX:XX -j p2u_12
-A p2_hosts -d 10.13.37.254 -o eth1 -j p2u_12
-A p2_unmetered -d 10.13.37.3 -p tcp -m tcp --dport 80 -j ACCEPT
-A p2_unmetered -d 10.13.37.3 -p tcp -m tcp --dport 443 -j ACCEPT
-A p2_unmetered -d 10.13.37.3 -p tcp -m tcp --dport 53 -j ACCEPT
-A p2_unmetered -d 10.13.37.3 -p udp -m udp --dport 53 -j ACCEPT
-A p2_unmetered -d 172.20.0.147 -j ACCEPT
-A p2_unmetered -d 10.13.37.3 -p tcp -m tcp --dport 22 -j ACCEPT
-A p2_unmetered -d 10.13.37.3 -p tcp -m tcp --dport 998 -j ACCEPT
-A p2u_12 -m quota --quota 999705946 -j p2_allowed
COMMIT
# Completed on Thu Nov 13 21:22:03 2008
Versions of stuff:
* iptables v1.3.6
* kernel 2.6.18
* Debian 4.0 (etch/stable) i386
I've had this previously working correctly when I was doing the work in
the FORWARD chain of the filter rule, however I cannot do automatic
redirection to the login page using this method.
Any advice would be greatly appreciated.
Cheers!
--michael
next reply other threads:[~2008-11-13 12:15 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-11-13 12:15 Michael [this message]
2008-11-13 17:11 ` PREROUTING table and quota Pascal Hambourg
2008-11-14 2:11 ` Michael
2008-11-14 10:15 ` Pascal Hambourg
2008-11-15 2:06 ` Alternate routing table and source IP address question bsilva
2008-11-15 11:57 ` Pascal Hambourg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1226578553.8310.40.camel@localhost.localdomain \
--to=micolous@gmail.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox