Bastion Firewall Host Redirect Question

Bastion Firewall Host Redirect Question

[iic1tls]

Dear All,
 
Thank you for your time, and please reply to this message if you have any
suggestions.
 
Before posing my question, some background:
 
A firewall has been constructed using RH Fedora 13, Kernel 2.6.34.7-63, and
IPTables 1.4.7.  The firewall is a simple, twin adapter configuration, with
the external interface (eth0) facing the internet, and the other interface
(eth1) facing a small private network (single IP subnet).  The firewall is a
bastion host, meaning that the firewall host contains nothing but the
operating system, IPTables, and only those items needed to support operation
of the host itself.  The firewall does not run any other applications.
 
Contained within the private network is a web server.
 
Network:
Base Address: 149.10.10.0/24
Web Server: 149.10.10.25
Clients: located at various addresses on the subnet.
Firewall eth1 Address: 149.10.10.1
DNS Address: 149.10.10.2
 
QUESTION
Given that clients on the internal network can freely surf the internet: if
the clients select a specific web site (ie www.website.com), my goal is to
configure IPTables to instead redirect the client to the internal web
server.
 
- If the client web browser is going to surf www.website.com, then iptables
redirects the client to 149.10.10.25
- If the client web browser is going to surf any other website, then
iptables permits the client to forward to the internet.
 
***
 
I have attempted several iptables rules, including:
 
iptables -v -t nat -A PREROUTING --in-interface eth1 --dport 80 -d
www.website.com -j DNAT --to 149.10.10.25
 
However, this appears to have no effect.
 
Can you please recommend the rule I should be using to perform this feat?
 
THANK YOU

Re: Bastion Firewall Host Redirect Question

[Jonathan Tripathy]

>
> QUESTION
> Given that clients on the internal network can freely surf the internet: if
> the clients select a specific web site (ie www.website.com), my goal is to
> configure IPTables to instead redirect the client to the internal web
> server.
>
> - If the client web browser is going to surf www.website.com, then iptables
> redirects the client to 149.10.10.25
> - If the client web browser is going to surf any other website, then
> iptables permits the client to forward to the internet.
>
>
Use a local DNS server and set the hostname of the site that you want to 
re-direct to your local webserver. You can secure this setup a bit more 
by using a proxy server (Squid + SquidGuard) to prevent clients entering 
the IPs directly. The only thing that IPTables would do is make sure 
that only your proxy server can access the internet directly

RE: Bastion Firewall Host Redirect Question

[iic1tls]

Thanks Jonathan, but I can not modify the DNS.  I need an IPTables solution.

THANK YOU

-----Original Message-----
From: Jonathan Tripathy [mailto:jonnyt@abpni.co.uk] 
Sent: Tuesday, December 14, 2010 8:59 AM
To: iic1tls@yahoo.com; netfilter@vger.kernel.org
Subject: Re: Bastion Firewall Host Redirect Question


>
> QUESTION
> Given that clients on the internal network can freely surf the internet:
if
> the clients select a specific web site (ie www.website.com), my goal is to
> configure IPTables to instead redirect the client to the internal web
> server.
>
> - If the client web browser is going to surf www.website.com, then
iptables
> redirects the client to 149.10.10.25
> - If the client web browser is going to surf any other website, then
> iptables permits the client to forward to the internet.
>
>
Use a local DNS server and set the hostname of the site that you want to 
re-direct to your local webserver. You can secure this setup a bit more 
by using a proxy server (Squid + SquidGuard) to prevent clients entering 
the IPs directly. The only thing that IPTables would do is make sure 
that only your proxy server can access the internet directly

Re: Bastion Firewall Host Redirect Question

[/dev/rob0]

Please don't top-post list replies, thank you.

On Tue, Dec 14, 2010 at 09:10:04AM -0600, iic1tls wrote:
> Thanks Jonathan, but I can not modify the DNS.  I need an IPTables 
> solution.

Perhaps then talk to someone who can? dnsmasq(8) exists for such 
situations, and it is very simple to learn and to manage. Your 
sysadmin will have no problem with this.

There *is* an iptables solution, but it is suboptimal for several 
reasons. That would be to use SNAT and DNAT on the router, for HTTP 
connections to the external IP address. The frozentux iptables 
tutorial page on DNAT explains this rather well and in full detail.

Note that your httpd logs would show all internal hosts' connections 
as coming from the router. The only easy solution to this problem is 
the one you have already rejected.


Some nitpicks, from which I think you might benefit:

> > QUESTION
> > Given that clients on the internal network can freely surf the 
> > internet: if the clients select a specific web site (ie 
> > www.website.com), my goal is to configure IPTables to instead

You should not use real Internet names as examples. If you really 
want to use an example name, example.{com,net,org} is reserved, as 
well as example.X in many ccTLDs. See RFC 2606.

> > redirect the client to the internal web server.
> >
> > - If the client web browser is going to surf www.website.com, 
> > then iptables redirects the client to 149.10.10.25

149.10.0.0/16 has been allocated to nysed.gov (New York State 
Education Department). You should not use real Internet IP addresses 
that you do not control. If you meant to use an obfuscated example, 
see RFC 5737 which designates TEST-NET-[123] blocks to use.

When designing a LAN which will have NAT access to the Internet, 
there are three netblocks set aside in RFC 1918: 10/8, 172.16/12, and 
192.168/16. That's a lot of room. Even in a large enterprise, with 
some planning you will never need to use netblocks outside these 
allocated ranges.

> > - If the client web browser is going to surf any other website, 
> > then iptables permits the client to forward to the internet.
> >
> >
> Use a local DNS server and set the hostname of the site that you 
> want to re-direct to your local webserver. You can secure this 
> setup a bit more by using a proxy server (Squid + SquidGuard) to 
> prevent clients entering the IPs directly. The only thing that 
> IPTables would do is make sure that only your proxy server can 
> access the internet directly
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: Bastion Firewall Host Redirect Question

[Billy Crook]

On Tue, Dec 14, 2010 at 08:54, iic1tls <iic1tls@yahoo.com> wrote:
> I have attempted several iptables rules, including:
> iptables -v -t nat -A PREROUTING --in-interface eth1 --dport 80 -d
> www.website.com -j DNAT --to 149.10.10.25

When you hit enter to commit this rule the iptables command resolves
www.website.com to an ip address, and then hands the request to add a
rule to netfilter.  The in-kernel rule will not change when
website.com's IP changes, which may happen at any time.  If clients
get a different IP for website.com (say they have multiple IPs), their
access will not be intercepted by the iptables rule.

iptables does not filter on domain names.  You must absolutely, and
without exception, do something in addition to iptables, like
intercept all DNS queries or force all web traffic through a proxy.

Re: Bastion Firewall Host Redirect Question

[Pascal Hambourg]

Hello,

Billy Crook a écrit :
> On Tue, Dec 14, 2010 at 08:54, iic1tls <iic1tls@yahoo.com> wrote:
>> I have attempted several iptables rules, including:
>> iptables -v -t nat -A PREROUTING --in-interface eth1 --dport 80 -d
>> www.website.com -j DNAT --to 149.10.10.25
> 
> When you hit enter to commit this rule the iptables command resolves
> www.website.com to an ip address, and then hands the request to add a
> rule to netfilter.  The in-kernel rule will not change when
> website.com's IP changes, which may happen at any time.  If clients
> get a different IP for website.com (say they have multiple IPs), their
> access will not be intercepted by the iptables rule.

Conversely, access to any other site hosted at the same IP address will
be intercepted.

> iptables does not filter on domain names.

Nor web site (HTTP Host:) names. Bottom line.

RE: Bastion Firewall Host Redirect Question

[iic1tls]

From: iic1tls [mailto:iic1tls@yahoo.com] 
Sent: Tuesday, December 14, 2010 9:10 AM
To: 'Jonathan Tripathy'; 'netfilter@vger.kernel.org'
Subject: RE: Bastion Firewall Host Redirect Question

Thanks Jonathan, but I can not modify the DNS.  I need an IPTables solution.

THANK YOU

-----Original Message-----
From: Jonathan Tripathy [mailto:jonnyt@abpni.co.uk] 
Sent: Tuesday, December 14, 2010 8:59 AM
To: iic1tls@yahoo.com; netfilter@vger.kernel.org
Subject: Re: Bastion Firewall Host Redirect Question


>
> QUESTION
> Given that clients on the internal network can freely surf the internet:
if
> the clients select a specific web site (ie www.website.com), my goal is to
> configure IPTables to instead redirect the client to the internal web
> server.
>
> - If the client web browser is going to surf www.website.com, then
iptables
> redirects the client to 149.10.10.25
> - If the client web browser is going to surf any other website, then
> iptables permits the client to forward to the internet.
>
>
Use a local DNS server and set the hostname of the site that you want to 
re-direct to your local webserver. You can secure this setup a bit more 
by using a proxy server (Squid + SquidGuard) to prevent clients entering 
the IPs directly. The only thing that IPTables would do is make sure 
that only your proxy server can access the internet directly