Linux Netfilter discussions
* How to get "real time" kernel updates from iptables
@ 2005-03-14 15:33 I & L Fogg
  2005-03-14 22:32 ` Eric Leblond
  0 siblings, 1 reply; 3+ messages in thread
From: I & L Fogg @ 2005-03-14 15:33 UTC (permalink / raw)
  To: netfilter, I & L Fogg

I would appreciate any advice on the following problem (if it is, in 
fact, a problem).

I have a pretty simple situation whereby I block internet access to 
clients behind my iptables firewall until they have been properly 
authenticated.

I set up a user-defined chain 'captive' with a default rule to redirect 
traffic to a local web server (that handles the authentication)...

iptables -t nat -A captive -i eth0 -j REDIRECT

This chain is traversed from nat's PREROUTING chain...

iptables -t nat -A PREROUTING -j captive

If/once the user authenticates, a script fires and inserts a 
'short-circuit' rule into the captive chain. After completing, the 
captive chain looks like (which will allow client 192.168.1.222 to 
escape the wormhole)...

iptables -t nat -I captive -s 192.168.1.222 -j RETURN
iptables -t nat -A captive -i eth0 -j REDIRECT

The problem...

My clients need to wait 10-15 seconds before trying to access the 
internet. Shorter waits (i.e., user starting to surf the web too early) 
result in a re-capture (REDIRECT), as if the 'short circuit' rule had 
never been inserted. I suspect this is being caused by delays in 
iptables updating the rule base, and the rules making it into the kernel 
(via the netlink socket???).

Is there anything I can do to reduce/eliminate the delay in getting 
updates into the kernel? I have tried an 'iptables-save | 
iptables-restore' in the hope that the COMMITs in the restore would do 
what the docs say (iptc_commit the changes to the kernel), but this 
doesn't seem to help.

I'm running iptables v 1.2.11 on a 2.6.10 kernel.

This has been bugging me for days, so I'd really appreciate any 
suggestions, or even a confirmation that there's not much I can do about 
it (the delay). In the latter case, I can set my user expectations, 
which is not my preferred course of action.

Cheers, Iain
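One mechanism worth keeping in mind when reading the question above: the nat table is consulted only for the first packet of a connection, and the resulting verdict is stored in the connection-tracking entry, so connections the client already had open stay redirected until those entries expire even though the RETURN rule is already in the kernel. The Python model below is an added illustration, not code from the thread; the chain names, rules and client address come from the post, while the packet fields, the flush helper (standing in for deleting that client's conntrack entries) and the sample flows are made up for the demonstration.

```python
# Added model: the nat table is walked only for the FIRST packet of a flow and
# the verdict is cached in the conntrack entry, so a RETURN rule inserted later
# leaves existing flows redirected. Field names and helpers are made up.

def build_tables():  # chain -> [(match, target)], mirroring the post's chains
    return {"PREROUTING": [({}, "captive")],
            "captive": [({"in": "eth0"}, "REDIRECT")]}

def walk_chain(tables, chain, pkt):
    """Walk a chain as iptables does; RETURN hands control back to the caller."""
    for match, target in tables[chain]:
        if any(pkt.get(k) != v for k, v in match.items()):
            continue
        if target == "RETURN":
            return None
        if target in tables:  # jump to a user-defined chain
            verdict = walk_chain(tables, target, pkt)
            if verdict is not None:
                return verdict
            continue  # sub-chain RETURNed: keep walking this chain
        return target  # terminating target such as REDIRECT
    return None

class NatFirewall:
    def __init__(self):
        self.tables = build_tables()
        self.conntrack = {}  # flow key -> cached nat verdict

    def authenticate(self, src):  # iptables -t nat -I captive -s <src> -j RETURN
        self.tables["captive"].insert(0, ({"src": src}, "RETURN"))

    def flush_conntrack(self, src):  # stands in for deleting the client's entries
        self.conntrack = {k: v for k, v in self.conntrack.items() if k[0] != src}

    def handle(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.conntrack:  # NEW flow: consult nat PREROUTING once
            self.conntrack[key] = walk_chain(self.tables, "PREROUTING", pkt) or "ACCEPT"
        return self.conntrack[key]  # later packets reuse the cached verdict

def demo():
    fw = NatFirewall()
    old = {"in": "eth0", "src": "192.168.1.222", "sport": 40001,
           "dst": "203.0.113.9", "dport": 80}  # constructed sample flow
    before = fw.handle(old)  # REDIRECT: client not yet authenticated
    fw.authenticate("192.168.1.222")
    same_flow = fw.handle(old)  # still REDIRECT: cached verdict, rule not consulted
    new_flow = fw.handle(dict(old, sport=40002))  # ACCEPT: fresh flow sees RETURN
    fw.flush_conntrack("192.168.1.222")
    return before, same_flow, new_flow, fw.handle(old)  # ACCEPT after flushing
```

On a real box the equivalent of the flush step is removing the client's existing conntrack entries after inserting the RETURN rule, so the browser's already-open connections are re-evaluated against the updated chain instead of waiting for them to time out.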



* Re: How to get "real time" kernel updates from iptables
  2005-03-14 15:33 How to get "real time" kernel updates from iptables I & L Fogg
@ 2005-03-14 22:32 ` Eric Leblond
  2005-03-15  8:45   ` Mohamed Eldesoky
  0 siblings, 1 reply; 3+ messages in thread
From: Eric Leblond @ 2005-03-14 22:32 UTC (permalink / raw)
  To: I & L Fogg; +Cc: netfilter

Hi,

For a Netfilter-based authenticating firewall, you may have a look at
NuFW : http://www.nufw.org/

It authenticates connections (in the Netfilter meaning) individually and it
does not do an IP==address association. Thus it even works on multiuser
systems.

BR,
-- 
Eric Leblond <eric@inl.fr>




* Re: How to get "real time" kernel updates from iptables
  2005-03-14 22:32 ` Eric Leblond
@ 2005-03-15  8:45   ` Mohamed Eldesoky
  0 siblings, 0 replies; 3+ messages in thread
From: Mohamed Eldesoky @ 2005-03-15  8:45 UTC (permalink / raw)
  To: netfilter

As posted by Eric,
or let your authentication script introduce the delay before it comes back
to the user.


On Mon, 14 Mar 2005 23:32:40 +0100, Eric Leblond <eric@inl.fr> wrote:
> Hi,
> 
> For a Netfilter-based authenticating firewall, you may have a look at
> NuFW : http://www.nufw.org/
> 
> It authenticates connections (in the Netfilter meaning) individually and it
> does not do an IP==address association. Thus it even works on multiuser
> systems.
> 
> BR,
> --
> Eric Leblond <eric@inl.fr>
> 
> 


-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE

