BRIDGE + DHCP + Filtering


Post by zaib » Sat Feb 09, 2008 6:52 pm

Dear LP members,
Salam,

I have the following setup.

CLIENTS <===> LINUX BRIDGE (FC7) <===> ISA SERVER

BRIDGE IP = 10.0.8.1 [LINUX BRIDGE]
ISA SERVER = 10.0.0.1 [ISA SERVER + DNS Server]
CLIENTS IPs = 10.10.0.x

This bridge is also acting as a DHCP server, giving every user a fixed IP, and then a MAC-to-IP bind script checks the user's IP against the MAC addresses.

Everything is working fine except for one thing: users cannot browse or use the internet with autodetect settings. Users have to set up proxy settings in Internet Explorer, or alternatively they have to install MSPCLIENT in order to use the internet.

Users have their default gateway and DNS pointing to the ISA Server. When I clear the iptables rules with iptables -F, everything works smoothly with autodetect settings.

My Security Script is as follows . . .

=================================================================
> cat /firewall/secure.sh

#!/bin/sh
#set -x
## Script provided by cool_mudasir@hotmail.com, thanks for his
## contribution :)

IPT="/sbin/iptables"
DHCP_SERVER="10.0.8.1"
# The binding list lives at the path given by the FINAL_FILE=... line in
# the file "path"; it holds one "MAC IP" pair per line.
FILE=`awk -F= '/FINAL_FILE/ {print $2}' path`
LOOPBACK="lo"

# Flush every table so the script can be re-run from a clean state.
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

# Mark every packet whose source IP and source MAC both match one line
# of the binding list. Bridged frames only reach these rules when the
# kernel passes them through iptables (net.bridge.bridge-nf-call-iptables=1).
while read MAC IP REST
do
    [ -z "$MAC" ] && continue
    $IPT -t mangle -A PREROUTING -s $IP -m mac --mac-source $MAC -j MARK --set-mark 1
done < "$FILE"

# Not required for bridging itself; kept for the routed case.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Accept DHCP. Client requests arrive on INPUT (0.0.0.0:68 -> 255.255.255.255:67);
# the server's offers/acks leave on OUTPUT from port 67 to port 68.
$IPT -A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
$IPT -A OUTPUT -p udp -s $DHCP_SERVER --sport 67 --dport 68 -j ACCEPT

$IPT -A INPUT -i $LOOPBACK -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK -j ACCEPT

# Allow marked packets (known MAC/IP pairs) in and through.
$IPT -A INPUT -m mark --mark 1 -j ACCEPT
$IPT -A FORWARD -m mark --mark 1 -j ACCEPT

# Drop everything unmarked explicitly; the DROP policies below would
# catch it anyway, but the rule makes the intent visible in the chain.
$IPT -A INPUT -m mark ! --mark 1 -j DROP
$IPT -A FORWARD -m mark ! --mark 1 -j DROP

$IPT -P INPUT DROP
$IPT -P FORWARD DROP

What is missing? What needs to be added in order to enable clients to use the internet in SecureNAT mode or transparently?
zaib
Naik
 
Posts: 97
Joined: Thu Jan 10, 2008 3:11 pm
Location: Karachi
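The loop in the posted script interpolates each line of the binding list straight into an iptables command. As an added example (not part of zaib's post or the contributed script), the shell below reads the same "MAC IP" file format, validates both fields before they are used, and prints the MARK rules instead of running them so the result can be reviewed first. The binding file contents are constructed for the example, and the function names valid_mac, valid_ip and gen_mark_rules are chosen here.

```shell
#!/bin/sh
# Added example: validate a "MAC IP" binding list before turning it into
# iptables MARK rules. Dry-run only: the commands are printed, not executed.

IPT="/sbin/iptables"

# valid_mac MAC -> true if MAC is six colon-separated hex octets
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# valid_ip IP -> true if IP is a dotted quad with every octet in 0..255
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # split on dots in a subshell so the caller's IFS is left untouched
    ( IFS=.; set -- $1; for octet; do [ "$octet" -le 255 ] || exit 1; done )
}

# gen_mark_rules FILE -> print one PREROUTING MARK rule per valid line.
# Blank lines and comments are ignored; malformed lines are reported on
# stderr and skipped, so a typo in the list cannot abort the script or
# hand an unexpected token to iptables.
gen_mark_rules() {
    n=0
    while read -r mac ip extra; do
        case "$mac" in ''|'#'*) continue ;; esac
        if ! valid_mac "$mac" || ! valid_ip "$ip"; then
            echo "skipping malformed binding: '$mac $ip'" >&2
            continue
        fi
        printf '%s -t mangle -A PREROUTING -s %s -m mac --mac-source %s -j MARK --set-mark 1\n' \
            "$IPT" "$ip" "$mac"
        n=$((n + 1))
    done < "$1"
    echo "$n rule(s) generated from $1" >&2
}

# Constructed sample binding list (not from the original post): two good
# entries, one MAC with a short octet, one IP with an octet above 255.
BIND_FILE=$(mktemp)
trap 'rm -f "$BIND_FILE"' EXIT
cat > "$BIND_FILE" <<'EOF'
# MAC               IP
00:11:22:33:44:55   10.10.0.10
00:11:22:33:44:66   10.10.0.11
00:11:22:33:44:6    10.10.0.12
00:11:22:33:44:77   10.10.0.300
EOF

gen_mark_rules "$BIND_FILE"
```

Run as-is it prints two iptables commands and reports the two bad lines on stderr; swapping the printf for a direct call to "$IPT" turns it into the loop the posted script uses, with the validation kept in front of it.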

Issue solved!

Post by zaib » Fri Feb 15, 2008 4:35 pm

Salam,

After continuous searching, I have managed to solve the issue by adding the following lines. :lol:
========

# These must sit ahead of the "! --mark 1" DROP in FORWARD; appended
# after it they are never reached.

# DNS from the clients to the ISA server (TCP and UDP port 53)
$IPT -A FORWARD -m state --state NEW -p tcp \
     -d 10.0.0.1 --dport 53 -j ACCEPT
$IPT -A FORWARD -p udp -d 10.0.0.1 --dport 53 -j ACCEPT
$IPT -A FORWARD -p udp -d 10.0.0.1 --sport 53 -j ACCEPT

# Replies to connections already accepted. Return traffic from the ISA
# server carries no mark unless its own MAC/IP is in the binding list,
# so this is what lets it back through to the clients.
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections arriving on eth0. This matches on interface only, not
# on the MAC/IP mark, so any host on eth0 can open connections.
$IPT -A FORWARD -m state --state NEW -i eth0 -j ACCEPT
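Where the five added rules land in the FORWARD chain decides whether they do anything, and which of them still honour the MAC/IP binding is worth checking before trusting the result. As an added example (not from either post), the shell below audits an iptables-save style dump of the FORWARD chain: it reports rules that can never be reached because they follow the "mark 1 ACCEPT / ! mark 1 DROP" pair, which between them match every packet, and ACCEPT rules that require neither the mark nor an ESTABLISHED/RELATED state. The dump is constructed here, with the first post's rules followed by the second post's additions in the order "-A" would append them; audit_forward and count_findings are names chosen for the example.

```shell
#!/bin/sh
# Added example: audit the FORWARD chain of an iptables-save dump for rules
# that are never reached and for ACCEPT rules that bypass the MAC/IP mark.

# audit_forward DUMP -> one finding per line:
#   dead: <rule>     follows the "mark 0x1 ACCEPT" + "! mark 0x1 DROP" pair,
#                    which together terminate every packet, so it never runs
#   unbound: <rule>  ACCEPT that needs neither mark 0x1 nor an
#                    ESTABLISHED/RELATED state, i.e. admits new traffic
#                    from any host regardless of the binding list
audit_forward() {
    awk '
    /^-A FORWARD / {
        if (dead) print "dead: " $0
        if ($0 ~ /-j ACCEPT$/ && $0 !~ /-m mark --mark 0x1/ && $0 !~ /ESTABLISHED/)
            print "unbound: " $0
        if ($0 ~ /-m mark --mark 0x1 -j ACCEPT$/) mark_accept = 1
        if ($0 ~ /-m mark ! --mark 0x1 -j DROP$/) mark_drop = 1
        if (mark_accept && mark_drop) dead = 1
    }' "$1"
}

# count_findings TAG DUMP -> number of findings carrying the given tag
count_findings() {
    audit_forward "$2" | grep -c "^$1:" || true
}

# Constructed dump (not captured from the poster's box): the first post's
# FORWARD rules, then the second post's additions as "-A" would append them.
DUMP=$(mktemp)
trap 'rm -f "$DUMP"' EXIT
cat > "$DUMP" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m mark --mark 0x1 -j ACCEPT
-A FORWARD -m mark --mark 0x1 -j ACCEPT
-A FORWARD -m mark ! --mark 0x1 -j DROP
-A FORWARD -d 10.0.0.1/32 -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 10.0.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 10.0.0.1/32 -p udp -m udp --sport 53 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW -j ACCEPT
COMMIT
EOF

audit_forward "$DUMP"
```

With the additions appended in that order all five are reported dead, so on a live box they have to be inserted ahead of the mark DROP (iptables -I FORWARD ...) to take effect. Once reachable, the audit still flags the three DNS rules and the "-i eth0 NEW" rule as unbound: they admit connections from any host on eth0 whatever its MAC/IP, while the ESTABLISHED,RELATED rule only passes replies to connections that were already accepted. The same function can be pointed at the output of iptables-save on the bridge itself.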

