IPTABLES - Redirection -

Postby mudasir » Mon Aug 13, 2007 3:52 am

Hi,

I have made a firewall which is basically MAC address based; now all the known MAC addresses are marked with 1 and are working fine.

Now what I want to do is to redirect all the unmarked MACs, or all unknown MACs, to this address: "192.168.1.2:81"

I tried it by DNAT like this

IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -m mark ! --mark 1 -j DNAT --to-destination 192.168.1.2:81

same with UDP.

But it is not working. Please help me out.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
mudasir
Captain
 
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Website: http://www.crystalnetworks.org
Location: Dubai

Re:

Postby LinuxFreaK » Wed Aug 15, 2007 11:09 am

Dear mudasir,

I think you need to use Source NAT instead of Destination NAT.

P.S.: Correct me if I am wrong.

Best Regards.
Farrukh Ahmed
LinuxFreaK
Site Admin
 
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
ICQ: 82075802
Website: http://www.linuxpakistan.net/wiki/index.php?pagename=LinuxFreak
WLM: f4fahmed@hotmail.com
Yahoo Messenger: f4fahmed@yahoo.com
AOL: linuxpakistan@aol.com
Location: Karachi

Re:

Postby kbukhari » Wed Aug 15, 2007 12:00 pm

LinuxFreaK wrote: I think you need to use Source NAT instead of Destination NAT.

Wrong!
mudasir wrote:
I tried it by DNAT like this

IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -m mark ! --mark 1 -j DNAT --to-destination 192.168.1.2:81

You need to define the destination port as well, i.e. you want to redirect web browsing:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m mark ! --mark 1 --dport 80 -j DNAT --to-destination 192.168.1.2:81
--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com
kbukhari
Major General
 
Posts: 1222
Joined: Sat Dec 31, 2005 12:29 am
Website: http://kashifbukhari.com
Location: Lahore

Postby mudasir » Thu Aug 16, 2007 1:08 am

Dear Kbukhari,
I have tried that rule also; it is also not working.
List of rules I have tried:

IPT=/sbin/iptables

Rule #1
$IPT -t nat -A PREROUTING -i eth0 -p tcp -d 0.0.0.0/0 --dport 80 -m mark ! --mark 1 -j DNAT --to-destination 192.168.1.2:81

Rule #2
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m mark ! --mark 1 -j DNAT --to-destination 192.168.1.2:81


Hope you understand the PROBLEM.

Looking forward to some help.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com

Postby kbukhari » Thu Aug 16, 2007 9:29 am

What is your IN interface, I mean, where are your clients connected?
--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com

Postby mudasir » Thu Aug 16, 2007 6:49 pm

Salam

I have changed my scenario a bit; now I want all the unmarked web traffic to redirect to port 80 on the SAME MACHINE (i.e. 192.168.1.1:80).

eth0=Network interface connected to Local Network
eth1=Network interface connected to DSL Modem

IP_RANGE=192.168.1.1/24
SERVER_IP=192.168.1.1

Rule I am using to MARK Packets

IPTABLES -t mangle -A PREROUTING -i eth0 -m mac --mac-source (LIST_OF_MAC_ADDRESSES) -j MARK --set-mark 1

Rule I am using to redirect all unmarked web-traffic to 192.168.1.1:80

IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -d ! 192.168.1.1/24 --dport 80 -m mark ! --mark 1 -j DNAT --to-destination 192.168.1.1:80

One more thing: when I type this address "192.168.1.1:80" without "http://", it does not open up, and when I open it with http://192.168.1.1:80 or simply http://192.168.1.1 it opens up fine.

Looking forward to some help.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com

Postby mudasir » Fri Aug 17, 2007 2:56 am

Salam to All,

Thanks for all your help, I have done it.
The way I have done it is as follows.

Redirected all Unmarked Packets to SQUID PROXY

IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m mark ! --mark 1 -j REDIRECT --to-port 8080

SQUID Configuration

acl mac-address arp "/files/macs/mac.address"
acl all src 0.0.0.0/0.0.0.0
http_access allow mac-address
http_access deny all
deny_info http://192.168.1.2:81 all

This only redirects WEB-TRAFFIC, not any other sort of traffic....
This Works Fine....Hope it might help others.....

Still want to know how I can do it purely through IPTABLES.

Looking forward to a response.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
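The ruleset the thread converges on (mark packets from known MACs in mangle/PREROUTING, then divert unmarked HTTP), as an added example that is not from the thread or any of its posters: a POSIX shell script that generates an iptables-restore file rather than calling iptables directly, so it can be reviewed and tested before loading. It covers both the working REDIRECT-to-Squid solution and the "purely through iptables" DNAT variant the last post asks about. The interface names, addresses and ports are taken from the thread; the MAC list, the function names, and the POSTROUTING SNAT rule in the DNAT variant are my additions. Two points the thread's rules gloss over: `-m mac --mac-source` takes one address per rule, so the `(LIST_OF_MAC_ADDRESSES)` placeholder has to become one rule per MAC, and when the DNAT target (192.168.1.2) sits on the same subnet as the clients, its replies go straight back to the client without passing the firewall, so the connection is never un-NATed; the SNAT rule forces the reply path back through the firewall.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for MAC-based marking plus
# HTTP diversion of unmarked clients. Values below mirror the thread; the MAC list
# is a constructed sample.

LAN_IF=eth0             # interface facing the clients (thread: eth0)
LAN_NET=192.168.1.0/24  # client subnet (thread wrote 192.168.1.1/24, same network)
FW_IP=192.168.1.1       # firewall's LAN address (thread: SERVER_IP)
PORTAL=192.168.1.2      # host serving the page for unknown MACs (thread: 192.168.1.2:81)
PORTAL_PORT=81
PROXY_PORT=8080         # Squid intercept port (thread: --to-port 8080)
KNOWN_MARK=1

# Constructed stand-in for the thread's "/files/macs/mac.address": one MAC per
# line, '#' starts a comment.
KNOWN_MACS='# known clients
00:11:22:33:44:55
aa:bb:cc:dd:ee:ff   # laptop
'

# mangle table: one MARK rule per allow-listed MAC (-m mac matches a single
# --mac-source, so a list must be expanded into separate rules).
gen_mangle() {
    printf '%s\n' '*mangle' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' "$KNOWN_MACS" | sed 's/#.*//' | tr -d ' \t' | grep -v '^$' |
    while read -r mac; do
        printf '%s\n' "-A PREROUTING -i $LAN_IF -m mac --mac-source $mac -j MARK --set-mark $KNOWN_MARK"
    done
    printf 'COMMIT\n'
}

# nat table. mode "redirect" reproduces the working solution (local Squid);
# mode "dnat" is the pure-iptables variant that sends unknown clients to the portal host.
gen_nat() {
    mode=${1:-redirect}
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    case "$mode" in
    redirect)
        printf '%s\n' "-A PREROUTING -i $LAN_IF -p tcp --dport 80 -m mark ! --mark $KNOWN_MARK -j REDIRECT --to-ports $PROXY_PORT"
        ;;
    dnat)
        # Leave LAN-local web traffic alone (as the thread's '! -d' did), divert the rest.
        printf '%s\n' "-A PREROUTING -i $LAN_IF ! -d $LAN_NET -p tcp --dport 80 -m mark ! --mark $KNOWN_MARK -j DNAT --to-destination $PORTAL:$PORTAL_PORT"
        # The portal is on the clients' own subnet, so without this its replies would
        # bypass the firewall and arrive with a source address the client never
        # connected to. SNAT to the firewall's LAN address keeps both directions here.
        printf '%s\n' "-A POSTROUTING -o $LAN_IF -s $LAN_NET -d $PORTAL -p tcp --dport $PORTAL_PORT -j SNAT --to-source $FW_IP"
        ;;
    *)
        echo "unknown mode: $mode" >&2
        return 1
        ;;
    esac
    printf 'COMMIT\n'
}

# Whole restore file; as root: gen_ruleset dnat | iptables-restore   (not executed here)
gen_ruleset() { gen_mangle; gen_nat "$1"; }

# Sanity check: number of MAC rules produced should equal the number of allow-listed MACs.
count_mac_rules() { gen_mangle | grep -c 'mac-source'; }
```

After loading, `iptables -t mangle -L PREROUTING -v -n` shows per-MAC packet counters, which is the quickest way to confirm a known client is actually being marked before blaming the nat rules. Marking happens in mangle/PREROUTING, which runs before nat/PREROUTING for the same packet, so `-m mark` in the nat rule sees the value; only the first packet of each connection is evaluated there, and conntrack carries the verdict for the rest. Note that a MAC address identifies a network card, not a person, and is easily changed by the device owner, so this ruleset is an access-control convenience rather than authentication.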
