----- Original Message -----
From: "Ron Peterson"

> First, the concept. Hand out a fake gateway address to unregistered
> computers. Said gateway uses iptables rules to reject all traffic
> except port 80. Port 80 traffic gets DNAT'd to a host (same host as
> fake gateway, in example below) which replies to port 80 traffic with a
> redirect to the URL of a registration page.

[snip]

______________
> iptables setup
>
> THISIP="10.0.0.1"
> THISNET="10.0.0.0/8"
> REGWEBIP="10.0.0.1"
> REGWEBPORT="80"
> PUB="eth0"
> IPTABLES="/sbin/iptables"
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> $IPTABLES -F
> $IPTABLES -t nat -F
>
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD ACCEPT
>
> $IPTABLES -A OUTPUT --match state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT
>
> $IPTABLES -t nat -A PREROUTING -i $PUB -p tcp --dport 80 -j \
>     DNAT --to-destination $REGWEBIP:$REGWEBPORT
> $IPTABLES -t nat -A POSTROUTING -d $REGWEBIP -p tcp --dport $REGWEBPORT -s \
>     $THISNET -j SNAT --to-source $THISIP
>
> $IPTABLES -A INPUT -d 127.0.0.1 -i lo -j ACCEPT
> $IPTABLES -A INPUT -j REJECT --reject-with icmp-net-prohibited

[snip]

I'm not sure if this is the source of your problem, but I'll mention it just in case:

The Policy (-P) options in your iptables set the default to "ACCEPT", so any screening rules which don't specifically deny access will have no effect. The DNAT will work (but see below), and your INPUT chain has a REJECT at the end, but the OUTPUT chain won't screen anything, since it is set to ACCEPT by default.

Also, I don't understand if you're DNATing traffic to the same or a different machine. If to a different machine, note that there are no rules in the FORWARD chain, but that nat is dependent on FORWARD. The INPUT and OUTPUT chains don't affect forwarded traffic, so if you want to limit your DNAT traffic to ESTABLISHED,RELATED, then you must put that rule in the FORWARD chain.
FWIW. YMMV. Bill
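As an added illustration (not Ron's script and not Bill's), here is a registration-gateway ruleset that applies both of Bill's points: default-deny policies on all three chains, and FORWARD (plus SNAT) rules when the DNAT target is a different host versus an INPUT rule when it is the gateway itself. The variable names mirror Ron's script; the registration host address 10.0.0.2 is an assumed value, and IPT and SYSCTL default to "echo ..." so the script prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Set IPT=/sbin/iptables SYSCTL=/sbin/sysctl
# and run as root to apply; by default it only prints the rules it would load.
THISIP="${THISIP:-10.0.0.1}"        # the fake gateway's own address
THISNET="${THISNET:-10.0.0.0/8}"     # network handed to unregistered clients
REGWEBIP="${REGWEBIP:-10.0.0.2}"     # registration web server (assumed separate host)
REGWEBPORT="${REGWEBPORT:-80}"
PUB="${PUB:-eth0}"
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

captive_portal_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -F
    $IPT -t nat -F
    # Default-deny on every chain: anything a rule does not explicitly
    # accept is dropped, instead of falling through to ACCEPT.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Send unregistered clients' HTTP to the registration page.
    $IPT -t nat -A PREROUTING -i "$PUB" -s "$THISNET" -p tcp --dport 80 \
        -j DNAT --to-destination "$REGWEBIP:$REGWEBPORT"
    if [ "$REGWEBIP" = "$THISIP" ]; then
        # Same host: DNAT'd packets are delivered locally, so INPUT must
        # accept the NEW connection to the registration port.
        $IPT -A INPUT -i "$PUB" -s "$THISNET" -p tcp --dport "$REGWEBPORT" \
            -m state --state NEW -j ACCEPT
    else
        # Different host: DNAT'd packets traverse FORWARD, not INPUT/OUTPUT,
        # so the one permitted forwarded flow must be allowed here.
        $IPT -A FORWARD -i "$PUB" -s "$THISNET" -d "$REGWEBIP" -p tcp \
            --dport "$REGWEBPORT" -m state --state NEW -j ACCEPT
        $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        # Source-NAT so the web host's replies route back through this gateway.
        $IPT -t nat -A POSTROUTING -d "$REGWEBIP" -p tcp --dport "$REGWEBPORT" \
            -s "$THISNET" -j SNAT --to-source "$THISIP"
    fi
    # Everything else from the clients is refused explicitly, as in Ron's script.
    $IPT -A FORWARD -j REJECT --reject-with icmp-net-prohibited
    $IPT -A INPUT -j REJECT --reject-with icmp-net-prohibited
}

captive_portal_rules
```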