Hi all,
I've a CentOS box which has two NICs; this box is also a router for the LAN subnet:
------------------------------------
| eth0 (external) 172.0.0.1        |
| eth1 (internal) 192.168.1.1      |
------------------------------------
| LAN clients (192.168.1.2+)
I want to allow http access only for two LAN boxes; and only http access, which means that other protocols such as smtp, pop3, imap and so on will be permitted. The rest of the LAN boxes will be redirected to a local http service (192.168.1.1:80).
I think the best way is creating iptables rules based on MAC address. So, the rules I've made are:
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80
Please, note the exclamation symbol, which means a logical negation.
But it seems it doesn't work correctly: all the LAN clients can surf the web.
¿?¿?¿
On Mon, Jun 25, 2007 at 06:20:04PM +0200, Jordi Espasa Clofent wrote:
> Hi all,
> I've a CentOS box which has two NICs; this box is also a router for the LAN subnet:
> | eth0 (external) 172.0.0.1 |
              ^^^^^^^^^ this is a very bad example
> | eth1 (internal) 192.168.1.1 |
> | LAN clients (192.168.1.2+)
> I want to allow http access only for two LAN boxes; and only http access, which means that other protocols such as smtp, pop3, imap and so on will be permitted. The rest of the LAN boxes will be redirected to a local http service (192.168.1.1:80).
> I think the best way is creating iptables rules based on MAC address.
Why MAC and not IP addresses?
> So, the rules I've made are:
> iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80
> iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80
> Please, note the exclamation symbol, which means a logical negation.
Yes, but ORing the two, all clients should have gone to the local http service.
The best thing, in this case, is to use chains:
iptables -t nat -N twoboxen
iptables -t nat -N others
iptables -t nat -A PREROUTING -m mac --mac-source aaaaaaaaaa -j twoboxen
iptables -t nat -A PREROUTING -m mac --mac-source bbbbbbbbbb -j twoboxen
iptables -t nat -A PREROUTING -j others
iptables -t nat -A twoboxen -j ACCEPT
iptables -t nat -A others -p tcp --dport 80 -j REDIRECT
> ^^^^^^^^^ this is a very bad example
It's an understandable example; so, it's enough.
> Why MAC and not IP addresses?
IP addresses are very easy to change. The idea is that only two specific boxes in a specific location can surf the web freely.
> Yes, but ORing the two, all clients should have gone to the local http service.
> The best thing, in this case, is to use chains:
> iptables -t nat -N twoboxen
> iptables -t nat -N others
> iptables -t nat -A PREROUTING -m mac --mac-source aaaaaaaaaa -j twoboxen
> iptables -t nat -A PREROUTING -m mac --mac-source bbbbbbbbbb -j twoboxen
> iptables -t nat -A PREROUTING -j others
> iptables -t nat -A twoboxen -j ACCEPT
> iptables -t nat -A others -p tcp --dport 80 -j REDIRECT
I think this is a "large" solution. Two iptables code lines should be enough. I've modified the lines:
iptables -t nat -A OUTPUT -p tcp -i eth1 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80
iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80
Of course, thank you for your help and comments Luciano. ;)
On Mon, Jun 25, 2007 at 09:46:22PM +0200, Jordi Espasa Clofent wrote:
>> ^^^^^^^^^ this is a very bad example
> It's an understandable example; so, it's enough.
127.x is always private to each host, so it is confusing. I just assumed it was one address that just came to your mind.
>> Why MAC and not IP addresses?
> IP addresses are very easy to change. The idea is that only two specific boxes in a specific location can surf the web freely.
MAC addresses are easy too, only less known.
>> Yes, but ORing the two, all clients should have gone to the local http service.
>> The best thing, in this case, is to use chains:
>> iptables -t nat -N twoboxen
>> iptables -t nat -N others
>> iptables -t nat -A PREROUTING -m mac --mac-source aaaaaaaaaa -j twoboxen
>> iptables -t nat -A PREROUTING -m mac --mac-source bbbbbbbbbb -j twoboxen
>> iptables -t nat -A PREROUTING -j others
>> iptables -t nat -A twoboxen -j ACCEPT
>> iptables -t nat -A others -p tcp --dport 80 -j REDIRECT
> I think this is a "large" solution. Two iptables code lines should be enough. I've modified the lines:
> iptables -t nat -A OUTPUT -p tcp -i eth1 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80
> iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80
Two of these for each of the two hosts? That's what I don't understand.
Let's suppose you have hosts A, B, C, D, E, and want only A and B to have access to the web. So, the rules would look like:
1. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! mac(host A) --dport 80 -j DNAT --to-destination 192.168.1.1:80
2. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! mac(host B) --dport 80 -j DNAT --to-destination 192.168.1.1:80
Ditto for -A OUTPUT.
So, what happens when C, D or E send a packet? They don't match any mac address, so they will be DNAT'ed to 192.168.1.1.
What about A? It doesn't match rule 1, but it matches rule 2, so it will be DNAT'ed also.
And host B? It matches rule 1, so it is DNAT'ed.
Thus the use of chains, to send each host to the proper chain and there do the work (dnat or don't dnat).
> Of course, thank you for your help and comments Luciano. ;)
Not at all. :)
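To check the reasoning in the reply above, here is a small added model (not code from the thread) of first-match rule evaluation in the nat PREROUTING chain, run over both rule sets: the two negated --mac-source rules and the chain-based layout. The MAC addresses, host letters and the evaluate/web_verdicts helpers are my own constructed assumptions.

```python
# Added example (not from the thread): a small model of first-match rule
# evaluation in nat PREROUTING, comparing the two rule sets discussed above.
# MAC addresses are constructed placeholders.
MAC_A = "00:11:22:33:44:aa"   # host A, may surf the web
MAC_B = "00:11:22:33:44:bb"   # host B, may surf the web
MAC_C = "00:11:22:33:44:cc"   # host C, must be sent to 192.168.1.1:80

def evaluate(chains, packet, chain="PREROUTING"):
    """Walk one chain first-match style. A rule may carry 'mac' (with
    'negate' for '! --mac-source'), 'dport', and a 'target' that is ACCEPT,
    DNAT, REDIRECT or a user chain. Returns 'DNAT', 'REDIRECT' or 'PASS'."""
    for rule in chains[chain]:
        if "mac" in rule:
            hit = packet["mac"] == rule["mac"]
            if rule.get("negate"):
                hit = not hit          # '!' inverts the MAC test only
            if not hit:
                continue
        if "dport" in rule and packet["dport"] != rule["dport"]:
            continue
        target = rule["target"]
        if target in ("DNAT", "REDIRECT"):
            return target
        if target == "ACCEPT":
            return "PASS"              # ACCEPT in nat ends NAT processing
        verdict = evaluate(chains, packet, target)   # jump to user chain
        if verdict != "RETURN":
            return verdict
    return "RETURN" if chain != "PREROUTING" else "PASS"

# Original attempt: one '! --mac-source' rule per allowed host. Every host
# satisfies at least one of the two negations, so all of them get DNAT'ed.
NEGATED = {"PREROUTING": [
    {"mac": MAC_A, "negate": True, "dport": 80, "target": "DNAT"},
    {"mac": MAC_B, "negate": True, "dport": 80, "target": "DNAT"},
]}

# Chain-based layout from the thread: classify by MAC first, then act.
CHAINS = {
    "PREROUTING": [{"mac": MAC_A, "target": "twoboxen"},
                   {"mac": MAC_B, "target": "twoboxen"},
                   {"target": "others"}],
    "twoboxen": [{"target": "ACCEPT"}],
    "others": [{"dport": 80, "target": "REDIRECT"}],
}

def web_verdicts(chains):
    # Verdict for a port-80 packet from each of hosts A, B and C.
    return {h: evaluate(chains, {"mac": m, "dport": 80})
            for h, m in (("A", MAC_A), ("B", MAC_B), ("C", MAC_C))}
```

Non-HTTP traffic (for example port 25) passes untouched under both layouts; only the port-80 verdicts differ.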
> 127.x is always private to each host, so it is confusing. I just assumed it was one address that just came to your mind.
Ok. It's a typo: I wanted to write 172.26.0.0/24 :P
> MAC addresses are easy too, only less known.
Yes, of course, at least for advanced users or sysadmins. But in this case the LAN clients are Win machines with "normal" users. I think they don't even know what a MAC address is.
> Two of these for each of the two hosts? That's what I don't understand.
> Let's suppose you have hosts A, B, C, D, E, and want only A and B to have access to the web. So, the rules would look like:
> 1. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! mac(host A) --dport 80 -j DNAT --to-destination 192.168.1.1:80
> 2. iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! mac(host B) --dport 80 -j DNAT --to-destination 192.168.1.1:80
> Ditto for -A OUTPUT.
> So, what happens when C, D or E send a packet? They don't match any mac address, so they will be DNAT'ed to 192.168.1.1.
> What about A? It doesn't match rule 1, but it matches rule 2, so it will be DNAT'ed also.
> And host B? It matches rule 1, so it is DNAT'ed.
> Thus the use of chains, to send each host to the proper chain and there do the work (dnat or don't dnat).
Now I see it! You are completely right: I had misunderstood the process, so using chains will be the correct strategy.
;)