Hello - I am a complete iptables newbie who is trying to re-write a wireless hotspot script that I found on the net to control internet access for our library patrons. I found the script at: http://www.feedface.com/folkert/study/hotspot/src/firewall.sh.txt I am trying to re-write it so that I can use squid and dansguardian to proxy and filter the web. I need it to transparently proxy. I have a system set up now that uses squid to grant or deny access, but it can only block web access; my need is for a firewall that can block all network access so that a given PC can't chat or play online games, as well as surf the net, after its time has run out. The script, as far as I have gotten, works well. When I fire it up, my test PC can't go anywhere except the sign-up page (which it is redirected to no matter what), and when I add the PC to the access list (by typing firewall.sh add <ip> <mac>), that PC is able to surf. My problem comes in when I try to do the transparent proxy part. When I try to add the rule: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 to the script, it does not work, and dansguardian will not even start. I have played around with various permutations of this rule, and have gotten nowhere. Can anybody help?
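Thanks - Mark Ehle ======= Following is the script (firewall.sh) as far as I have it:

#!/bin/bash
###############################################################################
# name: firewall.sh
# author: Mark Ehle
# date: 03-30-05
# with much thanks given to Folkert Saathoff at http://www.feedface.com/folkert
#
# Captive-portal style hotspot firewall for a gateway with a LAN interface
# ($LAN_INT) and an external interface ($EXT_INT).  Unauthenticated LAN
# clients have all tcp/80 and tcp/443 traffic DNATed to the gateway (the
# sign-up page); clients registered with "firewall.sh add IP MAC" are
# forwarded and SNATed to the external address instead.
#
# usage: firewall.sh reset | firewall.sh add IP MAC | firewall.sh del IP MAC
# Must run as root (it loads modules, writes /proc and calls iptables).
###############################################################################

#===========================
# variables
#===========================
# command-line arguments; missing ones default to empty so that the usage
# checks below see an empty string rather than an unset variable
COMMAND=$0
ACTION=${1-}
IP=${2-}
MAC=${3-}

# program locations
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
DEPMOD=/sbin/depmod

# Local Network variables
LAN_GW="10.0.0.1"
LAN_NET="10.0.0.0/8"
LAN_INT="eth1"

# External network variables
EXT_INT_IP="<insert external interface ip here>"
EXT_INT="eth0"

#Name Server IP
NS="insert Name server ip here"

#===========================
# subroutines
#===========================

#######################################
# Load the netfilter kernel modules this script relies on.
# Globals:   DEPMOD, MODPROBE (read)
# Arguments: none
#######################################
load_modules() {
  # The module names must be separate words.  The original quoted the whole
  # list as one string, so the loop ran once and modprobe received
  # "ip_conntrack" followed by the other names as module *options*.
  local -a modules=(ip_conntrack ip_tables iptable_filter iptable_mangle
                    iptable_nat ipt_LOG ipt_limit ipt_MASQUERADE)
  local module
  "$DEPMOD" -a
  for module in "${modules[@]}"; do
    "$MODPROBE" "$module"
  done
  return
}

#######################################
# Turn on IPv4 routing between the interfaces.
#######################################
start_ip_forwarding() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
  return
}

#######################################
# Print the top-level usage text and exit with status 1.
# Globals:   COMMAND (read)
#######################################
show_usage() {
  echo "usage:" >&2
  echo "$COMMAND reset" >&2
  echo "$COMMAND add IP MAC" >&2
  echo "$COMMAND del IP MAC" >&2
  exit 1
}

#######################################
# Abort when an iptables call fails.
# Globals:   ACTION (read)
# Arguments: $1 - exit status of the failed iptables call (informational)
# Returns:   never; exits with status 1
#######################################
fferror() {
  echo "^_^'" >&2
  echo "error setting netfilter: $ACTION" >&2
  exit 1
}

#######################################
# Flush rules (-F), delete user chains (-X) and zero counters (-Z) in the
# filter, nat and mangle tables.
# Globals:   IPTABLES (read)
#######################################
flush_tables() {
  local table switch
  for table in filter nat mangle; do
    for switch in F X Z; do
      "$IPTABLES" -t "$table" "-$switch"
    done
  done
  return
}

#######################################
# Create the per-client chains and set DROP as the default policy.
# Globals:   IPTABLES (read)
#######################################
create_new_chains() {
  #filter chain for accepting authenticated clients
  "$IPTABLES" -t filter -N fclient
  #nat chain for not rerouting authenticated clients (ACCEPT here ends
  #nat PREROUTING processing for the packet)
  "$IPTABLES" -t nat -N dclient
  #nat chain for routing (SNAT) from authenticated clients
  "$IPTABLES" -t nat -N sclient

  #default filter policy is DROP
  "$IPTABLES" -t filter -P INPUT DROP
  "$IPTABLES" -t filter -P OUTPUT DROP
  "$IPTABLES" -t filter -P FORWARD DROP
  return
}

#######################################
# Rebuild the complete rule set from scratch.
# Globals:   IPTABLES, LAN_GW, LAN_NET, LAN_INT, EXT_INT, EXT_INT_IP, NS (read)
#######################################
reset_firewall() {
  local port chain

  load_modules
  start_ip_forwarding
  flush_tables
  create_new_chains

  #allow all local traffic
  # Linux names the loopback interface "lo" ("lo0" is the BSD name); with
  # "lo0" these rules never match and loopback traffic falls through to the
  # final REJECT.
  "$IPTABLES" -t filter -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -t filter -A OUTPUT -o lo -j ACCEPT

  #allow all icmp traffic self<->lan
  "$IPTABLES" -t filter -A INPUT -i "$LAN_INT" -s "$LAN_NET" -d "$LAN_GW" -p icmp -j ACCEPT
  "$IPTABLES" -t filter -A OUTPUT -o "$LAN_INT" -s "$LAN_GW" -d "$LAN_NET" -p icmp -j ACCEPT

  #allow all icmp traffic self<->inet
  "$IPTABLES" -t filter -A INPUT -i "$EXT_INT" -d "$EXT_INT_IP" -p icmp -j ACCEPT
  "$IPTABLES" -t filter -A OUTPUT -o "$EXT_INT" -s "$EXT_INT_IP" -p icmp -j ACCEPT

  #allow dhcp traffic self<->lan
  "$IPTABLES" -t filter -A INPUT -i "$LAN_INT" -s 0.0.0.0/0 -d 255.255.255.255 -p udp --dport 67:68 -j ACCEPT
  "$IPTABLES" -t filter -A OUTPUT -o "$LAN_INT" -s "$LAN_GW" -d "$LAN_NET" -p udp --sport 67:68 -j ACCEPT

  #allow all web traffic self<->lan
  # NOTE(review): only these two ports reach the gateway from the LAN.  A
  # transparent proxy listening on another port (e.g. the 8080 of a
  # REDIRECT --to-ports 8080) needs its own INPUT --dport / OUTPUT --sport
  # ACCEPT pair here, and the proxy's own outbound fetches need an OUTPUT
  # rule on $EXT_INT (the OUTPUT policy is DROP and no such rule exists).
  for port in 80 443; do
    "$IPTABLES" -t filter -A INPUT -i "$LAN_INT" -s "$LAN_NET" -d "$LAN_GW" -p tcp --dport "$port" -j ACCEPT
    "$IPTABLES" -t filter -A OUTPUT -o "$LAN_INT" -s "$LAN_GW" -d "$LAN_NET" -p tcp --sport "$port" -j ACCEPT
  done

  #allow all ssh and smb traffic to/from self
  for port in 22 139; do
    "$IPTABLES" -t filter -A INPUT -p tcp --dport "$port" -j ACCEPT
    "$IPTABLES" -t filter -A OUTPUT -p tcp --sport "$port" -j ACCEPT
  done

  # allow dns
  "$IPTABLES" -t filter -A OUTPUT -o "$EXT_INT" -s "$EXT_INT_IP" -d "$NS" -p udp --dport 53 -j ACCEPT
  "$IPTABLES" -t filter -A INPUT -i "$EXT_INT" -s "$NS" -d "$EXT_INT_IP" -p udp --sport 53 -j ACCEPT
  "$IPTABLES" -t filter -A FORWARD -i "$LAN_INT" -o "$EXT_INT" -s "$LAN_NET" -d "$NS" -p udp --dport 53 -j ACCEPT
  "$IPTABLES" -t filter -A FORWARD -i "$EXT_INT" -o "$LAN_INT" -s "$NS" -d "$LAN_NET" -p udp --sport 53 -j ACCEPT

  #enable source network address translation for dns
  "$IPTABLES" -t nat -A POSTROUTING -s "$LAN_NET" -p udp --dport 53 -d "$NS" -o "$EXT_INT" -j SNAT --to "$EXT_INT_IP"

  #check for allowed clients -> inet
  "$IPTABLES" -t filter -A FORWARD -i "$LAN_INT" -o "$EXT_INT" -s "$LAN_NET" -j fclient

  #reject all other clients
  "$IPTABLES" -t filter -A FORWARD -i "$LAN_INT" -o "$EXT_INT" -s "$LAN_NET" -j REJECT --reject-with icmp-net-prohibited

  #allow established connections lan<->inet
  "$IPTABLES" -t filter -A FORWARD -i "$EXT_INT" -o "$LAN_INT" -d "$LAN_NET" -m state --state ESTABLISHED -j ACCEPT

  #snat traffic from authenticated clients
  # ("-d ! NET" is the old negation syntax kept from the original; current
  # iptables releases prefer "! -d NET")
  "$IPTABLES" -t nat -A POSTROUTING -s "$LAN_NET" -d ! "$LAN_NET" -j sclient

  #do not dnat traffic from authenticated clients
  # NOTE(review): a transparent-proxy REDIRECT for authenticated clients
  # must be inserted *before* this jump (or placed inside dclient in place
  # of its ACCEPT), because ACCEPT in nat PREROUTING ends the chain for
  # that packet; a REDIRECT appended after this line is never reached by
  # authenticated clients, while unauthenticated ones are already DNATed
  # to $LAN_GW by the loop below.
  "$IPTABLES" -t nat -A PREROUTING -i "$LAN_INT" -d ! "$LAN_GW" -j dclient

  #enable dnat to self for all web traffic
  for port in 80 443; do
    "$IPTABLES" -t nat -A PREROUTING -i "$LAN_INT" -d ! "$LAN_GW" -p tcp --dport "$port" -j DNAT --to "$LAN_GW"
  done

  #add default REJECT rule (just more polite than DROP)
  for chain in INPUT OUTPUT FORWARD; do
    "$IPTABLES" -t filter -A "$chain" -j REJECT
  done
  return
}

#######################################
# Usage text for "add"; exits with status 1.
#######################################
add_usage() {
  echo "usage:" >&2
  echo "$COMMAND add IP MAC" >&2
  exit 1
}

#######################################
# Usage text for "del"; exits with status 1.
#######################################
del_usage() {
  echo "usage:" >&2
  echo "$COMMAND del IP MAC" >&2
  exit 1
}

#######################################
# Apply the three per-client rules with the given iptables operation.
# Shared by run_add (-A) and run_del (-D) so the two never drift apart.
# Globals:   IPTABLES, IP, MAC, LAN_NET, EXT_INT_IP (read)
# Arguments: $1 - iptables rule operation, "-A" or "-D"
# Returns:   0; calls fferror (exit 1) on the first failing iptables call
#######################################
client_rules() {
  local op=$1
  # -m mac only matches in PREROUTING/INPUT/FORWARD; fclient is reached from
  # FORWARD and dclient from nat PREROUTING, so both uses are valid.
  "$IPTABLES" -t filter "$op" fclient -s "$IP" -m mac --mac-source "$MAC" -j ACCEPT || fferror $?
  "$IPTABLES" -t nat "$op" dclient -s "$IP" -m mac --mac-source "$MAC" -j ACCEPT || fferror $?
  "$IPTABLES" -t nat "$op" sclient -s "$IP" -d ! "$LAN_NET" -j SNAT --to "$EXT_INT_IP" || fferror $?
  return 0
}

#######################################
# Register a client (IP + MAC) as authenticated.
# Globals:   IP, MAC (read)
#######################################
run_add() {
  # the original called undefined show_addclient_usage here
  [ -n "$IP" ] || add_usage
  [ -n "$MAC" ] || add_usage
  #add client
  client_rules -A
  echo "added Client: IP $IP MAC $MAC"
  return
}

#######################################
# Remove a client's authenticated-client rules.
# Globals:   IP, MAC (read)
#######################################
run_del() {
  # the original called undefined show_delClient_usage here
  [ -n "$IP" ] || del_usage
  [ -n "$MAC" ] || del_usage
  #delete client
  client_rules -D
  echo "removed Client: IP $IP MAC $MAC"
  return
}

#===========================
# Main
#===========================
case "$ACTION" in
  reset ) reset_firewall ;;
  add   ) run_add ;;
  del   ) run_del ;;
  *     ) show_usage ;;
esac
exit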