On Thu, 2005-03-31 at 15:37 -0500, mark@xxxxxxxxxxxxxxxxxx wrote:
> Hello -
>
> I am a complete iptables newbie who is trying to re-write a wireless hotspot
> script that I found on the net to control internet access for our library patrons.
>
> I found the script at:
>
> http://www.feedface.com/folkert/study/hotspot/src/firewall.sh.txt
>
> I am trying to re-write it so that I can use squid and dansguardian to proxy and
> filter the web. I need it to transparently proxy. I have a system set up now
> that uses squid to grant or deny access, but it can only block web access; my
> need is for a firewall that can block all network access so that a given PC
> can't chat or play online games as well as surf the net after time has run out.
>
> The script, as far as I have gotten, works well. When I fire it up, my test PC
> can't go anywhere except the sign up page (which it is redirected to no matter
> what), and when I add the PC to the access list (by typing firewall.sh add <ip>
> <mac>), that PC is able to surf.
>
> My problem comes in when I try to do the transparent proxy part. When I try to
> add the rule:
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
>
> to the script, it does not work, and dansguardian will not even start. I have
> played around with various permutations of this rule, and have gotten nowhere.
>
> Can anybody help?
>
> Thanks -
>
> Mark Ehle
> =======
> Following is the script (firewall.sh) as far as I have it:
>
> #!/bin/bash
>
> ###############################################################################
> # name: firewall.sh
> # author: Mark Ehle
> # date: 03-30-05
> # with much thanks given to Folkert Saathoff at http://www.feedface.com/folkert
> ###############################################################################
>
> #===========================
> # variables
> #===========================
>
> # command-line arguments
> COMMAND=$0
> ACTION=$1
> IP=$2
> MAC=$3
>
> # program locations
> IPTABLES=/sbin/iptables
> MODPROBE=/sbin/modprobe
> DEPMOD=/sbin/depmod
>
> # Local Network variables
> LAN_GW="10.0.0.1"
> LAN_NET="10.0.0.0/8"
> LAN_INT="eth1"
>
> # External network variables
> EXT_INT_IP="<insert external interface ip here>"
> EXT_INT="eth0"
>
> #Name Server IP
> NS="insert Name server ip here"
>
> #===========================
> # subroutines
> #===========================
> load_modules() {
>     $DEPMOD -a
>     # module list left unquoted so the loop sees one module name per iteration
>     for module in ip_conntrack ip_tables iptable_filter iptable_mangle \
>                   iptable_nat ipt_LOG ipt_limit ipt_MASQUERADE; do
>         $MODPROBE $module
>     done
>     return
> }
>
> start_ip_forwarding() {
>     echo 1 > /proc/sys/net/ipv4/ip_forward
>     return
> }
>
> show_usage()
> {
>     echo "usage:"
>     echo "$COMMAND reset"
>     echo "$COMMAND add IP MAC"
>     echo "$COMMAND del IP MAC"
>     exit 1;
> }
>
> fferror()
> {
>     echo "^_^'"
>     echo "error setting netfilter: $ACTION"
>     exit 1
> }
>
> flush_tables() {
>     for TABLE in filter nat mangle; do
>         for SWITCH in F X Z; do
>             $IPTABLES -t $TABLE -$SWITCH
>         done
>     done
>     return
> }
>
> create_new_chains() {
>     #filter chain for accepting authenticated clients
>     $IPTABLES -t filter -N fclient
>     #filter chain for not rerouting authenticated clients
>     $IPTABLES -t nat -N dclient
>     #filter chain for routing from authenticated clients
>     $IPTABLES -t nat -N sclient
>
>     #default filter policy is DROP
>     $IPTABLES -t filter -P INPUT DROP
>     $IPTABLES -t filter -P OUTPUT DROP
>     $IPTABLES -t filter -P FORWARD DROP
>
>     return
> }
>
> reset_firewall() {
>
>     load_modules
>     start_ip_forwarding
>     flush_tables
>     create_new_chains
>
>     #allow all local traffic
>     $IPTABLES -t filter -A INPUT -i lo0 -j ACCEPT
>     $IPTABLES -t filter -A OUTPUT -o lo0 -j ACCEPT
>
>     #allow all icmp traffic self<->lan
>     $IPTABLES -t filter -A INPUT -i $LAN_INT -s $LAN_NET -d $LAN_GW -p icmp -j ACCEPT
>     $IPTABLES -t filter -A OUTPUT -o $LAN_INT -s $LAN_GW -d $LAN_NET -p icmp -j ACCEPT
>
>     #allow all icmp traffic self<->inet
>     $IPTABLES -t filter -A INPUT -i $EXT_INT -d $EXT_INT_IP -p icmp -j ACCEPT
>     $IPTABLES -t filter -A OUTPUT -o $EXT_INT -s $EXT_INT_IP -p icmp -j ACCEPT
>
>     #allow dhcp traffic self<->lan
>     $IPTABLES -t filter -A INPUT -i $LAN_INT -s 0.0.0.0/0 -d 255.255.255.255 -p udp --dport 67:68 -j ACCEPT
>     $IPTABLES -t filter -A OUTPUT -o $LAN_INT -s $LAN_GW -d $LAN_NET -p udp --sport 67:68 -j ACCEPT
>
>     #allow all web traffic self<->lan
>     for PORT in 80 443; do
>         $IPTABLES -t filter -A INPUT -i $LAN_INT -s $LAN_NET -d $LAN_GW -p tcp --dport $PORT -j ACCEPT
>         $IPTABLES -t filter -A OUTPUT -o $LAN_INT -s $LAN_GW -d $LAN_NET -p tcp --sport $PORT -j ACCEPT
>     done
>
>     #allow all ssh and smb traffic to/from self
>     for PORT in 22 139; do
>         $IPTABLES -t filter -A INPUT -p tcp --dport $PORT -j ACCEPT
>         $IPTABLES -t filter -A OUTPUT -p tcp --sport $PORT -j ACCEPT
>     done
>
>     # allow dns
>     $IPTABLES -t filter -A OUTPUT -o $EXT_INT -s $EXT_INT_IP -d $NS -p udp --dport 53 -j ACCEPT
>     $IPTABLES -t filter -A INPUT -i $EXT_INT -s $NS -d $EXT_INT_IP -p udp --sport 53 -j ACCEPT
>     $IPTABLES -t filter -A FORWARD -i $LAN_INT -o $EXT_INT -s $LAN_NET -d $NS -p udp --dport 53 -j ACCEPT
>     $IPTABLES -t filter -A FORWARD -i $EXT_INT -o $LAN_INT -s $NS -d $LAN_NET -p udp --sport 53 -j ACCEPT
>
>     #enable source network address translation for dns
>     $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -p udp --dport 53 -d $NS -o $EXT_INT -j SNAT --to $EXT_INT_IP
>
>     #check for allowed clients -> inet
>     $IPTABLES -t filter -A FORWARD -i $LAN_INT -o $EXT_INT -s $LAN_NET -j fclient
>     #reject all other clients
>     $IPTABLES -t filter -A FORWARD -i $LAN_INT -o $EXT_INT -s $LAN_NET -j REJECT --reject-with icmp-net-prohibited
>
>     #allow established connections lan<->inet
>     $IPTABLES -t filter -A FORWARD -i $EXT_INT -o $LAN_INT -d $LAN_NET -m state --state ESTABLISHED -j ACCEPT
>
>     #snat traffic from authenticated clients
>     $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -d ! $LAN_NET -j sclient
>
>     #do not dnat traffic from authenticated clients
>     $IPTABLES -t nat -A PREROUTING -i $LAN_INT -d ! $LAN_GW -j dclient
>
>     #enable dnat to self for all web traffic
>     for PORT in 80 443; do
>         $IPTABLES -t nat -A PREROUTING -i $LAN_INT -d ! $LAN_GW -p tcp --dport $PORT -j DNAT --to $LAN_GW
>     done
>
>     #add default REJECT rule (just more polite than DROP)
>     for CHAIN in INPUT OUTPUT FORWARD; do
>         $IPTABLES -t filter -A $CHAIN -j REJECT;
>     done
>     return
>
> }
>
> add_usage() {
>     echo "usage:"
>     echo "$COMMAND add IP MAC"
>     exit 1;
> }
>
> run_add() {
>     # both arguments are required; add_usage exits if either is missing
>     [ "ff"$IP != "ff" ] || add_usage; [ "ff"$MAC != "ff" ] || add_usage
>     #add client
>
>     $IPTABLES -t filter -A fclient -s $IP -m mac --mac-source $MAC -j ACCEPT || fferror $?
>     $IPTABLES -t nat -A dclient -s $IP -m mac --mac-source $MAC -j ACCEPT || fferror $?
>     $IPTABLES -t nat -A sclient -s $IP -d ! $LAN_NET -j SNAT --to $EXT_INT_IP || fferror $?
>     echo "added Client: IP $IP MAC $MAC";
>     return
> }
>
> del_usage() {
>     echo "usage:"
>     echo "$COMMAND del IP MAC"
>     exit 1;
> }
>
> run_del() {
>     # both arguments are required; del_usage exits if either is missing
>     [ "ff"$IP != "ff" ] || del_usage; [ "ff"$MAC != "ff" ] || del_usage
>     #delete client
>     $IPTABLES -t filter -D fclient -s $IP -m mac --mac-source $MAC -j ACCEPT || fferror $?
>     $IPTABLES -t nat -D dclient -s $IP -m mac --mac-source $MAC -j ACCEPT || fferror $?
>     $IPTABLES -t nat -D sclient -s $IP -d ! $LAN_NET -j SNAT --to $EXT_INT_IP || fferror $?
>     echo "removed Client: IP $IP MAC $MAC";
>     return
> }
>
> #===========================
> # Main
> #===========================
>
> case "$ACTION" in
>     reset ) reset_firewall;;
>     add ) run_add;;
>     del ) run_del;;
>     * ) show_usage;;
> esac
>
> exit

This may be a silly, off the cuff reply, but, in your rules allowing traffic within the gateway, do you want interface lo0 as you have written or lo?
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

If you would like to participate in the development of an open source enterprise class network security management system, please visit http://iscs.sourceforge.net
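An added example, not part of Mark's script or John's reply, showing where a transparent-proxy REDIRECT fits into this script's rule order. It rests on two facts about the script as posted: the filter INPUT and OUTPUT policies are DROP, so the gateway must explicitly accept client connections to the proxy port and let the proxy fetch from the internet; and ACCEPT inside the nat dclient chain ends PREROUTING traversal for that packet, so a REDIRECT appended to PREROUTING after the jump to dclient is never reached by an authenticated client (unauthenticated clients' port-80 traffic has already been DNATed to the sign-up page). Assumptions: squid/dansguardian listen on 8080 on the gateway, the external address is a placeholder, and IPTABLES defaults to "echo iptables" so the rules are printed rather than installed.

```bash
#!/bin/bash
# Added example (not the thread's code). Variable names follow firewall.sh.
# IPTABLES defaults to a dry run that prints each rule instead of installing it;
# run with IPTABLES=/sbin/iptables as root to apply for real.
IPTABLES=${IPTABLES:-"echo iptables"}
LAN_GW="10.0.0.1"
LAN_NET="10.0.0.0/8"
LAN_INT="eth1"
EXT_INT="eth0"
EXT_INT_IP=${EXT_INT_IP:-"192.0.2.1"}   # placeholder external address
PROXY_PORT=8080                          # assumed squid/dansguardian listening port

# One-time rules for reset_firewall, after the "allow all web traffic self<->lan"
# loop: with INPUT/OUTPUT policy DROP, clients could not reach the proxy port
# and the proxy could not fetch pages from the internet without these.
proxy_host_rules() {
    $IPTABLES -t filter -A INPUT -i $LAN_INT -s $LAN_NET -d $LAN_GW -p tcp --dport $PROXY_PORT -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o $LAN_INT -s $LAN_GW -d $LAN_NET -p tcp --sport $PROXY_PORT -j ACCEPT
    for PORT in 80 443; do
        $IPTABLES -t filter -A OUTPUT -o $EXT_INT -s $EXT_INT_IP -p tcp --dport $PORT -j ACCEPT
    done
    $IPTABLES -t filter -A INPUT -i $EXT_INT -d $EXT_INT_IP -p tcp -m state --state ESTABLISHED -j ACCEPT
}

# Per-client rules for run_add, replacing the single "-A dclient ... -j ACCEPT":
# the port-80 REDIRECT must come before the client's ACCEPT, because ACCEPT in
# this user chain terminates nat PREROUTING for the packet. After REDIRECT the
# destination is the LAN interface address, which the INPUT rule above matches.
proxy_client_rules() {
    local ip=$1 mac=$2
    $IPTABLES -t nat -A dclient -s $ip -m mac --mac-source $mac -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
    $IPTABLES -t nat -A dclient -s $ip -m mac --mac-source $mac -j ACCEPT
}

# Dry-run demonstration with a constructed client IP and MAC.
proxy_host_rules
proxy_client_rules 10.0.0.55 00:11:22:33:44:55
```

run_del would then need to delete both dclient rules for the client, not just the ACCEPT.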