Configuration question

Hi there,

I'm new to netfilter, so please excuse my dumb questions. I'm working on a captive portal appliance and have some issues understanding how to alter the netfilter config to do what I expect:

- Eth0 connected to the internet (192.168.70.0/24)
- Eth1 connected to a wireless network (192.168.69.0/24)
- Eth2 connected to an enterprise network (172.19.58.128/26)

I'm already using this captive portal that is working; wireless clients are authenticated, then have access to the internet. Domain authentication is done using the Eth2 interface to the enterprise LDAP catalog. I've not done this config and don't really understand how it works.

What I want to achieve may look really simple to you: I need to have access to the appliance from the enterprise network (Eth2) on the ssh and https ports.

Here is the config file:



# Generated by iptables-save v1.4.5 on Wed Mar  3 12:34:48 2010
*raw
:PREROUTING ACCEPT [2728479:934194667]
:OUTPUT ACCEPT [1108062:571157557]
COMMIT
# Completed on Wed Mar  3 12:34:48 2010
# Generated by iptables-save v1.4.5 on Wed Mar  3 12:34:48 2010
*nat
:PREROUTING ACCEPT [1288:104586]
:POSTROUTING ACCEPT [6:578]
:OUTPUT ACCEPT [16:1243]
-A PREROUTING ! -d 192.168.69.1/32 -i tun0 -p tcp -m tcp --dport 80 -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert2 -- ACCEPT "
-A PREROUTING ! -d 192.168.69.1/32 -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -d 192.168.69.1/32 -i tun0 -p tcp -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Mar  3 12:34:48 2010
# Generated by iptables-save v1.4.5 on Wed Mar  3 12:34:48 2010
*mangle
:PREROUTING ACCEPT [2728480:934194946]
:INPUT ACCEPT [1141791:637901737]
:FORWARD ACCEPT [483271:145278163]
:OUTPUT ACCEPT [1108063:571157645]
:POSTROUTING ACCEPT [1586481:716229937]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -d 192.168.69.1/32 -i tun0 -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
# Completed on Wed Mar  3 12:34:48 2010
# Generated by iptables-save v1.4.5 on Wed Mar  3 12:34:48 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [685:203841]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth1 -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "
-A INPUT -i eth1 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -s 192.168.69.0/24 -i tun0 -j ULOG --ulog-prefix "RULE Antispoof1 -- DENY "
-A INPUT ! -s 192.168.69.0/24 -i tun0 -j DROP
-A INPUT -s 192.168.69.0/24 -i eth0 -j ULOG --ulog-prefix "RULE Antispoof2 -- DENY "
-A INPUT -s 192.168.69.0/24 -i eth0 -j DROP
-A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
-A INPUT -s 192.168.69.0/24 -i tun0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -s 192.168.69.0/24 -i tun0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport ssh -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 8080 -m mark --mark 0x1 -j DROP
-A INPUT -i tun0 -p tcp -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -i tun0 -j ULOG --ulog-prefix "RULE rej-int -- REJECT "
-A INPUT -i eth0 -j ULOG --ulog-prefix "RULE rej-ext -- REJECT "
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i tun0 -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert1 -- ACCEPT "
-A FORWARD -i tun0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tun0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Mar  3 12:34:48 2010


I've added those lines:

-A INPUT -i eth2 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport ssh -j ACCEPT

...but no luck.

Can someone give me a hand here?

Kind regards,
JD.
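When a rule "does nothing", the first check is where in the chain a given packet actually lands, because netfilter takes the first terminating match and ULOG is non-terminating. The script below is an added example, not code from the original post or from the netfilter project: a small first-match simulator that reads the posted INPUT chain (embedded here as constructed input, copied from the dump above) and reports which rule number and verdict a described packet hits. It implements only the matches that appear in the posted rules, with simplified semantics noted in the comments (no connection tracking, a hand-made service-name table instead of /etc/services, no routing), and the packet descriptions are constructed.

```python
"""First-match simulator for the INPUT chain of an iptables-save dump (added example)."""
import ipaddress
import shlex

# Assumption: tiny service-name table standing in for /etc/services.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # ULOG is non-terminating: walk continues

# Constructed input: the *filter INPUT chain exactly as posted above.
INPUT_CHAIN = """
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth1 -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "
-A INPUT -i eth1 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -s 192.168.69.0/24 -i tun0 -j ULOG --ulog-prefix "RULE Antispoof1 -- DENY "
-A INPUT ! -s 192.168.69.0/24 -i tun0 -j DROP
-A INPUT -s 192.168.69.0/24 -i eth0 -j ULOG --ulog-prefix "RULE Antispoof2 -- DENY "
-A INPUT -s 192.168.69.0/24 -i eth0 -j DROP
-A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
-A INPUT -s 192.168.69.0/24 -i tun0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -s 192.168.69.0/24 -i tun0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport ssh -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 8080 -m mark --mark 0x1 -j DROP
-A INPUT -i tun0 -p tcp -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -i tun0 -j ULOG --ulog-prefix "RULE rej-int -- REJECT "
-A INPUT -i eth0 -j ULOG --ulog-prefix "RULE rej-ext -- REJECT "
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
"""


def parse_chain(text):
    """Return (policy, rules); a rule is (conditions, target), a condition (key, value, negated)."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)  # keeps the quoted ULOG prefix as one token
        if not tok:
            continue
        if tok[0].startswith(":"):          # ":INPUT DROP [0:0]" -> chain policy
            policy = tok[1]
            continue
        conds, target, neg, i = [], None, False, 2   # skip "-A INPUT"
        while i < len(tok):
            t = tok[i]
            if t == "!":                      # negation applies to the next option
                neg, i = True, i + 1
                continue
            if t == "-j":
                target, i = tok[i + 1], i + 2
                continue
            if t in ("-m", "--ulog-prefix", "--reject-with"):   # no match effect
                i += 2
                continue
            if t == "--tcp-flags":            # takes two arguments: mask, compare
                conds.append(("tcpflags", (tok[i + 1], tok[i + 2]), neg))
                i += 3
            else:
                conds.append((t.lstrip("-"), tok[i + 1], neg))
                i += 2
            neg = False
        rules.append((conds, target))
    return policy, rules


def cond_matches(key, value, pkt):
    """Simplified match semantics for the options present in the posted chain."""
    if key == "i":
        return pkt["iface"] == value
    if key == "p":
        return pkt["proto"] == value
    if key in ("s", "d"):
        addr = ipaddress.ip_address(pkt["src" if key == "s" else "dst"])
        return addr in ipaddress.ip_network(value, strict=False)
    if key in ("dport", "sport"):
        port = SERVICE_PORTS[value] if value in SERVICE_PORTS else int(value)
        return pkt.get(key) == port
    if key == "state":                        # caller supplies conntrack state
        return pkt.get("state") in value.split(",")
    if key == "icmp-type":
        return pkt.get("icmp_type") == int(value)
    if key == "dst-type":                     # addrtype: default to UNICAST
        return pkt.get("dst_type", "UNICAST") in value.split(",")
    if key == "mark":
        return pkt.get("mark", 0) == int(value, 0)
    if key == "tcpflags":                     # flags within mask must equal compare set
        mask, comp = value
        present = {f for f in mask.split(",") if f in pkt.get("tcp_flags", set())}
        return present == set(comp.split(","))
    raise ValueError(f"unsupported match: {key}")


def evaluate(policy, rules, pkt):
    """Walk the chain top to bottom; return (verdict, 1-based rule number or None for policy)."""
    for n, (conds, target) in enumerate(rules, 1):
        if all(cond_matches(k, v, pkt) != neg for k, v, neg in conds):
            if target in TERMINAL:
                return target, n
    return policy, None


POLICY, RULES = parse_chain(INPUT_CHAIN)


def verdict(pkt):
    return evaluate(POLICY, RULES, pkt)


if __name__ == "__main__":
    # Constructed packets: a new SSH connection from the enterprise side, a spoofed
    # wireless-range source arriving on eth0, and an unlisted port from eth2.
    for pkt in (
        {"iface": "eth2", "proto": "tcp", "src": "172.19.58.130", "dst": "172.19.58.129",
         "dport": 22, "state": "NEW", "tcp_flags": {"SYN"}},
        {"iface": "eth0", "proto": "tcp", "src": "192.168.69.5", "dst": "192.168.70.1",
         "dport": 22, "state": "NEW", "tcp_flags": {"SYN"}},
        {"iface": "eth2", "proto": "tcp", "src": "172.19.58.130", "dst": "172.19.58.129",
         "dport": 80, "state": "NEW", "tcp_flags": {"SYN"}},
    ):
        print(pkt["iface"], pkt["proto"], pkt.get("dport"), "->", verdict(pkt))
```

Run as-is, the simulator shows that by rule order alone a new TCP connection to port 22 or 443 arriving on eth2 is accepted by the added rules (rules 16 and 17 in the posted chain), well before the final `REJECT --reject-with tcp-reset`, while anything else from eth2 falls through to that REJECT. What the simulator cannot tell you is whether the saved file is what the kernel is running: `iptables -L INPUT -v -n --line-numbers` shows the live chain with per-rule packet and byte counters, so comparing that output against the file, and watching whether the eth2 rules' counters move during a connection attempt, is the check to do next.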
