
iptables DNAT question


kubla

Programmer
Feb 7, 2002
50
IT
Dear All,

I'm trying to do the following with my firewall:

1) redirect all web traffic to my gateway until a user is authenticated.

2) after authentication, add their ip to those allowed to surf.

I've achieved point 1 with the following iptables rule:

iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j DNAT --to 192.168.1.1

What I want to do now is on a per-ip basis drop this rule... but I can't find the syntax to do it... ideas?

 

Try:

iptables -t nat -A PREROUTING -s 192.168.1.10/32 -p tcp --dport 80 -j DNAT --to your-routers-ipaddress

but it would have to be before the other rule.
 
Thanks Eric.

I don't think I really explained myself all that well in my first post.

I need to do things dynamically, so I can't have the per-ip rules before the general redirect... which is why I'm thinking that perhaps what I want to do can't be done...

I have a separate account creation and authentication module and have a firewall which restricts access strictly to the gateway/authentication server until a user has authenticated (authentication launches a shell script which runs a series of iptables rules letting the user past the Gateway). All that is functioning famously.

What I wanted to do though is have a mechanism which automagically redirects users to the authentication page should they neglect to login first no matter what they type into their browsers. At the moment, they have to type in the ip/hostname of the authentication server.

The DNAT rule does that; however, after authentication, users can get out using all protocols permitted by the firewall *except* http which continues to be routed to 192.168.1.1

What I'm puzzling over is whether or not I can, on a per-ip basis, override this rule. I'm beginning to think that I can't ...

 
OK, I've got it!

Thanks to advice from Oliver from OxLug, I've tried this:

iptables -t nat -I PREROUTING X -s Y -j ACCEPT

X == prerouting list number (in my case 1)

Y == ip address of authenticated user

So if "joe" using 192.168.1.120 authenticates, I launch:

iptables -t nat -I PREROUTING 1 -s 192.168.1.120 -j ACCEPT

That inserts the prerouting rule for 192.168.1.120 before the general redirect and all is good!
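A small shell wrapper around the rules worked out in this thread, added here as an example and not kubla's or OxLug's script: it validates the address handed over by the authentication module before it is spliced into an iptables command, inserts the per-user ACCEPT at position 1 exactly as the last post does, and adds the matching delete for logout or lease expiry. The LAN range, the gateway address and the IPT variable (set to "echo" for a dry run) are assumptions.

```shell
#!/bin/sh
# Captive-portal helper built on the thread's rules (constructed example).
# IPT defaults to iptables; set IPT=echo to see the commands without root.
IPT="${IPT:-iptables}"
LAN_NET="192.168.1.0/24"   # assumed: LAN range used in the thread
PORTAL_IP="192.168.1.1"    # assumed: gateway/auth server used in the thread

# Strict dotted-quad check, so a malformed value from the auth module can
# never become extra arguments on the iptables command line.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Catch-all redirect: appended once at setup so it stays last in the chain.
redirect_rule() {
  echo "$IPT -t nat -A PREROUTING -s $LAN_NET -p tcp --dport 80 -j DNAT --to $PORTAL_IP"
}

# Per-user bypass, inserted at position 1 so it is hit before the redirect.
# ACCEPT in the nat table only skips NAT for that source; filter rules still apply.
allow_rule() {
  valid_ipv4 "$1" || return 1
  echo "$IPT -t nat -I PREROUTING 1 -s $1 -j ACCEPT"
}

# Logout / lease expiry: delete the bypass so the host is redirected again.
deny_rule() {
  valid_ipv4 "$1" || return 1
  echo "$IPT -t nat -D PREROUTING -s $1 -j ACCEPT"
}

# Run a built rule line (word-split on purpose; every field was validated above).
run_rule() { [ -n "$1" ] && $1; }

case "${1:-}" in
  setup)  run_rule "$(redirect_rule)" ;;
  login)  run_rule "$(allow_rule "$2")"  || { echo "bad ip: $2" >&2; exit 1; } ;;
  logout) run_rule "$(deny_rule "$2")"   || { echo "bad ip: $2" >&2; exit 1; } ;;
esac
```

Call it as `portal.sh login 192.168.1.120` from the authentication hook and `portal.sh logout 192.168.1.120` when the session ends.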

