Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

iptables DNAT question

Status
Not open for further replies.
kubla

kubla

Programmer
Feb 7, 2002
50
0
0
IT
Dear All,

I'm trying to do the following with my firewall:

1) redirect all web traffic to my gateway until a user is authenticated.

2) after authentication, add their ip to those allowed to surf.

I've achieved point 1 with the following iptables rule:

iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j DNAT --to 192.168.1.1

What I want to do now is on a per-ip basis drop this rule... but I can't find the syntax to do it... ideas?

 
Sort by date Sort by votes

Try:

iptables -t nat -A PREROUTING -s 192.168.1.10/32 -p tcp --dport 80 -j DNAT --to your-routers-ipaddress

but it would have to be before the other rule.
 
Upvote 0 Downvote
Thanks Eric.

I don't think I really explained myself all that well in my first post.

I'm need to do things dynamically so can't have the per-ip rules before the general redirect... which is why I'm thinking that perhaps what I want to do can't be done...

I have a seperate account creation and authentication module and have a firewall which restricts access strictly to the gateway/authentication server until a user has authenticated (authentication launches a shell script which runs a series of iptables rules letting the user past the Gateway). All that is functioning famously.

What I wanted to do though is have a mechanism which automagically redirects users to the authentication page should they neglect to login first no matter what they type into their browsers. At the moment, they have to type in the ip/hostname of the authentication server.

The DNAT rule does that; however, after authentication, users can get out using all protocols permitted by the firewall *except* http which continues to be routed to 192.168.1.1

What I'm puzzling over is whether or not I can, on a per-ip basis, override this rule. I'm beginning to think that I can't ...

 
Upvote 0 Downvote
OK, I've got it!

Thanks to advice from Oliver from OxLug, I've tried this:

iptables -t nat -I PREROUTING X -s Y -j ACCEPT

X == prerouting list number (in my case 1)

Y == ip address of authenticated user

So if "joe" using 192.168.1.120 authenticates, I launce:

iptables -t nat -I PREROUTING 1 -s 192.168.1.120 -j ACCEPT

That inserts the prerouting rule for 192.168.1.120 before the general redirect and all is good!


 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

AbidingDude
  • Locked
  • Question
Newbie Apache Cache Question
Replies
5
Views
114
AbidingDude
AbidingDude
johngiggs
  • Locked
  • Question
Regex Question
Replies
1
Views
50
johngiggs
johngiggs
fzx5v0
  • Locked
  • Question
IPTables outgoing firewall rules
Replies
1
Views
49
minicompbx
minicompbx
abrooks3640
  • Locked
  • Question
Two Servers on One Machine - iframe question
Replies
0
Views
34
abrooks3640
abrooks3640
MichealC4
  • Locked
  • Question
iptables + gre + masquerade = doesn't work?
Replies
1
Views
71
MichealC4
MichealC4

Part and Inventory Search

Sponsor

Back
Top