Re: How to kill DNAT'ed connection
On Fri, 09/06/2006 at 08:38 +0100, Rene Mayrhofer writes:
> On Friday 09 June 2006 08:29, Покотиленко Костик wrote:
> > This problem is now solved using only iptables rules. If anybody is interested
> > in the details, let me know.
> Yes, please share your solution - it will certainly be interesting to at least
> a few people and is always good to have in the archives.
To be brief, here are the rules that solved the problem using -m mark:
# Marking DNAT'ed connections
-A PREROUTING -t mangle -s 10.1.1.0/24 -d 10.1.0.129 -j MARK --set-mark 1
-A PREROUTING -t mangle -s 10.1.1.0/24 -d 10.1.0.131 -j MARK --set-mark 2
# Allowing Marked (DNAT'ed) connections for IPs in INET_allow chain
-A FORWARD -m mark --mark 1 -j INET_allow
-A FORWARD -m mark --mark 2 -j INET_allow
# Prohibiting Marked (DNAT'ed) connections for IPs not in INET_allow chain
-A FORWARD -m mark --mark 1 -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -m mark --mark 2 -j REJECT --reject-with icmp-host-unreachable
=========================================================
Well, I'll share the whole scheme. It's not really complete, but a working
scheme for my needs.
                          ServerNet
                        (10.1.0.0/25)
                 +--------+--------+--------+
                 |        |        |        |
              +--+--+  +--+--+  +--+--+  +--+--+
              |     |  |     |  |     |  |     |
  UserNet-----+lan-r|  | ss  |  |bill |  |wan-r+------INET
(10.1.1.0/24) |     |  |     |  |     |  |     |
              +-----+  +-----+  +-----+  +-----+
             10.1.0.1 10.1.0.2 10.1.0.3 10.1.0.4
Every client in UserNet uses an authentication program, which allows Inet
access from an IP by a password. The authentication server runs on BILL.
Brief service description:
lan-r (UserNet router):
- internal DNS
- secondary web-server to inform users of any problems with ServerNet or the Internet connection
wan-r (Internet router):
- only firewall
ss (the superserver):
- web-server static site
- web-mail
- web-forum
- web-fileserver
- jabber-server
- mail-server
bill (billing server):
- user authentication server
- web-server user's statistics
The task is:
1. allow all clients (even not authenticated) to access:
- internal DNS
- user authentication server
- web-server static site
- web-forum
- web-server user's statistics (password protected)
2. allow authenticated clients to access:
- web-mail
- web-fileserver
- jabber-server
- mail-server
- Internet
The complication is that on one server (IP) there are services that
should always be available and others that are available only to
authenticated clients.
For this I used DNS mapping of services to non-existent IPs in combination
with name-based virtual hosts, like this
(from the bind configuration):
---------------------------------------
; Main fake addresses for SS
; Addresses that are always available even to unauthorized clients
; should be CNAME'ed to 's1-available'
s1-available IN A 10.1.0.128
; Addresses that should be blocked from unauthorized or zero
; balance users should be CNAME'ed to 's1-closable'
s1-closable IN A 10.1.0.129
; Main fake addresses for BILL
; Addresses that are always available even to unauthorized clients
; should be CNAME'ed to 's2-available'
s2-available IN A 10.1.0.130
; Addresses that should be blocked from unauthorized or zero
; balance users should be CNAME'ed to 's2-closable'
s2-closable IN A 10.1.0.131
; web-server static site
www IN CNAME s1-available
; web-mail
mail IN CNAME s1-closable
; mail-server
pop IN CNAME s1-closable
; mail-server
imap IN CNAME s1-closable
; mail-server
smtp IN CNAME s1-closable
; web-fileserver
files IN CNAME s1-closable
; jabber-server
chat IN CNAME s1-closable
; web-forum
forum IN CNAME s1-available
; web-server user's statistics
stat IN CNAME s2-available
; user authentication server
auth IN CNAME s2-available
---------------------------------------
Iptables rules:
1. lan-r
/etc/iptables/iptables.rules:
---------------------------------------
# Generated by iptables-save v1.2.11 on Wed May 31 17:10:43 2006
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DNAT_available - [0:0]
:DNAT_closable - [0:0]
:LNET_allow - [0:0]
:INET_allow - [0:0]
# Allowing access to 'closable' services for clients in LNET_allow chain
-A PREROUTING -s 10.1.1.0/24 -d 10.1.0.129 -j LNET_allow
-A PREROUTING -s 10.1.1.0/24 -d 10.1.0.131 -j LNET_allow
# Allowing www access to Inet for clients in INET_allow chain
# Connects from clients not in this table to www will be redirected
# to the internal www-server; the rest of the connections are processed
# in the filter table
-A PREROUTING -s 10.1.1.0/24 -d ! 10.1.0.0/24 -p tcp -m tcp --dport 80 -j INET_allow
# Redirecting www connects for clients not in INET_allow to internal
# www-server
-A PREROUTING -s 10.1.1.0/24 -d ! 10.1.0.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.0.1:80
# Redirecting all connections 'available' services to real ones
-A PREROUTING -s 10.1.1.0/24 -d 10.1.0.128 -j DNAT_available
-A PREROUTING -s 10.1.1.0/24 -d 10.1.0.130 -j DNAT_available
# Redirecting unauthorized clients connecting to 'closable' services to
# internal www-server
-A PREROUTING -s 10.1.1.0/24 -d 10.1.0.129 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.0.1:80
-A PREROUTING -s 10.1.1.0/24 -d 10.1.0.131 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.0.1:80
# Unauthorized clients connecting to other ports would be rejected in
# the filter table
#-A PREROUTING -s 10.1.1.0/255.255.255.0 -d ! 10.1.0.0/255.255.255.0 -j ACCEPT
# Denying access to the ServerNet directly without DNAT
-A PREROUTING -s 10.1.1.0/24 -d 10.1.0.0/25 -j DROP
# Redirecting all connections to 'available' services to their real
# addresses
# WWW-services on SS
-A DNAT_available -s 10.1.1.0/255.255.255.0 -d 10.1.0.128 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.0.2:80
# WWW-services on BILL
-A DNAT_available -s 10.1.1.0/255.255.255.0 -d 10.1.0.130 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.0.3:80
# User authentication server on BILL
-A DNAT_available -s 10.1.1.0/255.255.255.0 -d 10.1.0.130 -p udp -m udp --dport 7723 -j DNAT --to-destination 10.1.0.3:7723
# Redirecting all connections from authorized clients to 'closable'
# services to their real addresses
# WWW-services on SS
-A DNAT_closable -s 10.1.1.0/255.255.255.0 -d 10.1.0.129 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.0.2:80
# SMTP on SS
-A DNAT_closable -s 10.1.1.0/255.255.255.0 -d 10.1.0.129 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.1.0.2:25
# POP3 on SS
-A DNAT_closable -s 10.1.1.0/255.255.255.0 -d 10.1.0.129 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.1.0.2:110
# IMAP on SS
-A DNAT_closable -s 10.1.1.0/255.255.255.0 -d 10.1.0.129 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.1.0.2:143
# JABBER on SS
-A DNAT_closable -s 10.1.1.0/255.255.255.0 -d 10.1.0.129 -p tcp -m tcp --dport 5222 -j DNAT --to-destination 10.1.0.2:5222
# Redirecting www internet connections from unauthorized clients to
# internal www-server
-A DNAT_closable -s 10.1.1.0/24 -d ! 10.1.0.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.0.1:80
COMMIT
# Completed on Wed May 31 17:10:43 2006
# Generated by iptables-save v1.2.11 on Wed May 31 17:10:43 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INET_allow - [0:0]
# Rejecting all connections that haven't been DNAT'ed
-A FORWARD -s 10.1.1.0/255.255.255.0 -d 10.1.0.128 -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -s 10.1.1.0/255.255.255.0 -d 10.1.0.129 -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -s 10.1.1.0/255.255.255.0 -d 10.1.0.130 -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -s 10.1.1.0/255.255.255.0 -d 10.1.0.131 -j REJECT --reject-with icmp-host-unreachable
# Allowing Inet access to clients in INET_allow chain
-A FORWARD -s 10.1.1.0/255.255.255.0 -d ! 10.1.0.0/25 -j INET_allow
# Allowing access for clients which were redirected to the local web-server
-A FORWARD -s 10.1.1.0/255.255.255.0 -d 10.1.0.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
# Prohibiting Inet access to clients which are not allowed in INET_allow
-A FORWARD -s 10.1.1.0/255.255.255.0 -d ! 10.1.0.0/25 -j REJECT --reject-with icmp-host-unreachable
# Allowing existing DNAT'ed connections to 'closable' services on SS
# from clients in INET_allow chain
-A FORWARD -m mark --mark 1 -j INET_allow
# Allowing existing DNAT'ed connections to 'closable' services on BILL
# from clients in INET_allow chain
-A FORWARD -m mark --mark 2 -j INET_allow
# Prohibiting existing DNAT'ed connections to 'closable' services on SS
# from clients not in INET_allow chain
-A FORWARD -m mark --mark 1 -j REJECT --reject-with icmp-host-unreachable
# Prohibiting existing DNAT'ed connections to 'closable' services on BILL
# from clients not in INET_allow chain
-A FORWARD -m mark --mark 2 -j REJECT --reject-with icmp-host-unreachable
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Marking DNAT'ed connections to 'closable' services on SS
-A PREROUTING -s 10.1.1.0/24 -d 10.1.0.129 -j MARK --set-mark 1
# Marking DNAT'ed connections to 'closable' services on BILL
-A PREROUTING -s 10.1.1.0/24 -d 10.1.0.131 -j MARK --set-mark 2
COMMIT
# Completed on Wed May 31 17:10:43 2006
---------------------------------------
2. wan-r
/etc/iptables/iptables.rules:
---------------------------------------
# Generated by iptables-save v1.2.11 on Wed May 24 22:19:09 2006
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# SNAT'ing allowed connections from UserNet
-A POSTROUTING -s 10.1.1.0/24 -d ! 10.1.1.0/24 -j SNAT --to-source <external-ip>
# SNAT'ing connections from ServerNet
-A POSTROUTING -s 10.1.0.0/25 -d ! 10.1.0.0/25 -j SNAT --to-source <external-ip>
COMMIT
# Completed on Wed May 24 22:19:09 2006
# Generated by iptables-save v1.2.11 on Wed May 24 22:19:09 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INET_allow - [0:0]
# Allowing forwarding from clients in INET_allow chain
-A FORWARD -s 10.1.1.0/24 -j INET_allow
# Allowing forwarding to clients in INET_allow chain
-A FORWARD -d 10.1.1.0/24 -j INET_allow
# Prohibiting forwarding from clients not in INET_allow chain
-A FORWARD -s 10.1.1.0/24 -j REJECT --reject-with icmp-host-unreachable
# Prohibiting forwarding to clients not in INET_allow chain
-A FORWARD -d 10.1.1.0/24 -j REJECT --reject-with icmp-host-unreachable
COMMIT
# Completed on Wed May 24 22:19:09 2006
---------------------------------------
When the authentication server authorizes/deauthorizes a client, the
following scripts are run:
1. On lan-r
OnConnect.sh:
---------------------------------------
#!/bin/sh
# $IP is the client address handed over by the authentication server
iptables -A LNET_allow -t nat -s "$IP" -j DNAT_closable
iptables -A INET_allow -t nat -s "$IP" -j ACCEPT
iptables -A INET_allow -s "$IP" -j ACCEPT
---------------------------------------
OnDisconnect.sh:
---------------------------------------
#!/bin/sh
# remove exactly the rules OnConnect.sh added for this client
iptables -D LNET_allow -t nat -s "$IP" -j DNAT_closable
iptables -D INET_allow -t nat -s "$IP" -j ACCEPT
iptables -D INET_allow -s "$IP" -j ACCEPT
---------------------------------------
2. On wan-r
OnConnect.sh:
---------------------------------------
#!/bin/sh
# allow forwarding in both directions for the authorized client
iptables -A INET_allow -s "$IP" -j ACCEPT
iptables -A INET_allow -d "$IP" -j ACCEPT
---------------------------------------
OnDisconnect.sh:
---------------------------------------
#!/bin/sh
# remove exactly the rules OnConnect.sh added for this client
iptables -D INET_allow -s "$IP" -j ACCEPT
iptables -D INET_allow -d "$IP" -j ACCEPT
---------------------------------------
======================================
I would also be glad to hear what you think of this scheme.
--
Покотиленко Костик <casper@meteor.dp.ua>
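The point of the scheme above is that the filter table sees the post-DNAT address while the mangle mark set on the pre-DNAT fake address survives, so the mark is what lets FORWARD tell a DNAT'ed 'closable' connection apart. The following is an added example, not the author's code: a simplified Python model of the lan-r ruleset that walks one new UserNet connection through mangle PREROUTING, nat PREROUTING and filter FORWARD in the listed rule order, so the policy can be checked for a given client state and destination without touching a live firewall (replies, established flows and wan-r are left out).

```python
import ipaddress
# Added example, not the author's code: simplified model of the lan-r rules
# for one NEW connection from a UserNet client. Destinations and ports are
# the ones from the post; 'authorized' means the client is in LNET_allow/INET_allow.
SERVERNET = ipaddress.ip_network("10.1.0.0/25")
WHOLE_24 = ipaddress.ip_network("10.1.0.0/24")
LOCAL_WWW = ("10.1.0.1", 80)                      # lan-r's own "problem info" web page
# fake 'available' address -> (real server, forwarded (proto, port) pairs)
AVAILABLE = {"10.1.0.128": ("10.1.0.2", {("tcp", 80)}),
             "10.1.0.130": ("10.1.0.3", {("tcp", 80), ("udp", 7723)})}
# fake 'closable' address -> (real server, forwarded pairs, mangle mark)
CLOSABLE = {"10.1.0.129": ("10.1.0.2", {("tcp", 80), ("tcp", 25), ("tcp", 110),
                                         ("tcp", 143), ("tcp", 5222)}, 1),
            "10.1.0.131": ("10.1.0.3", set(), 2)}  # no DNAT_closable rules for BILL yet

def nat_prerouting(dst, proto, dport, authorized):
    """Return the (ip, port) the packet goes to after nat PREROUTING, or None for DROP."""
    dst_ip = ipaddress.ip_address(dst)
    if dst in CLOSABLE and authorized:                      # LNET_allow -> DNAT_closable
        real, ports, _ = CLOSABLE[dst]
        if (proto, dport) in ports:
            return (real, dport)
    if dst_ip not in WHOLE_24 and (proto, dport) == ("tcp", 80):
        return (dst, dport) if authorized else LOCAL_WWW     # INET_allow ACCEPT, else DNAT
    if dst in AVAILABLE:                                    # DNAT_available
        real, ports = AVAILABLE[dst]
        if (proto, dport) in ports:
            return (real, dport)
    if dst in CLOSABLE and (proto, dport) == ("tcp", 80):   # unauthorized closable www
        return LOCAL_WWW
    if dst_ip in SERVERNET:                                 # direct ServerNet access
        return None
    return (dst, dport)

def lan_r_verdict(dst, proto, dport, authorized):
    """Return (verdict, (ip, port)) for a new UserNet -> dst:dport connection."""
    mark = CLOSABLE[dst][2] if dst in CLOSABLE else 0       # set on the pre-DNAT address
    target = nat_prerouting(dst, proto, dport, authorized)
    if target is None:
        return ("DROP", (dst, dport))
    # filter FORWARD matches on the post-DNAT address, but the mark is still there
    if target[0] in AVAILABLE or target[0] in CLOSABLE:
        return ("REJECT", target)                           # fake address never DNAT'ed
    if ipaddress.ip_address(target[0]) not in SERVERNET:    # Internet: INET_allow or REJECT
        return ("ACCEPT" if authorized else "REJECT", target)
    if target == LOCAL_WWW:
        return ("ACCEPT", target)
    if mark:                                                # marked 'closable' connection
        return ("ACCEPT" if authorized else "REJECT", target)
    return ("ACCEPT", target)                               # FORWARD chain policy
```

Running lan_r_verdict("10.1.0.129", "tcp", 25, False) against this model gives REJECT on the fake address, while the same request from an authorized client lands on 10.1.0.2:25 and is accepted through the mark-1 rule.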