LinuxQuestions.org, Linux - Security forum
#1  03-01-2005, 02:08 PM  com90185 (LQ Newbie, Registered: Feb 2005, Distribution: Redhat 9)
blocking MAC address and NAT


Hi all,

I have a Linux box running squid and iptables as a transparent proxy. I was looking for a way to permit connections only from valid computers. Then I read the thread "DESPERATE: Iptables block users by MAC address". I tried what je_fro posted there and it all works.

But when I include it in my rules, the clients can connect for web requests, but when the clients need to connect via ssh to other servers they can't. If I comment out the MAC-address blocking rule, they can connect via ssh without problem.
I followed what ranjan303 posted but it doesn't work. What do you suggest?

Thanks a lot to everyone.
####################################################################
#!/bin/bash
echo -e Beginning rules.........

# Site-specific values. The script as posted referenced these variables
# without setting them anywhere. The LAN values are taken from the follow-up
# posts in this thread (gateway 192.168.1.3, servers .6 and .7, clients
# .8-.20); the rest are placeholders that must be set for your own network.
LOCALNET=192.168.1.0/24           # LAN behind eth1
IPSERVERLOCAL=192.168.1.3         # this box, LAN side (eth1)
LOCALSERVER=192.168.1.6           # internal ssh server (DNAT target)
LOCALSERVER2=192.168.1.7          # internal https server (DNAT target)
VALIDIP=CHANGE_ME                 # public address on eth0
IPLOCAL=$LOCALNET                 # addresses that must never arrive from eth0
MAQ1=CHANGE_ME                    # admin host allowed to ssh into this box

# initialise modules
/sbin/depmod -a

#modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Flush all

/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F

# default policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

############# blocking computers via MAC address
/sbin/iptables -N MAC_RULE
#valid computers (just a test)
/sbin/iptables -A MAC_RULE -i eth1 -m mac --mac-source 00:11:02:C1:F4:BF -j ACCEPT
/sbin/iptables -A MAC_RULE -i eth1 -m mac --mac-source 00:11:12:12:C3:B7 -j ACCEPT
#the rest is blocked
/sbin/iptables -A MAC_RULE -j DROP

# every TCP packet (including replies arriving on eth0) goes through MAC_RULE
/sbin/iptables -A INPUT -p tcp -j MAC_RULE
/sbin/iptables -A FORWARD -p tcp -j MAC_RULE


##### blocking syn flooding
/sbin/iptables -N syn-flood
/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
/sbin/iptables -A syn-flood -j DROP


##### no spoofing
/sbin/iptables -A INPUT -i eth0 -s $IPLOCAL -j DROP

######## allow ssh connection to this box from the admin host
/sbin/iptables -A INPUT -s $MAQ1 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -d $MAQ1 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

################### NAT:

/sbin/iptables -t nat -A POSTROUTING -o eth0 -s $LOCALNET -d 0/0 -j SNAT --to-source $VALIDIP
#####
#/sbin/iptables -A FORWARD -j MAC_RULE #adding this line doesn't work either
#######
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s $LOCALNET -d 0/0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


############### Forwarding PORTS

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $VALIDIP --dport 22 -j DNAT --to-destination $LOCALSERVER:22


/sbin/iptables -A FORWARD -p tcp -i eth0 -o eth1 -d $LOCALSERVER --dport 22 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $VALIDIP --dport 443 -j DNAT --to-destination $LOCALSERVER2:443

/sbin/iptables -A FORWARD -p tcp -i eth0 -o eth1 -d $LOCALSERVER2 --dport 443 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

######### Redirecting connections to port 80 to the squid proxy on port 3128 (on the same Linux box)

/sbin/iptables -t nat -A PREROUTING -i eth1 -s $LOCALNET -p tcp --dport 80 -j REDIRECT --to-port 3128

/sbin/iptables -A INPUT -p tcp -i eth1 -s $LOCALNET -d $IPSERVERLOCAL --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

echo -e Ending rules .....................................................

#####################################################################
#2  03-01-2005, 02:17 PM  Matir (Moderator, Registered: Nov 2004, Location: San Jose, CA, Distribution: Ubuntu)
First off, happy birthday.

Secondly, it seems that the packets are getting picked up by the MAC filtering rule before they get to the ssh accept rules. I'm not 100% sure about your problem, but this is all that I could see that could be related. Can you give a clearer example, including the MAC of the client and of the server(s) in question?
#3  03-01-2005, 05:00 PM  com90185 (Original Poster)
example

Well, I have two servers, $IPSERVER1=192.168.1.6 and $IPSERVER2=192.168.1.7, and only one valid IP that serves the ssh and sweb services.
These servers and the clients (192.168.1.8-20) see 192.168.1.3 as the gateway.
I use 192.168.1.8 and .9 with the MAC addresses that appear in the previous message; they are correct.
When someone tries to connect to the ssh or sweb services everything is OK (port forwarding).
When the clients connect to the web everything is OK (transparent proxy).
When the clients try to connect to other servers via ssh, they can't.
I hope my information is clearer now.
Thanks a lot
#4  03-01-2005, 07:34 PM  Matir (Moderator)
Are you trying to use portforwarding on the same subnet? I.e., bounce off .3 to .6 and .7?
#5  03-03-2005, 03:34 PM  com90185 (Original Poster)
Thanks again,
yes, I'm doing that.
#6  03-03-2005, 03:55 PM  Matir (Moderator)
You cannot portforward from within the same network. It has to do with the path that the packets take. There are some good resources online that explain it better than I can, but here's the short of it.

192.168.0.1 opens a connection to 192.168.0.2 which portforwards to 192.168.0.3. 192.168.0.3 replies DIRECTLY to 192.168.0.1, confusing 192.168.0.1 as to the status of the connection. Remember: tcp/ip connections are dependent upon two things: addresses and port numbers.

To do what you want to achieve, you'd need a transparent proxy for the protocol you are using.
#7  03-07-2005, 06:37 PM  com90185 (Original Poster)
OK, you are right. But I'm trying to connect to other servers, not the ssh server inside my LAN.
For example, if I try to connect to www.google.com via the browser I can do that (like a client), but when I try to connect to domain.org via ssh user@domain.org, it is blocked.
If I comment out the lines with the MAC address validation, I can again connect to domain.org via ssh.
I checked the other comments in the thread "DESPERATE: Iptables block users by MAC address" in this forum, and the author ranjan303 added these lines:

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#################################################
$IPTABLES -A FORWARD -j MAC_RULE
##################################################
$IPTABLES -A FORWARD -j ACCEPT -i $INTIF -s $INTERNAL_NET
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

and everything works fine. If I do the same but with SNAT (I haven't tried with MASQUERADE)
I can't connect via ssh to external servers.

Thanks again
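The following is an added example, not code from the original poster or from the thread ranjan303 wrote in. It is a corrected skeleton of the MAC-filtering part of the ruleset in post #1, built around Matir's diagnosis in #2: in the posted script every TCP packet in INPUT and FORWARD is sent through MAC_RULE, whose ACCEPT entries only match `-i eth1`, so the SYN-ACK coming back from an external ssh server on eth0 (carrying the upstream router's MAC, not a client's) falls through to the final DROP. Web access still works because squid terminates the client connection locally. The fix is to accept ESTABLISHED,RELATED traffic before any MAC check, consult MAC_RULE only for NEW connections entering on eth1, and have it RETURN rather than ACCEPT so the ordinary FORWARD/INPUT rules still decide what an approved host may do. Section 5 adds the extra SNAT commonly used when LAN clients reach the DNAT'd server through the public address, the same-subnet case discussed in #4 to #6. Interface names, the LAN addresses and the two MACs come from the thread; VALIDIP (203.0.113.10, a documentation address) and the log rate limit are placeholders. By default the script only prints the commands; set IPTABLES=/sbin/iptables to load them.

```shell
#!/bin/bash
# Added example: corrected MAC filtering with stateful rules. Prints the
# iptables commands unless IPTABLES is set to the real binary.
IPTABLES=${IPTABLES:-echo /sbin/iptables}
EXTIF=eth0
INTIF=eth1
LOCALNET=192.168.1.0/24        # LAN behind eth1 (from the thread)
IPSERVERLOCAL=192.168.1.3      # this box, LAN side (from the thread)
LOCALSERVER=192.168.1.6        # internal ssh server (from the thread)
VALIDIP=${VALIDIP:-203.0.113.10}   # placeholder public address on eth0
ALLOWED_MACS="00:11:02:C1:F4:BF 00:11:12:12:C3:B7"   # MACs from post #1

build_rules() {
    $IPTABLES -F; $IPTABLES -X; $IPTABLES -t nat -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    # 1. Reply traffic first. Only the first packet of a connection arrives on
    #    eth1 with the client's MAC; replies from the Internet arrive on eth0
    #    with the router's MAC and must never be run through the MAC filter.
    $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT   -m state --state INVALID -j DROP

    # 2. MAC gate: consulted only for NEW connections entering on the LAN side.
    #    Approved hosts RETURN to the calling chain; everyone else is logged
    #    (rate limited) and dropped.
    $IPTABLES -N MAC_RULE
    for m in $ALLOWED_MACS; do
        $IPTABLES -A MAC_RULE -m mac --mac-source "$m" -j RETURN
    done
    $IPTABLES -A MAC_RULE -m limit --limit 5/min -j LOG --log-prefix "MAC_DENY: "
    $IPTABLES -A MAC_RULE -j DROP
    $IPTABLES -A INPUT   -i $INTIF -m state --state NEW -j MAC_RULE
    $IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j MAC_RULE

    # 3. What approved LAN hosts may open: anything outbound (ssh included),
    #    source-NATed to the public address ...
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $LOCALNET -m state --state NEW -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $LOCALNET -j SNAT --to-source $VALIDIP
    #    ... and port 80, transparently redirected to the local squid, which
    #    then needs to open its own connections to the web.
    $IPTABLES -t nat -A PREROUTING -i $INTIF -s $LOCALNET -p tcp --dport 80 -j REDIRECT --to-port 3128
    $IPTABLES -A INPUT  -i $INTIF -s $LOCALNET -p tcp --dport 3128 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o $EXTIF -m state --state NEW -j ACCEPT

    # 4. Inbound port forward for ssh to the internal server.
    $IPTABLES -t nat -A PREROUTING -i $EXTIF -d $VALIDIP -p tcp --dport 22 -j DNAT --to-destination $LOCALSERVER:22
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -d $LOCALSERVER -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # 5. Hairpin for LAN clients that use the public address: DNAT on the LAN
    #    side too, and SNAT those flows to this box's LAN address so the
    #    server's replies come back through the gateway instead of directly.
    $IPTABLES -t nat -A PREROUTING -i $INTIF -s $LOCALNET -d $VALIDIP -p tcp --dport 22 -j DNAT --to-destination $LOCALSERVER:22
    $IPTABLES -t nat -A POSTROUTING -o $INTIF -s $LOCALNET -d $LOCALSERVER -p tcp --dport 22 -j SNAT --to-source $IPSERVERLOCAL
    $IPTABLES -A FORWARD -i $INTIF -o $INTIF -s $LOCALNET -d $LOCALSERVER -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

build_rules
```

Two caveats worth keeping in mind. `-m mac` only matches in the PREROUTING, INPUT and FORWARD chains and only sees the MAC of the last hop, so it is a convenience filter for the directly attached segment, not authentication: a client can change its address with `ip link set dev eth0 address ...` and impersonate an approved host. The hairpin SNAT in section 5 makes the internal server see every LAN client as 192.168.1.3, so its logs lose the real client address; if that matters, have LAN clients use the server's internal name or address instead.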