blocking mac address and NAT

com90185 · 03-01-2005, 02:08 PM

Hi ALL,

I have a linux box running squid and iptables for Transparent proxy. I was lookin for permiting connection just a valid computers. Then i read the message DESPERATE: Iptables block users by MAC address. I probe the advised that je_fro post it and all is ok.

But when i including it to my rules the clients can connect to Web request. But when the clients need connect via ssh to other servers can't do it. If i comment blocking mac address rule, they can connect ssh without problem.
I follow the advised that ranjan303 post it but don't work. What do u suggest me?

thanks a lot to everyone
####################################################################
#!/bin/bash
echo -e Beginning rules.........
#inicializa modulos

/sbin/depmod -a

#modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Flush all

/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F

# default policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

############# blockin computers via mac address
/sbin/iptables -N MAC_RULE
#valid computers (just test)
/sbin/iptables -A MAC_RULE -i eth1 -m mac --mac-source 00:11:02:C1:F4:BF -j ACCEPT
/sbin/iptables -A MAC_RULE -i eth1 -m mac --mac-source 00:11:12:12:C3:B7 -j ACCEPT
#the rest is block
/sbin/iptables -A MAC_RULE -j DROP

/sbin/iptables -A INPUT -p tcp -j MAC_RULE
/sbin/iptables -A FORWARD -p tcp -j MAC_RULE

##### blocking syn flooding
/sbin/iptables -N syn-flood
/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
/sbin/iptables -A syn-flood -j DROP

##### no spoofing
/sbin/iptables -A INPUT -i eth0 -s $IPLOCAL -j DROP

######## let ssh connection
/sbin/iptables -A INPUT -s $MAQ1 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -d $MAQ1 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

################### NAT:

/sbin/iptables -t nat -A POSTROUTING -o eth0 -s $LOCALNET -d 0/0 -j SNAT --to-source $VALIDIP
#####
#/sbin/iptables -A FORWARD -j MAC_RULE #adding this line, don't work yet
#######
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s $LOCALNET -d 0/0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

############### Forwarding PORTS

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $VALIDIP --dport 22 -j DNAT --to-destination $LOCALSERVER:22

/sbin/iptables -A FORWARD -p tcp -i eth0 -o eth1 -d $LOCALSERVER --dport 22 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $VALIDIP --dport 443 -j DNAT --to-destination $LOCALSERVER2:443

/sbin/iptables -A FORWARD -p tcp -i eth0 -o eth1 -d $LOCALSERVER2 --dport 443 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

######### Forwarding connection to port 80 to squid proxy port 3128 (in the same linux box)

/sbin/iptables -t nat -A PREROUTING -i eth1 -s $LOCALNET -p tcp --dport 80 -j REDIRECT --to-port 3128

/sbin/iptables -A INPUT -p tcp -i eth1 -s $LOCALNET -d $IPSERVERLOCAL --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

echo -e Ending rules .....................................................

#####################################################################

Matir · 03-01-2005, 02:17 PM

First off, happy birthday.

Secondly, it seems that the packets are getting picked up by the mac filtering rule before they get to the ssh accept rules. I'm not 100% sure on your problem, but this is all that I could see that could be related. Can you give a clearer example, including MAC of the client and the server(s) in question?

com90185 · 03-01-2005, 05:00 PM

well, i two servers $IPSERVER1=192.168.1.6 , $IPSERVER2=192.168.1.7, and only a valid ip that distributed ssh and sweb services.
This server and clients (192.168.1.8-20) see the 192.168.1.3 like a gateway.
I use 192.168.1.8 and .9 with the mac address appear in the last message are correct.
When someone try to connect to ssh o sweb services all is ok. (forwarding port) .
When the clients connect to web all is ok (transparent proxy).
When the clients try to connect to other servers via ssh, they can't.
I hope my information will be more clear
Thans a lot

Matir · 03-01-2005, 07:34 PM

Are you trying to use portforwarding on the same subnet? I.e., bounce off .3 to .6 and .7?

com90185 · 03-03-2005, 03:34 PM

thanks again,
yes im doing that

Matir · 03-03-2005, 03:55 PM

You cannot portforward from within the same network. It has to do with the path that the packets take. There are some good resources online that explain it better than I can, but here's the short of it.

192.168.0.1 opens a connection to 192.168.0.2 which portforwards to 192.168.0.3. 192.168.0.3 replies DIRECTLY to 192.168.0.1, confusing 192.168.0.1 as to the status of the connection. Remember: tcp/ip connections are dependent upon two things: addresses and port numbers.

To do what you want to achieve, you'd need a transparent proxy for the protocol you are using.

com90185 · 03-07-2005, 06:37 PM

ok. You are wright. But im trying to connect to others severs not the ssh server inside my LAN.
For example if i try to connect to www.google.com via navigator i can do that (like a client), when im trying to connect to a domain.org via ssh user@domain.org, its blocking.
If i comment the lines with mac address validation, again i can connect to other domain.org via ssh.
I check other comments in the Thread: DESPERATE : Iptables block users by MAC address. in this forum. And the author ranjan303 add this lines

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#################################################
$IPTABLES -A FORWARD -j MAC_RULE
##################################################
$IPTABLES -A FORWARD -j ACCEPT -i $INTIF -s $INTERNAL_NET
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
and all works fine, if i do the same but with the SNAT (i havent probe with masquerade)
i cant connect via ssh to external servers

thanks again