LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 02-09-2006, 07:47 PM   #1
thekillerbean
Member
 
Registered: Jan 2002
Location: Melbourne, Australia
Distribution: Ubuntu 22.04 (Jammy)
Posts: 92

Rep: Reputation: 16
Firewall - retrieving a live IP address.


I'm not sure how to search for what I'm about to ask as I'm not even sure what it is I'm asking.

Anyway, I'm creating a firewall script and wanted to know if there was a method of retrieving an IP address of a live connection.

Let me digress a little in order to expound a little more on my problem. In sendmail.cf file, you can force it to not expand a macro during loading, but that macro expands whenever a mail message comes in. What I'm looking for is something similar for iptables - is this possible?

I want to retrieve the live IP address that is currently traversing the firewall rules, determine if it belongs to one of many allowed subnets, and DNAT it accordingly in the PREROUTING chain before it hits the routing process.

Cheers,
kb.
 
Old 02-10-2006, 01:12 PM   #2
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Rep: Reputation: 78
Quote:
I want to retrieve the live IP address that is currently traversing the firewall rules, determine if it belongs to one of many allowed subnets, and DNAT it accordingly in the PREROUTING chain before it hits the routing process.
Maybe I don't understand the question, as what you mention is exactly what iptables is for. By definition iptables must consider _every_ ip address that tries to connect to your computer.
Let's say your subnet is 192.168.0.1/24:
Code:
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 -j DNAT --to-destination $dest_ip
If you need more control on how the packets are rewritten then have a look at "mangle" table in the iptables docs.

Perhaps you should explain more clearly what you are trying to accomplish here.
 
Old 02-11-2006, 05:00 AM   #3
thekillerbean
Member
 
Registered: Jan 2002
Location: Melbourne, Australia
Distribution: Ubuntu 22.04 (Jammy)
Posts: 92

Original Poster
Rep: Reputation: 16
Okay - maybe I was a little vague. Let me explain a little further:

I have some trusted subnets that I need to grant access to the server in question. I want all traffic originating from a host in any of these subnets to be returned. This one is easy and I've got a script creating the rules.

The tough part is this - Since this is not such a powerful machine, I've got another system running an IDS and I want any traffic not coming from the trusted subnets to be redirected to the IDS system. The challenge is that the PREROUTING chain in the NAT table is hit before traffic gets to my INPUT chain and thus I'm in a quandary as to where to perform my DNAT!

I've struggled with this and still haven't come up with an answer! I hope this will elicit more help.

Cheers,
kb.
 
Old 02-11-2006, 08:18 AM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by thekillerbean
where to perform my DNAT!
in the PREROUTING chain, as per the example given above...

unless we still aren't understanding your question...

i mean, basically it sounds like:

you have a LAN with a server and a dedicated IDS...

you are running iptables on the server...

you want the server to ACCEPT traffic from certain subnets, and you want it to DNAT/FORWARD traffic from other subnets to the IDS...

is this basically it??

also please confirm where you are running the iptables rules (on the server itself??)...
 
Old 02-11-2006, 10:19 AM   #5
thekillerbean
Member
 
Registered: Jan 2002
Location: Melbourne, Australia
Distribution: Ubuntu 22.04 (Jammy)
Posts: 92

Original Poster
Rep: Reputation: 16
Let me explain even further - I'm not very good at this as you've gathered by now.

Okay, let's say I have 50 subnets that I trust and want to give access to my resource. I want to allow traffic to/from these subnets. However, (and I'm correcting myself here), I want any traffic that manages to get to my server that does not belong to any of the trusted subnets to be sent back, not to the host that requested it, but to the IDS server. In other words, all the IDS server wants to know is what the illegal hosts were after!

My dilemma is not in which chain to add the rules, but the sequence. For instance, I know that I'll be adding the rule in the OUTPUT chain of the "nat" table. However, it simply cannot be one rule as this would catch the good hosts as well. As such, I have to test all the good subnets first and let their return traffic through, but redirect, via DNAT, illegal attempts at getting to my resources.

The only way I'm seeing to get this to work is to have the following rule for each trusted subnet:
Code:
iptables -t nat -A OUTPUT -d 192.168.128.0/24 -j DNAT \
   --to-destination 192.168.128.1-192.168.128.254
and then have the last rule as a catchall to send illegal requests back to my IDS:
Code:
iptables -t nat -A OUTPUT -j DNAT --to-destination $IDS
From the red rule for trusted subnets, does the return range mean that the server will broadcast the response?

This is where I was thinking that a known variable that holds the IP address of whatever host is attempting a connection via iptables traversal would come in handy. I could save the IP in my own variable and use it for my DNAT rules instead of a range.

am I making sense now or have I made it totally incomprehensible?

Cheers,
kb.
 
Old 02-11-2006, 09:49 PM   #6
thekillerbean
Member
 
Registered: Jan 2002
Location: Melbourne, Australia
Distribution: Ubuntu 22.04 (Jammy)
Posts: 92

Original Poster
Rep: Reputation: 16
I think I have stumbled upon the answer after reading this information:
http://iptables-tutorial.frozentux.n...tml#DNATTARGET

The DNAT method I was using above is for load balancing. This will not work in my situation as a response to a host in a trusted subnet is not guaranteed to get back to that particular host.

As such, my ingress checks will happen at the PREROUTING chain in the 'nat' table and any host from an untrusted subnet will be SNAT'd to the IDS system!

Woo hoo - fixed it all on my own after a bunch of coffees. Also, knowing how to phrase a Google search helps a whole lot!

Cheers,
kb.

---------Edit

Oh dang it. After thinking about it a little further, I've just realized that I'm in the same quandary. How do I SNAT back to the trusted host making the current connection request if I do not know from where they came? I'd have to know their IP address in order to SNAT - wouldn't I??? Surely, there has to be a way to determine the IP address of whatever is currently traversing the tables!!!

This is really killing me!

I'm now confusing where I do my DNAT and SNAT - I think it's time to go to bed - 26 hrs of being awake is not helping!

Later,
kb.

Last edited by thekillerbean; 02-11-2006 at 09:59 PM.
 
Old 02-11-2006, 10:22 PM   #7
thekillerbean
Member
 
Registered: Jan 2002
Location: Melbourne, Australia
Distribution: Ubuntu 22.04 (Jammy)
Posts: 92

Original Poster
Rep: Reputation: 16
Okay,

I can't go to bed until I find a solution to this problem. I've got a project that is relying on these rules to be in place. My problem right now is that I'm only allowed DNAT and REDIRECT in the PREROUTING chain. If I could use ACCEPT (what are the repercussions anyway), I'd be able to go to bed right away.

The most logical place to perform ingress checks is in the PREROUTING chain so I'm now concentrating on this one. My thoughts are to do as follows:
Code:
x=1
while [ "$x" -le "$totalsubnets" ]
do
  name="SUBNET$x"        # SUBNET1, SUBNET2, ... hold the trusted subnets
  iptables -t nat -A PREROUTING -s "${!name}" -j ACCEPT
  x=$((x + 1))           # next subnet
done
iptables -t nat -A PREROUTING -j DNAT --to-destination "$IDS"
If the ACCEPT target cannot be used (and per the documentation it should be avoided), then I'm really stuck between a rock and a very hard place!!!

If anyone can think of another solution to my problems, please dump all ideas in here - I'm getting desperate!

Cheers,
kb.

-----Edit

I've come to the conclusion that the initial requirement cannot be met - allow an intruder to actually request a connection on the firewall machine, but have any responses go to the IDS system. As such, my solution is to send any and all requests from untrusted subnets to the IDS. This way, I can fully protect the firewall box from intrusion!

Last edited by thekillerbean; 02-11-2006 at 10:25 PM.
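The ruleset the last post settles on (trusted subnets reach the box, every other new connection is DNATed to the IDS), written out as an added example that is not code from the thread. It answers the "live IP" question directly: the kernel matches `-s` against each packet as it traverses the chain, and conntrack records the DNAT mapping for the first packet of a connection and reverses it on replies, so no variable holding the current address is needed. Instead of ACCEPT in the nat table, trusted sources `RETURN` out of a user-defined chain before the catch-all DNAT. The subnets, the IDS address `10.0.0.250`, the interface `eth0` and the function names are all hypothetical; the script generates the rules in `iptables-restore` format and also classifies sample source addresses offline in chain order, so rule ordering can be checked on any machine before loading (loading itself needs root and `ip_forward=1`).

```shell
#!/bin/sh
# Added example, not from the thread. Generates the nat/filter rules the final
# post describes and classifies sample sources the way the chain would.
# All addresses below are constructed placeholders.
TRUSTED="192.168.128.0/24 192.168.129.0/24 10.20.0.0/16"  # hypothetical trusted subnets
IDS="10.0.0.250"                                          # hypothetical IDS address
WAN_IF="eth0"                                             # where untrusted traffic arrives
MASQ_TO_IDS="${MASQ_TO_IDS:-0}"   # set to 1 only if the IDS cannot route replies back via this host

# Emit the ruleset in iptables-restore format. nat/PREROUTING is consulted for
# the first packet of a connection only; conntrack stores the DNAT mapping and
# un-NATs the replies. Trusted sources RETURN to PREROUTING untouched, so they
# never reach the catch-all DNAT and continue to the filter INPUT chain.
gen_rules() {
    echo '*nat'
    echo ':UNTRUSTED - [0:0]'
    echo "-A PREROUTING -i $WAN_IF -j UNTRUSTED"
    for net in $TRUSTED; do
        echo "-A UNTRUSTED -s $net -j RETURN"
    done
    echo "-A UNTRUSTED -j DNAT --to-destination $IDS"
    if [ "$MASQ_TO_IDS" = 1 ]; then
        # Hides the original source from the IDS; a route on the IDS is preferable.
        echo "-A POSTROUTING -d $IDS -m conntrack --ctstate DNAT -j MASQUERADE"
    fi
    echo 'COMMIT'
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for net in $TRUSTED; do
        echo "-A INPUT -s $net -j ACCEPT"
    done
    # Only connections that were DNATed may be forwarded, and only to the IDS.
    echo "-A FORWARD -d $IDS -m conntrack --ctstate DNAT -j ACCEPT"
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'COMMIT'
}

# Dotted quad to a 32-bit integer, POSIX sh only.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when address $1 lies inside CIDR $2.
in_cidr() {
    cnet=${2%/*}; cbits=${2#*/}
    cmask=$(( (0xFFFFFFFF << (32 - cbits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & cmask )) -eq $(( $(ip2int "$cnet") & cmask )) ]
}

# What the UNTRUSTED chain does with a new connection from source $1:
# first matching trusted subnet wins, otherwise the catch-all DNAT.
classify() {
    for net in $TRUSTED; do
        in_cidr "$1" "$net" && { echo trusted; return 0; }
    done
    echo "dnat:$IDS"
}

if [ "${1:-}" = "--load" ]; then
    gen_rules | iptables-restore      # root; also needs net.ipv4.ip_forward=1
elif [ "${1:-}" = "--rules" ]; then
    gen_rules
fi
```

Two caveats the thread does not spell out. First, DNAT rewrites only the destination, so the IDS sees the real source address (which is what the poster wants), but the IDS's replies must come back through this host for conntrack to reverse the mapping; give the IDS a route to the untrusted ranges via this box, or set `MASQ_TO_IDS=1` and accept that the IDS then sees this host as the source. Second, anything that legitimately arrives on `eth0` from outside the trusted list, including the IDS itself if it shares that interface, is redirected too, so put its subnet in `TRUSTED` or scope the PREROUTING jump more tightly.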
 