LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-21-2004, 05:40 AM   #1
mchanea
LQ Newbie
 
Registered: Jan 2004
Location: Rio de Janeiro - Brasil
Distribution: debian/rh
Posts: 18

Rep: Reputation: 0
Iptables mac-match VS. transparent proxy


I made an IP/MAC matching policy on my firewall to allow only matching users to have any kind of access, but the problem is that I also have a transparent proxy rule that doesn't work anymore.
Here's my NAT's PREROUTING table:

Chain PREROUTING (policy ACCEPT)
target    prot  source           destination
ACCEPT    all   --  192.168.10.69    0.0.0.0/0   MAC 02:02:A5:XX:XX:XX
ACCEPT    all   --  192.168.10.73    0.0.0.0/0   MAC 00:0C:6E:XX:XX:XX
ACCEPT    all   --  192.168.10.70    0.0.0.0/0   MAC 00:11:2F:XX:XX:XX
DROP      all   --  192.168.10.0/24  0.0.0.0/0
REDIRECT  tcp   --  192.168.10.0/24  0.0.0.0/0   tcp dpt:80 redir ports 3128

Example: the user with IP 192.168.10.69 will only be granted access (ACCEPT) if his NIC's MAC is 02:02:A5:XX:XX:XX.
The problem is that the last rule (the transparent proxy's) is being ignored. That is, as soon as the user is accepted by the mac-match rule, his traffic goes directly to the port 80 it is requesting; it is not being redirected to port 3128.
Any ideas?

Marcelo Chanea,
Rio de Janeiro, Brasil.
 
Old 12-21-2004, 08:39 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Try putting the REDIRECT rule earlier on. It looks like the "DROP all -- 192.168.10.0/24 0.0.0.0/0 " rule will drop the same packets that the REDIRECT rule is trying to redirect. Because the drop target is "chain-terminating" the packets will never reach the redirect rule.

It also might help to post your firewall script, because the accept and drop rules in the prerouting chain look like they are in the wrong place (they look like they should be in INPUT or FORWARD).
 
Old 12-22-2004, 05:41 AM   #3
newpenguin
Member
 
Registered: Sep 2002
Location: lahore pakistan
Distribution: slackware,redhat, FreeBSD,openbsd
Posts: 219

Rep: Reputation: 30
Do the filtering stuff in the mangle table's PREROUTING chain.

Do the NAT in the nat table.
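The layout posts #2 and #3 are describing, as an added example that is not the thread's own script: the IP/MAC decision is taken out of nat PREROUTING and made in the filter table (FORWARD for routed traffic, INPUT for the proxy port, since REDIRECT turns the connection into one delivered locally), so that nat PREROUTING holds nothing but the REDIRECT rules. The interface name, proxy port and MAC addresses are assumed placeholders; the script only prints the commands unless IPT=iptables is set and it is run as root.

```shell
#!/bin/sh
# Added example, not the thread's own script: IP+MAC filtering moved out of
# nat PREROUTING into the filter table (FORWARD for routed traffic, INPUT for
# the proxy port), leaving nat PREROUTING with only the REDIRECT rules.
# Dry-run by default: it prints the commands. Run with IPT=iptables as root
# to apply them. Interface name, proxy port and MACs are assumed placeholders.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Allowed IP -> MAC pairs, one per line (constructed placeholder MACs).
ALLOWED="
192.168.10.69 02:02:A5:00:00:01
192.168.10.73 00:0C:6E:00:00:02
192.168.10.70 00:11:2F:00:00:03
"

build_rules() {
    # filter table: default-deny for forwarded traffic, explicit rules for INPUT.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -F INPUT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # nat table: start from an empty PREROUTING chain; nothing else lives here.
    $IPT -t nat -F PREROUTING

    echo "$ALLOWED" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        # Only this IP/MAC pair may be forwarded (everything that is not port 80).
        $IPT -A FORWARD -i "$LAN_IF" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
        # REDIRECT rewrites the destination to the firewall itself, so the
        # proxied connections arrive via INPUT, not FORWARD: allow them there.
        $IPT -A INPUT -i "$LAN_IF" -s "$ip" -m mac --mac-source "$mac" \
            -p tcp --dport "$PROXY_PORT" -j ACCEPT
        # nat PREROUTING sees only the first packet of a connection; the only
        # decision made here is "send port 80 to squid" for accepted pairs.
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$ip" -m mac --mac-source "$mac" \
            -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    done
    # LAN traffic that matched no pair falls through to the FORWARD DROP policy;
    # log it first so changed or unknown MACs show up in the firewall log.
    $IPT -A FORWARD -i "$LAN_IF" -j LOG --log-prefix "fw-unknown-host: "
    $IPT -A INPUT -i "$LAN_IF" -j DROP
}

build_rules
```

The nat table is consulted only for the first packet of a new connection, and ACCEPT, DROP and REDIRECT are all terminating targets, so putting ACCEPT or DROP in nat PREROUTING never does more than decide whether that first packet reaches the REDIRECT; keeping the table to REDIRECT rules alone avoids that interaction. The `-m mac` match only checks the source MAC on the segment the packet arrives from, so it is an extra hurdle rather than strong authentication; the LOG rule is there so mismatches are at least visible.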
 
Old 12-22-2004, 06:30 AM   #4
mchanea
LQ Newbie
 
Registered: Jan 2004
Location: Rio de Janeiro - Brasil
Distribution: debian/rh
Posts: 18

Original Poster
Rep: Reputation: 0
The problem is that if I put the REDIRECT rule right before the DROP one, it will still not work, because as soon as the packets pass through the ACCEPT rule they go straight from the NAT table to the filter table.
The only thing I need is that the IP/MAC matching is checked first and, if they match (i.e. the user is accepted), the packets with port 80 as destination are redirected to squid; otherwise, they continue to the filter table.
Just to make it clear, I also have the same rules for IP/MAC matching on the filter FORWARD table.

About the mangle table, could you be more specific? The only use I've ever made in mangle was marking packets. Is the mangle table read before the NAT table? Do you know any link on the internet that shows the exact order of the netfilter tables?
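The chain-traversal behaviour posts #2 and #4 are arguing about, as an added example that is not part of the thread: a toy first-match evaluator for a single netfilter chain, run over the posted nat PREROUTING chain, over post #4's variant (REDIRECT just before DROP) and over post #2's variant (REDIRECT first). The rule format, the packet descriptions and the MAC addresses are constructed for this demonstration; only exact IPs and /24 prefixes are understood.

```shell
#!/bin/sh
# Added example, not from the thread: a toy first-match evaluator for one
# netfilter chain, showing why a REDIRECT placed after ACCEPT or DROP rules
# in the same chain is never reached. Rule lines use a constructed format:
#   src  mac  proto  dport  target      ('-' = any; IPs exact or /24 prefixes)

ip_matches() {   # $1 = rule source spec, $2 = packet source IP
    case "$1" in
        -)    return 0 ;;
        */24) [ "${1%.*/24}" = "${2%.*}" ] ;;   # compare the first three octets
        *)    [ "$1" = "$2" ] ;;
    esac
}

# first_match RULES SRC MAC PROTO DPORT -> prints the target that fires.
# ACCEPT, DROP and REDIRECT are all terminating: the first hit ends traversal.
first_match() {
    rules=$1; psrc=$2; pmac=$3; pproto=$4; pdport=$5
    hit=$(echo "$rules" | while read -r rsrc rmac rproto rdport target; do
        [ -n "$rsrc" ] || continue
        ip_matches "$rsrc" "$psrc" || continue
        [ "$rmac"   = "-" ] || [ "$rmac"   = "$pmac"   ] || continue
        [ "$rproto" = "-" ] || [ "$rproto" = "$pproto" ] || continue
        [ "$rdport" = "-" ] || [ "$rdport" = "$pdport" ] || continue
        echo "$target"
        break
    done)
    echo "${hit:-ACCEPT}"   # the chain policy (ACCEPT) applies when nothing matched
}

# The chain as posted (MACs are constructed placeholders, as in the thread).
ORIGINAL="
192.168.10.69   02:02:A5:00:00:01 -   -  ACCEPT
192.168.10.73   00:0C:6E:00:00:02 -   -  ACCEPT
192.168.10.70   00:11:2F:00:00:03 -   -  ACCEPT
192.168.10.0/24 -                 -   -  DROP
192.168.10.0/24 -                 tcp 80 REDIRECT
"
# Post #4's variant: REDIRECT just before DROP, still after the ACCEPTs.
BEFORE_DROP="
192.168.10.69   02:02:A5:00:00:01 -   -  ACCEPT
192.168.10.73   00:0C:6E:00:00:02 -   -  ACCEPT
192.168.10.70   00:11:2F:00:00:03 -   -  ACCEPT
192.168.10.0/24 -                 tcp 80 REDIRECT
192.168.10.0/24 -                 -   -  DROP
"
# Post #2's variant: REDIRECT first.
REDIRECT_FIRST="
192.168.10.0/24 -                 tcp 80 REDIRECT
192.168.10.69   02:02:A5:00:00:01 -   -  ACCEPT
192.168.10.73   00:0C:6E:00:00:02 -   -  ACCEPT
192.168.10.70   00:11:2F:00:00:03 -   -  ACCEPT
192.168.10.0/24 -                 -   -  DROP
"

show() {   # $1 = label, $2 = rules: evaluate three constructed packets
    printf '%-15s allowed host, port 80:    %s\n' "$1" \
        "$(first_match "$2" 192.168.10.69 02:02:A5:00:00:01 tcp 80)"
    printf '%-15s allowed IP, wrong MAC:    %s\n' "$1" \
        "$(first_match "$2" 192.168.10.69 de:ad:be:ef:00:00 tcp 443)"
    printf '%-15s unknown host, port 80:    %s\n' "$1" \
        "$(first_match "$2" 192.168.10.99 de:ad:be:ef:00:00 tcp 80)"
}

show ORIGINAL "$ORIGINAL"
show BEFORE_DROP "$BEFORE_DROP"
show REDIRECT_FIRST "$REDIRECT_FIRST"
```

In the posted order an allowed host hits its ACCEPT and leaves the chain, so its port-80 traffic is never redirected, exactly as post #4 describes; with REDIRECT first, allowed hosts are redirected, but so is every other host on the subnet, because the DROP below is never consulted for port 80. Either way the chain cannot both redirect and enforce the IP/MAC pairs, which is why the pairs belong in the filter table and nat PREROUTING should carry only the REDIRECT.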
 
Old 12-22-2004, 06:42 AM   #5
mchanea
LQ Newbie
 
Registered: Jan 2004
Location: Rio de Janeiro - Brasil
Distribution: debian/rh
Posts: 18

Original Poster
Rep: Reputation: 0
I asked about the Netfilter order and I have just found an excellent link:


http://www.faqs.org/docs/iptables/tr...goftables.html

I will study it deeply to see if it helps.
 
All times are GMT -5. The time now is 09:19 PM.