Revision 10 as of 2005-03-10 04:06:01 (Editor: WikiMinion)
Revision 12 as of 2005-03-16 09:08:15 (Editor: WikiMinion)

Notes on nocat exception rules.

These are notes from an attempt to adapt the script posted at [http://lists.nocat.net/pipermail/nocat/2003-August/003543.html] for use at PTP Node375; they should eventually be generalized.

An earlier post is simpler and does not include the port forwarding. [http://lists.nocat.net/pipermail/nocat/2003-February/002816.html]

Two cases:

  • Allow a specific (IP address, MAC address) pair through the firewall before the nocat splash rules apply. (nocat exception)
  • Allow inbound traffic to specific ports on the external interface of the nocat box to be forwarded to an internal machine. (port forwarding)

Currently this setup works in the first case but not the second. One difference from the original post is when the script is called. I simplified by putting it into initialize.fw, and perhaps it should happen elsewhere, as dmzs recommends.

Setup notes for Node375

A. Add the following line to the end of /usr/share/nocatauth/gateway/bin/initialize.fw

  • /usr/share/nocatauth/gateway/bin/intel.rules.sh

B. Add the following lines to /etc/dhcpd.conf

  • host cowcam {
     hardware ethernet 00:06:25:1A:5E:57;
     fixed-address 10.11.19.12;
     option host-name "cowcam";
    }
    
    host bbs {
     hardware ethernet 00:04:23:48:7E:98;
     fixed-address 10.11.19.99;
     option host-name "bbs";
    }

C. Create new file /usr/share/nocatauth/gateway/bin/intel.rules.sh

  • and change permissions to a+x
  • #!/bin/sh
    # Owner exceptions and port forwards for Node375: one call per host and per protocol
    /usr/share/nocatauth/gateway/bin/exception-portfwd.sh permit 10.11.19.99 00:04:23:48:7E:98 eth0 19931 5631 tcp
    /usr/share/nocatauth/gateway/bin/exception-portfwd.sh permit 10.11.19.12 00:06:25:1A:5E:57 eth0 11231 5631 tcp
    /usr/share/nocatauth/gateway/bin/exception-portfwd.sh permit 10.11.19.99 00:04:23:48:7E:98 eth0 19932 5632 udp
    /usr/share/nocatauth/gateway/bin/exception-portfwd.sh permit 10.11.19.12 00:06:25:1A:5E:57 eth0 11232 5632 udp

NOTE: Because the protocol is a single command-line argument, each host needs one call per protocol, and every call repeats the host's mangle, FORWARD and MASQUERADE rules; only the DNAT rule differs. The script needs to be reworked to fix this.

D. Create new file /usr/share/nocatauth/gateway/bin/exception-portfwd.sh

  • and change permissions to a+x
  • #!/bin/sh
    ##
    # 02-14-03 dmz@dmzs.com
    # 02-16-03 dmz@dmzs.com - modified to work with host on specific interface
    # 07-30-03 dmz@dmzs.com - added inbound DNAT redirection from extport to dstport on specified host
    # 09-03-04 amj@personaltelco.net - added seventh option to support tcp|udp portfwd cmd line option
    #
    # eth0 is default outbound interface
    #
    # Set a permanent exception to the NoCat rules.
    #
    # This is useful to run at boot time, after you load the firewall
    # modules, but before bin/gateway runs.
    #
    # NOTE: To use elsewhere change EXTIP, the external ip of the nocat box, below.
    #
    EXTIP=64.122.41.37
    
    if [ -z "$1" -o -z "$2" -o -z "$3" -o -z "$4" ]; then
      echo "Usage:  $0 [permit|deny] [ host ] [ mac address ] [ eth ] [ extport ] [ dstport ] [ tcp|udp ]"
      echo
      echo "Adds a host + MAC to the exception list for NoCat.  Any machine"
      echo "specified by this utility won't have to login, and will be granted"
      echo "owner status."
      exit 1
    fi
    
    # Port forwarding is optional, but if extport is given, dstport and tcp|udp are required
    if [ "$5" ]; then
      if [ -z "$6" ] || [ "$7" != "tcp" -a "$7" != "udp" ]; then
        echo "FATAL: port forwarding needs [ extport ] [ dstport ] [ tcp|udp ]"
        exit 1
      fi
    fi
    
    if [ "$1" = "permit" ]; then
      # Mangle packet for source IP & MAC, set to Owner level (MARK 1)
      echo iptables -t mangle -A PREROUTING -i "$4" -m mac --mac-source "$3" -s "$2" -j MARK --set-mark 1
      iptables -t mangle -A PREROUTING -i "$4" -m mac --mac-source "$3" -s "$2" -j MARK --set-mark 1
      # Insert at top of FORWARD filter to forward traffic for IP (masq handled by MARK) in $4 out eth0
      echo iptables -t filter -I FORWARD 1 -i "$4" -s "$2" -j ACCEPT
      iptables -t filter -I FORWARD 1 -i "$4" -s "$2" -j ACCEPT
      echo iptables -t filter -I FORWARD 1 -i eth0 -d "$2" -j ACCEPT
      iptables -t filter -I FORWARD 1 -i eth0 -d "$2" -j ACCEPT
      # Insert MASQ rule for permitted host
      echo iptables -t nat -I POSTROUTING 1 -o eth0 -s "$2" -m mark --mark 1 -j MASQUERADE
      iptables -t nat -I POSTROUTING 1 -o eth0 -s "$2" -m mark --mark 1 -j MASQUERADE
      # Insert port forwarding if in cmd line: extport on the external ip -> host:dstport
      if [ "$5" ]; then
        echo iptables -t nat -I PREROUTING 1 -i eth0 -d "$EXTIP" -p "$7" --dport "$5" -j DNAT --to-destination "$2:$6"
        iptables -t nat -I PREROUTING 1 -i eth0 -d "$EXTIP" -p "$7" --dport "$5" -j DNAT --to-destination "$2:$6"
      fi
    elif [ "$1" = "deny" ]; then
      # Delete Mangle packet for source IP & MAC, set to Owner level (MARK 1)
      echo iptables -t mangle -D PREROUTING -i "$4" -m mac --mac-source "$3" -s "$2" -j MARK --set-mark 1
      iptables -t mangle -D PREROUTING -i "$4" -m mac --mac-source "$3" -s "$2" -j MARK --set-mark 1
      # Delete the FORWARD filter rules for IP (masq handled by MARK)
      echo iptables -t filter -D FORWARD -i "$4" -s "$2" -j ACCEPT
      iptables -t filter -D FORWARD -i "$4" -s "$2" -j ACCEPT
      echo iptables -t filter -D FORWARD -i eth0 -d "$2" -j ACCEPT
      iptables -t filter -D FORWARD -i eth0 -d "$2" -j ACCEPT
      # Delete MASQ rule for permitted host
      echo iptables -t nat -D POSTROUTING -o eth0 -s "$2" -m mark --mark 1 -j MASQUERADE
      iptables -t nat -D POSTROUTING -o eth0 -s "$2" -m mark --mark 1 -j MASQUERADE
      # Delete port forwarding if in cmd line
      if [ "$5" ]; then
        echo iptables -t nat -D PREROUTING -i eth0 -d "$EXTIP" -p "$7" --dport "$5" -j DNAT --to-destination "$2:$6"
        iptables -t nat -D PREROUTING -i eth0 -d "$EXTIP" -p "$7" --dport "$5" -j DNAT --to-destination "$2:$6"
      fi
    else
      echo "FATAL: Bad action: $1!"
      exit 1
    fi

E. Restart the services

  • /etc/init.d/dhcp restart  
    /etc/init.d/nocatauth-gateway restart
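Steps A to E above form one procedure, and the NOTE in step C points out that passing tcp or udp as a single argument forces one call per protocol, which repeats the host's mangle, FORWARD and MASQUERADE rules. The script below is an added example, not part of the original wiki page and not dmz's exception-portfwd.sh: it reads the fixed-address host blocks from a dhcpd.conf like the one in step B, emits the owner-exception rules once per host, and then one DNAT rule per proto:extport:dstport spec, so the IP/MAC pair the firewall trusts is the one DHCP actually hands out. The hostnames, IP/MAC pairs, ports and external address come from the page; the function names, the proto:extport:dstport spec format, the sample config path, and IPT defaulting to a dry run that only prints the rules are assumptions of this example.

```shell
#!/bin/sh
# Added example; not the wiki page's or dmz's script.
# Generates the NoCat owner-exception rules once per host and one DNAT
# rule per forwarded port, using the IP/MAC reservation from dhcpd.conf.
# IPT defaults to a dry run that prints the rules; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"            # outbound interface (page uses eth0)
EXT_IP="${EXT_IP:-64.122.41.37}"    # external ip of the nocat box (from the page's script)

# dhcp_pairs FILE -> "hostname ip mac" for every host block with a fixed-address
dhcp_pairs() {
    awk '
        /^[ \t]*host[ \t]+/ { name = $2 }
        /hardware ethernet/ { mac = $3; sub(/;$/, "", mac) }
        /fixed-address/     { ip = $2;  sub(/;$/, "", ip) }
        /^[ \t]*}/ && name != "" && ip != "" && mac != "" {
            print name, ip, mac; name = ip = mac = ""
        }
    ' "$1"
}

# base_rules permit|deny IP MAC IN_IF -> mangle MARK 1, FORWARD both ways, MASQUERADE
base_rules() {
    case $1 in
        permit) add=-A ins=-I pos=1 ;;
        deny)   add=-D ins=-D pos=  ;;
        *) echo "FATAL: bad action: $1" >&2; return 1 ;;
    esac
    $IPT -t mangle $add PREROUTING -i "$4" -m mac --mac-source "$3" -s "$2" -j MARK --set-mark 1
    $IPT -t filter $ins FORWARD $pos -i "$4" -s "$2" -j ACCEPT
    $IPT -t filter $ins FORWARD $pos -i "$EXT_IF" -d "$2" -j ACCEPT
    $IPT -t nat $ins POSTROUTING $pos -o "$EXT_IF" -s "$2" -m mark --mark 1 -j MASQUERADE
}

# fwd_rules permit|deny IP SPEC... where SPEC is proto:extport:dstport (assumed format)
fwd_rules() {
    act=$1 ip=$2; shift 2
    for spec in "$@"; do
        proto=${spec%%:*}; rest=${spec#*:}
        extport=${rest%%:*}; dstport=${rest#*:}
        case $proto in tcp|udp) ;; *) echo "FATAL: bad spec: $spec" >&2; return 1 ;; esac
        case $act in
            permit) op="-I PREROUTING 1" ;;
            deny)   op="-D PREROUTING" ;;
        esac
        $IPT -t nat $op -i "$EXT_IF" -d "$EXT_IP" -p "$proto" --dport "$extport" \
            -j DNAT --to-destination "$ip:$dstport"
    done
}

# exception permit|deny HOSTNAME DHCPD_CONF IN_IF [SPEC...]
# Looks the host up in dhcpd.conf so the firewall exception uses the same
# IP/MAC pair that DHCP hands out (step B and step C must agree).
exception() {
    pair=$(dhcp_pairs "$3" | awk -v n="$2" '$1 == n { print $2, $3 }')
    if [ -z "$pair" ]; then
        echo "FATAL: no fixed-address host '$2' in $3" >&2; return 1
    fi
    hip=${pair%% *}; hmac=${pair#* }
    base_rules "$1" "$hip" "$hmac" "$4" || return 1
    act=$1; shift 4
    fwd_rules "$act" "$hip" "$@"
}

# write_sample_conf FILE: constructed dhcpd.conf matching step B on the page
write_sample_conf() {
    cat > "$1" <<'EOF'
host cowcam {
  hardware ethernet 00:06:25:1A:5E:57;
  fixed-address 10.11.19.12;
  option host-name "cowcam";
}

host bbs {
  hardware ethernet 00:04:23:48:7E:98;
  fixed-address 10.11.19.99;
  option host-name "bbs";
}
EOF
}

# Dry run over the page's two hosts: replaces the four calls in step C with two.
demo() {
    conf="${TMPDIR:-/tmp}/nocat-example-dhcpd.conf"
    write_sample_conf "$conf"
    exception permit bbs    "$conf" eth0 tcp:19931:5631 udp:19932:5632
    exception permit cowcam "$conf" eth0 tcp:11231:5631 udp:11232:5632
}
demo
```

Run as-is it prints the rules it would apply; with IPT=iptables it applies them. The deny action uses the same functions with -D, so the set of rules removed always mirrors the set added, and a host missing from dhcpd.conf or a spec with a protocol other than tcp or udp is refused before any rule is touched.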

NoCatException (last edited 2007-11-23 18:01:12 by localhost)