Notes on nocat exception rules.

Here are notes of an attempt to adapt [http://lists.nocat.net/pipermail/nocat/2003-August/003543.html] for use at PTP Node375 and should eventually be generalized.

An earlier post is simpler and does not include the port forwarding. [http://lists.nocat.net/pipermail/nocat/2003-February/002816.html]

Two cases:

• Allow a specific ip_number,mac_addr pair through firewall before nocat splash rules apply. (nocat exception)
• Allow inbound traffic to specific ports of the external interface of the nocat box to forward into an internal machine. (port forwarding)

Currently this setup works in the first case but not the second. One thing that is different here is when the script is called. I simpilifed by putting it into initialize.fw and perhaps it should happen elsewhere as dmzs recommends.

Setup notes for Node375

A. Add the following line to the end of /usr/share/nocatauth/gateway/bin/initialize.fw

• /usr/share/nocatauth/gateway/bin/intel.rules.sh

B. Add the following lines to /etc/dhcpd.conf

• host cowcam {
   hardware ethernet 00:06:25:1A:5E:57;
   fixed-address 10.11.19.12;
   option host-name "cowcam";
  }
  
  host bbs {
   hardware ethernet 00:04:23:48:7E:98;
   fixed-address 10.11.19.99;
   option host-name "bbs";
  }

C. Create new file /usr/share/nocatauth/gateway/bin/intel.rules.sh

• and change permissions to a+x

• /usr/share/nocatauth/gateway/bin/exception-portfwd.sh permit 10.11.19.99 00:04:23:48:7E:98 eth0 19931 5631 tcp
  /usr/share/nocatauth/gateway/bin/exception-portfwd.sh permit 10.11.19.12 00:06:25:1A:5E:57 eth0 11231 5631 tcp
  /usr/share/nocatauth/gateway/bin/exception-portfwd.sh permit 10.11.19.99 00:04:23:48:7E:98 eth0 19932 5632 udp
  /usr/share/nocatauth/gateway/bin/exception-portfwd.sh permit 10.11.19.12 00:06:25:1A:5E:57 eth0 11232 5632 udp

NOTE: This leads to extra rules that are redundant in order to allow tcp and udp to be set on the command line. The script needs to be reworked to fix.

D. Create new file /usr/share/nocatauth/gateway/bin/exception-portfwd.sh

• and change permissions to a+x

• ##
  # 02-14-03 dmz@dmzs.com
  # 02-16-03 dmz@dmzs.com - modified to work with host on specific interface
  # 07-30-03 dmz@dmzs.com - added inbound DNAT redirection from extport to dstport on specified host
  # 09-03-04 amj@personaltelco.net - added seventh option to support tcp|udp portfwd cmd line option
  #
  # eth0 is default outbound interface
  #
  # Set a permanent exception to the NoCat rules.
  #
  # This is useful to run at boot time, after you load the firewall
  # modules, but before bin/gateway runs.
  #
  # NOTE: To use elsewhere change the external ip for the nocat box in the script below. 
  #
  if [ -z "$1" -o -z "$2" -o -z "$3" -o -z "$4" ]; then
    echo "Usage:  $0 [permit|deny] [ host ] [ mac address ] [ eth ] [ extport ] [ dstport ] [ tcp|udp ]"
    echo
    echo "Adds a host + MAC to the exception list for NoCat.  Any machine"
    echo "specified by this utility won't have to login, and will be granted"
    echo "owner status."
    exit 1
  fi
  
  if [ "$1" = "permit" ]; then
    # Mangle packet for source IP & MAC, set to Owner level (MARK 1)
      echo iptables -t mangle -A PREROUTING -i $4 -m mac --mac-source $3 -s $2 -j MARK --set-mark 1
      iptables -t mangle -A PREROUTING -i $4 -m mac --mac-source $3 -s $2 -j MARK --set-mark 1
    # Insert at top of FORWARD filter to forward traffic for IP (masq handled by MARK) in $4 out eth0
      echo iptables -t filter -I FORWARD 1 -i $4 -s $2 -j ACCEPT
      iptables -t filter -I FORWARD 1 -i $4 -s $2 -j ACCEPT
      echo iptables -t filter -I FORWARD 1 -i eth0 -d $2 -j ACCEPT
      iptables -t filter -I FORWARD 1 -i eth0 -d $2 -j ACCEPT
    # Insert MASQ rule for permitted host
      echo iptables -t nat -I POSTROUTING 1 -o eth0 -s $2 -m mark --mark 1 -j MASQUERADE
      iptables -t nat -I POSTROUTING 1 -o eth0 -s $2 -m mark --mark 1 -j MASQUERADE
    # Insert port forwarding if in cmd line
      if [ "$5" ]; then
        iptables -t nat -I PREROUTING 1 -i eth0 -d 64.122.41.37 -p $7 --dport $5 -j DNAT --to-destination $2:$6
        echo iptables -t nat -I PREROUTING 1 -i eth0 -d 64.122.41.37 -p $7 --dport $5 -j DNAT --to-destination $2:$6
      fi
  elif [ "$1" = "deny" ]; then
    # Delete Mangle packet for source IP & MAC, set to Owner level (MARK 1)
    echo iptables -t mangle -D PREROUTING -i $4 -m mac --mac-source $3 -s $2 -j MARK --set-mark 1
      iptables -t mangle -D PREROUTING -i $4 -m mac --mac-source $3 -s $2 -j MARK --set-mark 1
    # Delete at top of FORWARD filter to forward traffic for IP (masq handled by MARK)
      echo iptables -t filter -D FORWARD -i $4 -s $2 -j ACCEPT
      iptables -t filter -D FORWARD  -s $2 -i $4 -j ACCEPT
     echo iptables -t filter -D FORWARD -i eth0 -d $2 -j ACCEPT
      iptables -t filter -D FORWARD -i eth0 -d $2 -j ACCEPT
    # Delete MASQ rule for permitted host
      echo iptables -t nat -D POSTROUTING -o eth0 -s $2 -m mark --mark 1 -j MASQUERADE
      iptables -t nat -D POSTROUTING -o eth0 -s $2 -m mark --mark 1 -j MASQUERADE
      if [ "$5" ]; then
        iptables -t nat -D PREROUTING -i eth0 -d 64.122.41.37 -p $7 --dport $5 -j DNAT --to-destination $2:$6
        echo iptables -t nat -D PREROUTING -i eth0 -d 64.122.41.37 -p $7 --dport $5 -j DNAT --to-destination $2:$6
      fi
  else
      echo "FATAL: Bad action: $action!"
      exit 1
  fi

E. Restart the services

• /etc/init.d/dhcp restart  
  /etc/init.d/nocatauth-gateway restart