|
|
Sponsored Content
Top Forums
UNIX for Dummies Questions & Answers
LAN traffic rerouting to web server
Post 302182009 by J-Fal on Friday 4th of April 2008 09:40:25 PM
04-04-2008
Thank you for the term era. I'd never heard of a walled garden, but after a search did find out some info about how it could be set up.
What I've decided to do is use DNSmasq to act as a DHCP server on the LAN, then use iptables to do all the routing. I switched the IPs a little bit, but the idea is the same.
Router IP - 192.168.0.254
web server - 192.168.0.253
DHCP IPs - 192.168.0.1 - 192.168.0.8
Rarely connected machine for admin stuff - 192.168.0.171 (I know it's no more secure this way really, just a way to potentially log access)
Subnet - 255.255.255.0
Can you help me out and tell me if I'm going the right direction here?
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.1-192.168.0.8 --dport 80 -j DNAT --to-destination 192.168.0.253:80
iptables -A INPUT -p tcp -s 192.168.0.171 -d 192.168.0.254 --dport 45170 -j ACCEPT
If a wireless client attempts to do anything with TCP, where the destination port is 80 (HTTP) its destination is changed to the web server IP and port, and the packet is routed there. The web server is running on Apache at port 80.
If I use an address outside of the DHCP assigned area ( .171 in this case), and the packet is destined for the router itself at a specific port, the router will allow that packet to go through (still need to know the username and 4096-bit passcode to get in). The firmware on the router allows for wireless clients to be oblivious to each other.
How would I blackhole all packets after this point? I mean, if the packet is anything other than a TCP packet destined for port 80 from a DHCP assigned LAN IP, or from my "special" IP to the router at the special 45170 port for administration, how would I go ahead and just drop that packet at that point? I know there are other things that have to be allowed before packets can just be dropped (ICMP echo requests can be dropped, all IPv6 packets)...
I'm new to iptables and find this a little confusing. I will have to go through the tables already on the router to see how I will need to alter them for what I need.
Thank you for all the help!
What I've decided to do is use DNSmasq to act as a DHCP server on the LAN, then use iptables to do all the routing. I switched the IPs a little bit, but the idea is the same.
Router IP - 192.168.0.254
web server - 192.168.0.253
DHCP IPs - 192.168.0.1 - 192.168.0.8
Rarely connected machine for admin stuff - 192.168.0.171 (I know it's no more secure this way really, just a way to potentially log access)
Subnet - 255.255.255.0
Can you help me out and tell me if I'm going the right direction here?
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.1-192.168.0.8 --dport 80 -j DNAT --to-destination 192.168.0.253:80
iptables -A INPUT -p tcp -s 192.168.0.171 -d 192.168.0.254 --dport 45170 -j ACCEPT
If a wireless client attempts to do anything with TCP, where the destination port is 80 (HTTP) its destination is changed to the web server IP and port, and the packet is routed there. The web server is running on Apache at port 80.
If I use an address outside of the DHCP assigned area ( .171 in this case), and the packet is destined for the router itself at a specific port, the router will allow that packet to go through (still need to know the username and 4096-bit passcode to get in). The firmware on the router allows for wireless clients to be oblivious to each other.
How would I blackhole all packets after this point? I mean, if the packet is anything other than a TCP packet destined for port 80 from a DHCP assigned LAN IP, or from my "special" IP to the router at the special 45170 port for administration, how would I go ahead and just drop that packet at that point? I know there are other things that have to be allowed before packets can just be dropped (ICMP echo requests can be dropped, all IPv6 packets)...
I'm new to iptables and find this a little confusing. I will have to go through the tables already on the router to see how I will need to alter them for what I need.
Thank you for all the help!
|
|
4 More Discussions You Might Find Interesting
1. IP Networking
Ok! I started to do something and I got lost...and crazy! I got MW2000S gateway device that provides wireless internet access! It is configured to work as NAT. Clients connect to MW and have access to internet and it works beautifully! And now! In the same network I have Ubuntu machine. First I... (0 Replies)
Discussion started by: salvor_hardin
0 Replies
2. Web Development
I have installed WAMPSERVER 2.0 on my windows vista x64 system but still am having issues with getting the webserver to be seen outside my local network. It is working fine within my local network.
Been through several setup tutorials so far, no dice still.
For testing purposes I have... (1 Reply)
Discussion started by: davidmanvell
1 Replies
3. IP Networking
Network map:
WAN external interface 192.0.0.0 network
|
WAN internal interface 192.0.3.0 network
|
192.0.3.0 LAN
|
wireless router 192.0.3.1
|
DSL modem 192.0.3.2
The problem I am having is that some traffic from the 192.0.3.0 LAN seems to be "leaking" onto the 192.0.0.0 WAN. I... (0 Replies)
Discussion started by: herot
0 Replies
4. IP Networking
Hi,
I would like to ask some networking solution regarding my work LAN and 3G usb network problem. I want to route my internet traffic to the 3G network and sometimes connect to some of my work network for ssh to configure some workstation or print something. Currently my problem is i can't... (0 Replies)
Discussion started by: jao_madn
0 Replies
LEARN ABOUT FREEBSD
if_gre
GRE(4) BSD Kernel Interfaces Manual GRE(4) NAME
gre -- encapsulating network device SYNOPSIS
To compile the driver into the kernel, place the following line in the kernel configuration file: device gre Alternatively, to load the driver as a module at boot time, place the following line in loader.conf(5): if_gre_load="YES" DESCRIPTION
The gre network interface pseudo device encapsulates datagrams into IP. These encapsulated datagrams are routed to a destination host, where they are decapsulated and further routed to their final destination. The ``tunnel'' appears to the inner datagrams as one hop. gre interfaces are dynamically created and destroyed with the ifconfig(8) create and destroy subcommands. This driver corresponds to RFC 2784. Encapsulated datagrams are prepended an outer datagram and a GRE header. The GRE header specifies the type of the encapsulated datagram and thus allows for tunneling other protocols than IP. GRE mode is also the default tunnel mode on Cisco routers. gre also supports Cisco WCCP protocol, both version 1 and version 2. The gre interfaces support a number of additional parameters to the ifconfig(8): grekey Set the GRE key used for outgoing packets. A value of 0 disables the key option. enable_csum Enables checksum calculation for outgoing packets. enable_seq Enables use of sequence number field in the GRE header for outgoing packets. EXAMPLES
192.168.1.* --- Router A -------tunnel-------- Router B --- 192.168.2.* / / +------ the Internet ------+ Assuming router A has the (external) IP address A and the internal address 192.168.1.1, while router B has external address B and internal address 192.168.2.1, the following commands will configure the tunnel: On router A: ifconfig greN create ifconfig greN inet 192.168.1.1 192.168.2.1 ifconfig greN inet tunnel A B route add -net 192.168.2 -netmask 255.255.255.0 192.168.2.1 On router B: ifconfig greN create ifconfig greN inet 192.168.2.1 192.168.1.1 ifconfig greN inet tunnel B A route add -net 192.168.1 -netmask 255.255.255.0 192.168.1.1 NOTES
The MTU of gre interfaces is set to 1476 by default, to match the value used by Cisco routers. This may not be an optimal value, depending on the link between the two tunnel endpoints. It can be adjusted via ifconfig(8). For correct operation, the gre device needs a route to the decapsulating host that does not run over the tunnel, as this would be a loop. The kernel must be set to forward datagrams by setting the net.inet.ip.forwarding sysctl(8) variable to non-zero. SEE ALSO
gif(4), inet(4), ip(4), me(4), netintro(4), protocols(5), ifconfig(8), sysctl(8) A description of GRE encapsulation can be found in RFC 2784 and RFC 2890. AUTHORS
Andrey V. Elsukov <ae@FreeBSD.org> Heiko W.Rupp <hwr@pilhuhn.de> BUGS
The current implementation uses the key only for outgoing packets. Incoming packets with a different key or without a key will be treated as if they would belong to this interface. The sequence number field also used only for outgoing packets. BSD
November 7, 2014 BSD