Iptables on lan clients

Midas

New Around Here
Hi, I'm trying to redirect packets from some IP sources (kind of transparent proxy).

I tried with HTTP traffic using this ip rule (both are wireless clients):

iptables -t nat -I PREROUTING -s 192.168.1.207 -p tcp --dport 80 -j DNAT --to 192.168.1.70

When I set this rule the client can't navigate outside the LAN, but if I try with 192.168.1.4 it opens the webpage. But in no case does 192.168.1.70, running "nc -l -p 80", get any connection.

If I set a log for this rule I can see that the rule is getting matches.

Any ideas?

Thanks in advance.
 
iptables -t nat -I PREROUTING -s 192.168.1.207 -p tcp --dport 80 -j DNAT --to 192.168.1.70

Don't know if it will help, but this is a rule I use to redirect an ip to an internal web page:
iptables -t nat -I PREROUTING 3 -p tcp -s 10.0.1.101 -j DNAT --to-destination 10.0.3.1:8000

Note that only http (80) traffic will see the web page. Any other traffic, such as https (443), will appear to go nowhere.

In this case, the source ip is on another subnet, but it will work with ips on the same subnet.

When i set this rule the client can't navigate outside the LAN but if i try with 192.168.1.4 it opens the webpage.
You mean when you navigate from 192.168.1.207 to 192.168.1.4? That should always work. Since you're going through the switch, you never hit the packet filtering rules. The rules only get hit when you go "through" the router. For example, navigating from an internal address to an Internet address.
 
Hi Thorgear, thanks for your reply.

Your rule looks like mine, but your redirect is in another subnet. I will try setting the proxy in different subnets. I've been reading that it can be a problem. I don't really understand why, but I will give it a try.

Your rule doesn't specify any port, isn't all traffic being redirected to 10.1.0.3.1:8000?

About capturing LAN to LAN traffic, is there no system software performing any task? Is it transparent to Linux?

Thanks a lot.
 
Your rule looks like mine, but your redirect is in another subnet. I will try setting the proxy in different subnets. I've been reading that it can be a problem. I don't really understand why, but I will give it a try.
No need. It will work as long as the destination is on the Internet. For example, if you are trying to navigate from 192.168.1.207 to 192.168.1.100, then you will go to .100 because you are going from a LAN port to another LAN port on the router. If you go from 192.168.1.207 to 209.86.60.46, then you will be redirected to 192.168.1.70 because you are going from a LAN port to the WAN port. You have to go "through" the router to hit the packet filtering.

Your rule doesn't specify any port, isn't all traffic being redirected to 10.1.0.3:8000?
That's correct. I use this to completely block a user. I'm running a mini web server on 10.0.1.3:8000. It shows a page that basically says, "pay up!". :) Traffic on any other port simply gets blocked.

About capturing LAN to LAN traffic, is there no system software performing any task? Is it transparent to Linux?
That's pretty much correct. All of the LAN ports are treated as a switch. Traffic goes in and out of the switch without actually hitting the routing part of the hardware. I'm not sure if it happens exclusively in the HW.
 
No need. It will work as long as the destination is on the Internet. For example, if you are trying to navigate from 192.168.1.207 to 192.168.1.100, then you will go to .100 because you are going from a LAN port to another LAN port on the router. If you go from 192.168.1.207 to 209.86.60.46, then you will be redirected to 192.168.1.70 because you are going from a LAN port to the WAN port. You have to go "through" the router to hit the packet filtering.

Then there should be something else. Setting a trace in the rule I can see that it is being hit, but the connection fails with a timeout. Navigating to the IP where the Apache server is works fine.

Thanks.
 
Then there should be something else. Setting a trace in the rule I can see that it is being hit, but the connection fails with a timeout. Navigating to the IP where the Apache server is works fine.
Hmm. I need more info. Can you give me a diagram?
 
Sure,

Let's say this config:

Mobile: 192.168.1.200, wireless
Linux listening on port 8080 using netcat: nc -l -p 8080 -k -v (192.168.1.70), wireless
Router IP: 192.168.1.1

prerouting rules:
target prot opt source destination
LOG tcp -- 192.168.1.200 0.0.0.0/0 tcp dpt:80 LOG flags 0 level 4 prefix "preroutingnat"
DNAT tcp -- 192.168.1.200 0.0.0.0/0 tcp dpt:80 to:192.168.1.70:8080
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1194

If I try to navigate to the Internet from the mobile, the rule should redirect HTTP to the Linux box, but it is not working. I can see the log of the rule, so packets are hitting the rule, but I can't see any connection in netcat on 192.168.1.70:8080.

Aug 3 12:41:09 kernel: preroutingnatIN=br0 OUT= MAC=xx:xx:xx:xx:xx SRC=192.168.1.200 DST=74.125.206.160 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9936 DF PROTO=TCP SPT=48612 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

UPDATE:
Setting this rule, it now works. Can someone explain why? I'd like to understand it:

iptables -t nat -I POSTROUTING -o br0 -s 192.168.1.200 -d 192.168.1.70 -p tcp -j SNAT --to 192.168.1.1

Thanks
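Added example, not code from the thread or from anyone posting in it: a small Python model of why the DNAT alone failed and the POSTROUTING SNAT fixed it. It uses the thread's addresses (the outside host and source port are the DST and SPT from the kernel log line above) and models br0 as a switch, as Thorgear described: a frame for another LAN host never passes the router's netfilter hooks. With DNAT only, netcat on 192.168.1.70 answers 192.168.1.200 directly, so the client gets a SYN-ACK from 192.168.1.70:8080 while it is waiting for one from 74.125.206.160:80 and discards it, which is what the timeout looks like. With the SNAT the reply is addressed to 192.168.1.1, so it goes back through the router, which reverses both translations. The model is simplified (no port remapping, one flow, no TCP state machine) and the rule conditions in the comments are the thread's own rules restated.

```python
from dataclasses import dataclass, replace

# Addresses taken from the thread. The outside host and the client's source port
# are the DST and SPT from the poster's kernel log line.
CLIENT, CLIENT_PORT = "192.168.1.200", 48612
PROXY, PROXY_PORT = "192.168.1.70", 8080
ROUTER_LAN = "192.168.1.1"
INTERNET_HOST = "74.125.206.160"


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Minimal model of the router's nat table and conntrack for this one flow."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        # reply 4-tuple -> packet as it arrived, which is what conntrack remembers
        self.conntrack = {}

    def forward(self, pkt: Pkt) -> Pkt:
        """Called only for packets that cross the router (LAN -> WAN)."""
        arrived = pkt
        # PREROUTING: -s 192.168.1.200 -p tcp --dport 80 -j DNAT --to 192.168.1.70:8080
        if pkt.src == CLIENT and pkt.dport == 80:
            pkt = replace(pkt, dst=PROXY, dport=PROXY_PORT)
        # POSTROUTING: -o br0 -s 192.168.1.200 -d 192.168.1.70 -p tcp -j SNAT --to 192.168.1.1
        if self.hairpin_snat and pkt.src == CLIENT and pkt.dst == PROXY:
            pkt = replace(pkt, src=ROUTER_LAN)
        self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = arrived
        return pkt

    def untranslate_reply(self, pkt: Pkt):
        """Reverse both translations for a reply that actually reaches the router."""
        arrived = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if arrived is None:
            return None
        return Pkt(arrived.dst, arrived.dport, arrived.src, arrived.sport)


def deliver_on_lan(pkt: Pkt, router: Router):
    """br0 behaves like a switch: a frame for another LAN host goes straight to it and
    never touches the router's netfilter hooks; only frames addressed to the router do."""
    if pkt.dst == ROUTER_LAN:
        return router.untranslate_reply(pkt)
    return pkt


def simulate(hairpin_snat: bool) -> dict:
    """Client sends a SYN to an Internet web server; return what each side saw."""
    router = Router(hairpin_snat)
    syn = Pkt(CLIENT, CLIENT_PORT, INTERNET_HOST, 80)
    at_proxy = router.forward(syn)
    # netcat on the proxy answers whatever source address it saw in the SYN
    syn_ack = Pkt(PROXY, PROXY_PORT, at_proxy.src, at_proxy.sport)
    at_client = deliver_on_lan(syn_ack, router)
    client_saw_peer = None if at_client is None else (at_client.src, at_client.sport)
    # The client's TCP stack only accepts a SYN-ACK from the peer it sent the SYN to.
    return {
        "proxy_saw_src": at_proxy.src,
        "client_saw_peer": client_saw_peer,
        "accepted": client_saw_peer == (INTERNET_HOST, 80),
    }


if __name__ == "__main__":
    for snat in (False, True):
        print("hairpin SNAT" if snat else "DNAT only   ", simulate(snat))
```

The trade-off shows up in `proxy_saw_src`: once the SNAT is in place, netcat (or a real proxy) on 192.168.1.70 sees every redirected connection as coming from 192.168.1.1, so its logs no longer identify the client. If that matters, the usual options are to put the proxy on a different subnet so the reply has to route through the router anyway, or to keep the SNAT but match it with `-m conntrack --ctstate DNAT` so it only rewrites connections the router itself redirected (a suggestion here, not something the thread tested).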
 