Access control script for Public Library

mark at ehle.homelinux.org
Fri Apr 1 00:54:05 CEST 2005


John - 

Thanks for your reply - most definitely not silly, or off the cuff. I am a
complete iptables newbie, so I will listen to anything. 

Actually, that is a part that I didn't change from the script that I am, well,
borrowing. Might that be the reason that dansguardian hangs when I start it up?
It did seem to me that it was not able to 'listen to itself', so to speak. 

Thanks again!

Mark Ehle
Computer Support Librarian
Willard Public Library 
Battle Creek, Michigan 

Quoting "John A. Sullivan III" <jsullivan at opensourcedevel.com>:
> This may be a silly, off the cuff reply, but, in your rules allowing
> traffic within the gateway, do you want interface lo0 as you have
> written or lo?
> -- 
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
> 
> If you would like to participate in the development of an open source
> enterprise class network security management system, please visit
> http://iscs.sourceforge.net
> 
> 

> On Thu, 2005-03-31 at 15:37 -0500, mark at ehle.homelinux.org wrote:
> > Hello - 
> > 
> > I am a complete iptables newbie who is trying to re-write a wireless hotspot
> > script that I found on the net to control internet access for our library
> > patrons. 
> > 
> > I found the script at: 
> > 
> > http://www.feedface.com/folkert/study/hotspot/src/firewall.sh.txt
> > 
> > I am trying to re-write it so that I can use squid and dansguardian to proxy
> > and filter the web. I need it to transparently proxy. I have a system set up
> > now that uses squid to grant or deny access, but it can only block web access;
> > my need is for a firewall that can block all network access so that a given
> > PC can't chat or play online games as well as surf the net after time has run
> > out.
> > 
> > The script, as far as I have gotten, works well. When I fire it up, my test
> > PC can't go anywhere except the sign up page (which it is redirected to no
> > matter what), and when I add the PC to the access list (by typing firewall.sh
> > add <ip> <mac>), that PC is able to surf. 
> > 
> > My problem comes in when I try to do the transparent proxy part. When I try
> > to add the rule: 
> > 
> > iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
> > 
> > to the script, it does not work, and dansguardian will not even start. I have
> > played around with various permutations of this rule, and have gotten
> > nowhere. 
> > 
> > Can anybody help? 
> > 
> > Thanks - 
> > 
> > Mark Ehle
> > =======
> > Following is the script (firewall.sh) as far as I have it:
> > 
> > #!/bin/bash
> > 
> > ###############################################################################
> > #   name: firewall.sh
> > # author: Mark Ehle
> > #   date: 03-30-05
> > # with much thanks given to Folkert Saathoff at http://www.feedface.com/folkert
> > ###############################################################################
> > 
> > #===========================
> > # variables
> > #===========================
> > 
> > # command-line arguments
> > COMMAND=$0
> > ACTION=$1
> > IP=$2
> > MAC=$3
> > 
> > # program locations
> > IPTABLES=/sbin/iptables
> > MODPROBE=/sbin/modprobe
> > DEPMOD=/sbin/depmod
> > 
> > # Local Network variables
> > LAN_GW="10.0.0.1"
> > LAN_NET="10.0.0.0/8"
> > LAN_INT="eth1"
> > 
> > # External network variables
> > EXT_INT_IP="<insert external interface ip here>"
> > EXT_INT="eth0"
> > 
> > #Name Server IP
> > NS="insert Name server ip here"
> > 
> > #===========================
> > # subroutines
> > #===========================
> > load_modules() {
> >     $DEPMOD -a
> >     # the list must stay unquoted so the loop sees one module name per pass
> >     for module in ip_conntrack ip_tables iptable_filter iptable_mangle \
> >                   iptable_nat ipt_LOG ipt_limit ipt_MASQUERADE; do
> >         $MODPROBE $module
> >     done
> >     return
> > }
> > 
> > start_ip_forwarding() {
> >     echo 1 > /proc/sys/net/ipv4/ip_forward
> >     return
> > }
> > 
> > show_usage()
> > {
> >     echo "usage:"
> >     echo "$COMMAND reset"
> >     echo "$COMMAND add IP MAC"
> >     echo "$COMMAND del IP MAC"
> >     exit 1
> > }
> > 
> > fferror()
> > {
> >     echo "^_^'"
> >     echo "error setting netfilter: $ACTION"
> >     exit 1
> > }
> > 
> > flush_tables() {
> >     for TABLE in filter nat mangle; do
> >         for SWITCH in F X Z; do
> >             $IPTABLES -t $TABLE -$SWITCH
> >         done
> >     done
> >     return
> > }
> > 
> > create_new_chains() {
> >     #filter chain for accepting authenticated clients 
> >     $IPTABLES -t filter -N fclient
> >     #filter chain for not rerouting authenticated clients 
> >     $IPTABLES -t nat -N dclient
> >     #filter chain for routing from authenticated clients 
> >     $IPTABLES -t nat -N sclient
> >     
> >     #default filter policy is DROP
> >     $IPTABLES -t filter -P INPUT DROP
> >     $IPTABLES -t filter -P OUTPUT DROP
> >     $IPTABLES -t filter -P FORWARD DROP
> > 
> >     return
> > }
> > 
> > reset_firewall() {
> > 
> >     load_modules
> >     start_ip_forwarding
> >     flush_tables
> >     create_new_chains
> > 
> >     #allow all local traffic
> >     $IPTABLES -t filter -A  INPUT -i lo0 -j ACCEPT
> >     $IPTABLES -t filter -A OUTPUT -o lo0 -j ACCEPT
> > 
> >     #allow all icmp traffic self<->lan
> >     $IPTABLES -t filter -A  INPUT -i $LAN_INT -s $LAN_NET -d $LAN_GW -p icmp -j ACCEPT
> >     $IPTABLES -t filter -A OUTPUT -o $LAN_INT -s $LAN_GW -d $LAN_NET -p icmp -j ACCEPT
> > 
> >     #allow all icmp traffic self<->inet
> >     $IPTABLES -t filter -A  INPUT -i $EXT_INT -d $EXT_INT_IP -p icmp -j ACCEPT
> >     $IPTABLES -t filter -A OUTPUT -o $EXT_INT -s $EXT_INT_IP -p icmp -j ACCEPT
> > 
> >     #allow dhcp traffic self<->lan
> >     $IPTABLES -t filter -A  INPUT -i $LAN_INT -s 0.0.0.0/0 -d 255.255.255.255 -p udp --dport 67:68 -j ACCEPT
> >     $IPTABLES -t filter -A OUTPUT -o $LAN_INT -s $LAN_GW -d $LAN_NET -p udp --sport 67:68 -j ACCEPT
> > 
> >     #allow all web traffic self<->lan
> >     for PORT in 80 443; do
> >         $IPTABLES -t filter -A  INPUT -i $LAN_INT -s $LAN_NET -d $LAN_GW -p tcp --dport $PORT -j ACCEPT
> >         $IPTABLES -t filter -A OUTPUT -o $LAN_INT -s $LAN_GW -d $LAN_NET -p tcp --sport $PORT -j ACCEPT
> >     done
> > 
> >     #allow all ssh and smb traffic to/from self
> >     for PORT in 22 139; do
> >         $IPTABLES -t filter -A  INPUT -p tcp --dport $PORT -j ACCEPT
> >         $IPTABLES -t filter -A OUTPUT -p tcp --sport $PORT -j ACCEPT
> >     done
> > 
> >     # allow dns
> >     $IPTABLES -t filter -A OUTPUT  -o $EXT_INT -s $EXT_INT_IP -d $NS -p udp --dport 53 -j ACCEPT
> >     $IPTABLES -t filter -A  INPUT  -i $EXT_INT -s $NS -d $EXT_INT_IP -p udp --sport 53 -j ACCEPT
> >     $IPTABLES -t filter -A FORWARD -i $LAN_INT -o $EXT_INT -s $LAN_NET -d $NS -p udp --dport 53 -j ACCEPT
> >     $IPTABLES -t filter -A FORWARD -i $EXT_INT -o $LAN_INT -s $NS -d $LAN_NET -p udp --sport 53 -j ACCEPT
> > 
> >     #enable source network address translation for dns
> >     $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -p udp --dport 53 -d $NS -o $EXT_INT -j SNAT --to $EXT_INT_IP
> > 
> >     #check for allowed clients -> inet
> >     $IPTABLES -t filter -A FORWARD -i $LAN_INT -o $EXT_INT -s $LAN_NET -j fclient
> >     #reject all other clients
> >     $IPTABLES -t filter -A FORWARD -i $LAN_INT -o $EXT_INT -s $LAN_NET -j REJECT --reject-with icmp-net-prohibited
> > 
> >     #allow established connections lan<->inet
> >     $IPTABLES -t filter -A FORWARD -i $EXT_INT -o $LAN_INT -d $LAN_NET -m state --state ESTABLISHED -j ACCEPT
> > 
> >     #snat traffic from authenticated clients
> >     $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -d ! $LAN_NET -j sclient
> > 
> >     #do not dnat traffic from authenticated clients
> >     $IPTABLES -t nat -A PREROUTING -i $LAN_INT -d ! $LAN_GW -j dclient
> > 
> >     #enable dnat to self for all web traffic
> >     for PORT in 80 443; do
> >         $IPTABLES -t nat -A PREROUTING -i $LAN_INT -d ! $LAN_GW -p tcp --dport $PORT -j DNAT --to $LAN_GW
> >     done
> > 
> >     #add default REJECT rule (just more polite than DROP)
> >     for CHAIN in INPUT OUTPUT FORWARD; do
> >         $IPTABLES -t filter -A $CHAIN -j REJECT
> >     done
> >     return
> > 
> > }
> > 
> > add_usage() {
> >     echo "usage:"
> >     echo "$COMMAND add IP MAC"
> >     exit 1
> > }
> > 
> > run_add() {
> >     # both IP and MAC are required
> >     [ -n "$IP" ] || add_usage; [ -n "$MAC" ] || add_usage
> >     #add client (each rule continues onto the next line with a backslash)
> >     $IPTABLES -t filter -A fclient -s $IP -m mac --mac-source $MAC -j ACCEPT \
> >         || fferror $?
> >     $IPTABLES -t nat    -A dclient -s $IP -m mac --mac-source $MAC -j ACCEPT \
> >         || fferror $?
> >     $IPTABLES -t nat    -A sclient -s $IP -d ! $LAN_NET -j SNAT --to $EXT_INT_IP \
> >         || fferror $?
> >     echo "added Client: IP $IP MAC $MAC"
> >     return
> > }
> > 
> > del_usage() {
> >     echo "usage:"
> >     echo "$COMMAND del IP MAC"
> >     exit 1
> > }
> > 
> > run_del() {
> >     # both IP and MAC are required
> >     [ -n "$IP" ] || del_usage; [ -n "$MAC" ] || del_usage
> >     #delete client
> >     $IPTABLES -t filter -D fclient -s $IP -m mac --mac-source $MAC -j ACCEPT \
> >         || fferror $?
> >     $IPTABLES -t nat    -D dclient -s $IP -m mac --mac-source $MAC -j ACCEPT \
> >         || fferror $?
> >     $IPTABLES -t nat    -D sclient -s $IP -d ! $LAN_NET -j SNAT --to $EXT_INT_IP \
> >         || fferror $?
> >     echo "removed Client: IP $IP MAC $MAC"
> >     return
> > }
> > 
> > #===========================
> > # Main 
> > #=========================== 
> > 
> > case "$ACTION" in
> >     reset ) reset_firewall;;
> >     add   ) run_add;;
> >     del   ) run_del;;
> >     *     ) show_usage;;
> > esac
> > 
> > exit
> > 
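As an added example (not code from this thread or from firewall.sh), these are the rules the transparent-proxy step needs alongside the posted script: the loopback interface under its Linux name, the openings that a DROP policy otherwise closes between client, dansguardian, squid and the web, and a per-client REDIRECT placed where the nat table will actually reach it. Interface names, networks and the 8080 port mirror the posted script; EXT_INT_IP, the sample client 10.0.0.5 and its MAC are constructed placeholders, and IPTABLES=echo prints the rules instead of loading them.

```shell
#!/bin/bash
# Added example, not part of the thread or of firewall.sh: the rules a transparent
# proxy needs on top of the posted script, emitted through $IPTABLES so that
# IPTABLES=echo gives a reviewable dry run. EXT_INT_IP is a constructed placeholder.
IPTABLES=${IPTABLES:-/sbin/iptables}
LAN_INT=eth1; LAN_NET=10.0.0.0/8; LAN_GW=10.0.0.1
EXT_INT=eth0; EXT_INT_IP=${EXT_INT_IP:-192.0.2.10}
PROXY_PORT=8080   # dansguardian listens here and hands requests to squid on 127.0.0.1

# Belongs in reset_firewall: every filter policy is DROP, so each hop between
# client, dansguardian, squid and the web has to be opened explicitly.
proxy_base_rules() {
    # The Linux loopback interface is "lo"; dansguardian -> squid rides on it.
    $IPTABLES -t filter -A INPUT  -i lo -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT
    # Clients -> proxy port on the gateway, and the proxy's replies.
    $IPTABLES -t filter -A INPUT  -i "$LAN_INT" -s "$LAN_NET" -d "$LAN_GW" \
        -p tcp --dport "$PROXY_PORT" -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o "$LAN_INT" -s "$LAN_GW" -d "$LAN_NET" \
        -p tcp --sport "$PROXY_PORT" -j ACCEPT
    # Squid fetching pages on the clients' behalf, and the replies.
    $IPTABLES -t filter -A OUTPUT -o "$EXT_INT" -s "$EXT_INT_IP" \
        -p tcp --dport 80 -j ACCEPT
    $IPTABLES -t filter -A INPUT  -i "$EXT_INT" -d "$EXT_INT_IP" \
        -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
}

# Per-client rule for run_add. In the nat table ACCEPT ends nat processing for
# the connection, so a REDIRECT appended to PREROUTING after the dclient jump
# never sees an authenticated client. Inserting it at the head of dclient, keyed
# on the same IP and MAC, diverts only that client's port-80 traffic to the
# proxy; the rest of its traffic still reaches the ACCEPT, and unauthenticated
# PCs still fall through to the sign-up DNAT.
add_proxy_client() {
    $IPTABLES -t nat -I dclient 1 -s "$1" -m mac --mac-source "$2" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}

# Matching rule for run_del.
del_proxy_client() {
    $IPTABLES -t nat -D dclient -s "$1" -m mac --mac-source "$2" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}

# "bash proxy-rules.sh show" prints the rules for a constructed client
# (10.0.0.5 / 00:11:22:33:44:55) instead of loading them.
case "${1:-}" in
    show) IPTABLES=echo; proxy_base_rules; add_proxy_client 10.0.0.5 00:11:22:33:44:55 ;;
esac
```

Port 443 is left alone on purpose: the posted script only DNATs it to the sign-up page for unauthenticated clients, and HTTPS cannot be pushed through a transparent squid of that era, so authenticated clients keep the existing ACCEPT plus SNAT path for it.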