Captive DNS REDIRECT problems. Need a stateless/fast timeout udp connection.

Dave Cinege dcinege-mlists-dated-1112942287.e58b6f at psychosis.com
Sun Apr 3 08:38:03 CEST 2005


I working on a dynamic rules firewall that has the ability to do captive 
portal redirection for login purposes. Right now I've got a problem dealing 
with DNS redirection (udp connection timeout) I'm not sure how to best 
handle.

There are 2 DNS forwarders. One for authorized hosts on port 53 and one for 
unauthorized hosts on 5353. The latter feeds hosts dummy DNS replies in order 
to allow browser redirection back to the portal. 

My default rules look like this:
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 5353
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 5353
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 80
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 443

When a host is authorized a rule for such host is inserted before these rules, 
thus diverting them from the redirection.

Here in lies the problem. When an unauthorized host first hits port 53 and is 
redirected to 5353 a udp connection track stream is tacked up. Once they 
become authorized their 'ACCEPT' rule in inserted, however the original 
53->5353 REDIRECT stream is still alive, and will continued to be used until 
it times out. During this time the host is dead in the water with no 'real' 
DNS.

It looks like dropping the ip_conntrack_udp_timeout down to 1 second, 
effectively solves this. But that is not ideal for all other udp connections. 
It doesn't appear I have a way set a per connection rule timeout, or force a 
rule to be stateless, so I'm wondering the best way to solve this. 

Dave




More information about the netfilter mailing list