02:30 pm - Low-level routing techy blatherings ahead...
Been working on making a 'transparent' router, with a few nice features to help 'immunize' a network against the 'bandwidth-limited' virus attacks.
On looking into iptables in more depth, figured out a basic construction for a MAC-address-based NATing system that is extensible, and allows for a fairly transparent layer of 'one time login' security.
I'll cut to the chase with some of the iptables code, then explain a little what I'm doing with it.

iptables -t nat -N loggedin                 # Chain to hold the 'accepted' users
iptables -t nat -N unknowns                 # Chain to hold the 'unknown' users
iptables -t nat -N gooduser                 # Chain to hold the 'per-user' stuff
iptables -t nat -A PREROUTING -j loggedin   # Check the loggedin chain first
iptables -t nat -A PREROUTING -j unknowns   # Now do the 'default' actions
First off, why make two separate chains? You can insert at the head of a chain with -I rather than appending with -A, but keeping the accepted users in their own chain, placed at the head of the overall filtering, means a new user can be added at a higher priority without touching anything else, and the whole list can be listed or flushed on its own. The 'unknown' rules stay as the default coverage, so we simply filter out the allowed stuff and leave the garbage behind. Second, instead of duplicating multi-part rules, we have a re-used chain to hold the processing we do for an individual user.
Most filtering setups I've seen try to filter out the garbage and only leave the good stuff. Sometimes it's easier to make a mess and leave a heap of trash on the floor, like here.

iptables -t nat -A unknowns -p tcp --destination-port 80 -j REDIRECT --to-ports 8080   # We're running a local web server, to handle logins and so forth
# NOTE: REJECT is only valid in the filter table, so iptables refuses the next two rules in -t nat;
# they belong in a filter-table copy of 'unknowns' hung off FORWARD, with the same loggedin check in front
iptables -t nat -A unknowns -p tcp -j REJECT --reject-with tcp-reset   # Fast-close any traffic outside of web access
iptables -t nat -A unknowns -j REJECT                                  # Reject other traffic normally
Now, the above captures all web traffic from the LAN side and forces it to the local box on port 8080. Any other TCP connection is closed rather harshly, with a reset; other IP traffic (UDP, ICMP and so on) is rejected with REJECT's default, an ICMP port-unreachable. Until you log on, you're not allowed to go anywhere or do anything. One catch: REJECT is only valid in the filter table (INPUT, FORWARD, OUTPUT and chains called from them), so the two reject rules cannot live in the nat table as written. In a working version the nat table keeps only the REDIRECT, and a filter-table copy of the unknowns chain, hung off FORWARD behind the same loggedin check, does the rejecting. Note also that the nat table only sees the first packet of each connection, which is all a redirect needs but rules out anything per-packet there.

iptables -t nat -A loggedin -m mac --mac-source XX:XX:XX:XX:XX:XX -j gooduser   # Logging in is locked to an individual ethernet MAC address
This is just an example entry. It shows how you add a user to the 'accepted' list. The 'accepted' list sends traffic from an accepted MAC through the 'gooduser' chain, so all the actual per-user processing rules go in there, and that chain has to end in ACCEPT; otherwise the packet falls through to the 'unknowns' rules and is redirected or rejected like everyone else's. Two things to keep in mind: the source MAC a rule sees is the last hop's, so this only identifies clients on the same Ethernet segment as the router, and a MAC is trivially spoofed, so it identifies a NIC rather than a person. A similar technique can be used to add 'bad user' settings, for instance if you end up with a bandwidth hog or similar; anything per-packet like that belongs in the filter table, since nat only sees the first packet of a connection.
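The whole design above as a working script, added here as an example; it is not code from the original post. It keeps the three chains and the head-of-list trick, but because the nat table can REDIRECT and not REJECT while the filter table can do the reverse, every chain gets a twin in both tables and a login is inserted into both. Everything named here that the post does not name is an assumption: clients on eth1, the portal on local port 8080, the setup_portal/login_mac/logout_mac/valid_mac functions, the ESTABLISHED,RELATED rule and the INPUT rule for the portal port, and the IPT variable, which defaults to a dry run that prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post: MAC-gated captive portal with the
# chains split across the nat table (REDIRECT) and the filter table (REJECT).
# Assumed names: clients on $LAN, login page on $PORTAL_PORT, $IPT defaults to
# a dry run that prints commands. Run as root with IPT=iptables to apply.
set -u
IPT="${IPT:-echo iptables}"
LAN="${LAN:-eth1}"
PORTAL_PORT="${PORTAL_PORT:-8080}"

setup_portal() {
    for t in nat filter; do
        $IPT -t "$t" -N loggedin      # accepted MACs, checked first
        $IPT -t "$t" -N unknowns      # default handling for everyone else
        $IPT -t "$t" -N gooduser      # per-user rules go in front of the ACCEPT with -I
        $IPT -t "$t" -A gooduser -j ACCEPT
    done

    # nat/PREROUTING sees only the first packet of a connection, which is all
    # a REDIRECT needs. Unknown users' web traffic goes to the local portal.
    $IPT -t nat -A PREROUTING -i "$LAN" -j loggedin
    $IPT -t nat -A PREROUTING -i "$LAN" -j unknowns
    $IPT -t nat -A unknowns -p tcp --dport 80 -j REDIRECT --to-ports "$PORTAL_PORT"

    # filter/FORWARD sees every packet and is the only place REJECT is allowed.
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A FORWARD -i "$LAN" -j loggedin
    $IPT -t filter -A FORWARD -i "$LAN" -j unknowns
    $IPT -t filter -A unknowns -p tcp -j REJECT --reject-with tcp-reset
    $IPT -t filter -A unknowns -j REJECT       # ICMP port-unreachable for the rest

    # Redirected web connections are delivered locally, so they hit INPUT, not FORWARD.
    $IPT -t filter -A INPUT -i "$LAN" -p tcp --dport "$PORTAL_PORT" -j ACCEPT
}

# The MAC normally comes from an ARP lookup of whoever just logged in on the
# portal, so treat it as untrusted input before it gets anywhere near iptables.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Insert at the head of both loggedin chains so a fresh login outranks whatever
# is already there.
login_mac() {
    valid_mac "$1" || { echo "login_mac: bad MAC '$1'" >&2; return 1; }
    for t in nat filter; do
        $IPT -t "$t" -I loggedin -m mac --mac-source "$1" -j gooduser
    done
}

# Deleting by rule spec removes exactly the rule login_mac added.
logout_mac() {
    valid_mac "$1" || { echo "logout_mac: bad MAC '$1'" >&2; return 1; }
    for t in nat filter; do
        $IPT -t "$t" -D loggedin -m mac --mac-source "$1" -j gooduser
    done
}

# Usage: sh portal.sh setup | login <mac> | logout <mac>
case "${1:-}" in
    setup)  setup_portal ;;
    login)  login_mac "${2:?mac required}" ;;
    logout) logout_mac "${2:?mac required}" ;;
esac
```

Two things worth knowing before relying on this. Logging a MAC out removes the rule but not the connection-tracking entries, so flows that were already established keep passing the ESTABLISHED rule until they end; to cut them off immediately the entries have to be flushed as well, which the conntrack tool can do. And the ordering in gooduser matters: the ACCEPT is appended at creation, so later per-user rules must be inserted with -I to run before it, just as logins are inserted at the head of loggedin.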
This is just part 1, and this is yet another item I'm going to multi-part as I can sit down and write it out. I'll also convert the final version into a HOWTO and see if I can't get it added to the iptables docs page if I can find some translators.