2007-04-28 10:03:40
(This may be a duplicate message, KW)

Thank you for the replies Alex and Jan.

I set up a test system with two PCs. PC one has Apache httpd running on it with iptables flushed, defaults set to accept all packets, and is at 192.168.21.1. PC two is simply a workstation at 192.168.21.10. I can get my default webpage by pointing the workstation's browser to 192.168.21.1. I invoked "iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT" on the http host. At this point I was expecting to point the workstation's browser to 192.168.21.2 and get the default webpage, but this returned "Unable to Connect".

It seems from the description of REDIRECT ( http://www.faqs.org/docs/iptables/targets.html#REDIRECTTARGET ) that, when the packet hits the PREROUTING table, it immediately gets sent to localhost and presumably httpd. I am guessing here, but since httpd is an application, the tcp/ip stuff gets stripped off (but the port number stays?), so the fault must be in how Apache is set up? I am thinking, did Apache receive the packet (maybe check the appropriate log file?). Did Apache have a problem interpreting the packet it received (check logs)? Or, may this be a situation where the server can't figure out where to send a reply?

Thank you for any replies.

Kirk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Re:
2007-04-28 12:45:41
Kirk Wallace wrote:
> (This may be a duplicate message, KW)
> 
> Thank you for the replies Alex and Jan.
> 
> I set up a test system with two PCs. PC one has Apache httpd running on it with iptables flushed, defaults set to accept all packets, and is at 192.168.21.1. PC two is simply a workstation at 192.168.21.10. I can get my default webpage by pointing the workstation's browser to 192.168.21.1. I invoked "iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT" on the http host. At this point I was expecting to point the workstation's browser to 192.168.21.2 and get the default webpage, but this returned "Unable to Connect".
> 

Hi,

I don't really understand what you are trying to do. When your browser connects to 192.168.21.2 and there is no webserver running there, it will not be able to connect, logically. If you want to redirect traffic destined to 192.168.21.1 to 192.168.21.2, then -j DNAT --to-destination 192.168.21.2 is your friend, not -j REDIRECT. This will redirect all traffic to the local machine.


Wireless Login Page
2007-04-28 13:43:27
On Sat, 2007-04-28 at 19:45 +0200, Daniel Lopes wrote:
> Kirk Wallace wrote:
> > (This may be a duplicate message, KW)
> > 
> > Thank you for the replies Alex and Jan.
> > 
> > I set up a test system with two PCs. PC one has Apache httpd running on it with iptables flushed, defaults set to accept all packets, and is at 192.168.21.1. PC two is simply a workstation at 192.168.21.10. I can get my default webpage by pointing the workstation's browser to 192.168.21.1. I invoked "iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT" on the http host. At this point I was expecting to point the workstation's browser to 192.168.21.2 and get the default webpage, but this returned "Unable to Connect".
> > 
> 
> Hi,
> 
> I don't really understand what you are trying to do. When your browser connects to 192.168.21.2 and there is no webserver running there, it will not be able to connect, logically. If you want to redirect traffic destined to 192.168.21.1 to 192.168.21.2, then -j DNAT --to-destination 192.168.21.2 is your friend, not -j REDIRECT. This will redirect all traffic to the local machine.

On Sat, 2007-04-28 at 18:32 +0100, Alex wrote:
> TBH this site can explain -j REDIRECT better than I could.
> http://security.maruhn.com/iptables-tutorial/x10065.html
> 
> Is the machine that's doing the NATing the same as the one with the httpd? This has to be the case for redirect to work as you require it. Otherwise, maybe you could use squid to proxy?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I was using 192.168.21.2 just to test whether httpd would respond to any IP address sent on the 192.168.21.0/24 address space.

I envision that a person would boot their wireless laptop and scan for hotspots. They would see my hotspot and connect. Then my DHCP server would give the laptop an IP address, subnet mask, gateway address, DNS1 and DNS2. Then the user would start firefox and try to open a link to anywhere.com, but I have FORWARD denied to all but logged in users (which have a tunnel IP address on another subnet). At this point, I want the anywhere.com request to invoke the httpd on the wireless router to reply with a login page. Currently dhcpd, httpd, radiusd and pptpd are on the same PC.

I was looking at Chillispot to do this but it doesn't have some of the features I want, and I could not find documentation that would allow me to figure out how it works. I want an application that does just what it needs to do, that I can understand and modify as my needs change.

I have used REDIRECT to allow a pcAnywhere connection to an internal PC from the Internet, and I still get a kick that it works, but I was able to get it to work without fully understanding how it works. (Does that make me a script kiddie?)

Basic List question:

I am used to reading a message from a list, then clicking the reply button, typing a reply and clicking send, which sends the reply back to the list. It seems here that I need to cut and paste the message history and reply to a new message addressed to the list address. Is this the proper way to use this list?

Kirk



Re: Wireless Login Page
2007-05-02 12:18:59
Hello Kirk and *,

On 2007-04-28 11:43:27, Kirk Wallace wrote:
> I was using 192.168.21.2 just to test whether httpd would respond to any IP address sent on the 192.168.21.0/24 address space.
> 
> I envision that a person would boot their wireless laptop and scan for hotspots. They would see my hotspot and connect. Then my DHCP server would give the laptop an IP address, subnet mask, gateway address, DNS1 and DNS2. Then the user would start firefox and try to open a link to anywhere.com, but I have FORWARD denied to all but logged in users (which have a tunnel IP address on another subnet). At this point, I want the anywhere.com request to invoke the httpd on the wireless router to reply with a login page. Currently dhcpd, httpd, radiusd and pptpd are on the same PC.

This is exactly what I want to do too.

But if the $CLIENT has gotten its DHCP-IP-Address, then ANY connections (any ports except DNS and DHCP) must be blocked until the user has once started a Webbrowser and authenticated.

I was thinking that if the $USER opens a connection plus auth, the connection will be dropped, for example, 5 minutes after the last traffic going over the Interface with the specified MAC/IP.

I have not found any examples of how to do this.

Would you like to share your config?

And specially how you have set up your "first-connect" page to auth?

Greetings
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSN LinuxMichi
0033/6/61925193    67100 Strasbourg/France   IRC #Debian (irc.icq.com)
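Kirk's design (FORWARD denied to everyone but logged-in users, with HTTP from the hotspot REDIRECTed to the router's own httpd for a login page) and Michelle's requirement (nothing but DNS and DHCP until the user has authenticated) fit in one small iptables script. This is an added example, not config posted by anyone in the thread; the interface name wlan0, the 192.168.21.0/24 pool, the chain names and the sample client address are assumptions, and Daniel's DNAT alternative and Alex's same-host condition are noted in comments.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: wlan0 is the hotspot
# interface, 192.168.21.0/24 the DHCP pool, the portal httpd listens on
# port 80 on the router itself. DRY_RUN=1 (default) prints the rules
# instead of applying them; run with DRY_RUN=0 as root to apply.
WLAN=${WLAN:-wlan0}
LAN_NET=${LAN_NET:-192.168.21.0/24}
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Unauthenticated clients may only do DHCP and DNS. Their HTTP is
# REDIRECTed to the local httpd (the login page); everything else is
# dropped. Authenticated clients RETURN out of both portal chains first.
portal_base() {
    ipt -t nat -N portal_nat
    ipt -t nat -A PREROUTING -i "$WLAN" -s "$LAN_NET" -j portal_nat
    # REDIRECT only works because httpd runs on this router (Alex's point).
    # With the login page on another host this line would instead be
    # Daniel's: -j DNAT --to-destination <portal host>
    ipt -t nat -A portal_nat -p tcp --dport 80 -j REDIRECT --to-ports 80
    ipt -N portal_fwd
    ipt -A FORWARD -i "$WLAN" -s "$LAN_NET" -j portal_fwd
    ipt -A portal_fwd -p udp --dport 53 -j ACCEPT
    ipt -A portal_fwd -p tcp --dport 53 -j ACCEPT
    ipt -A portal_fwd -j DROP
    # The router itself must still answer DHCP, DNS and the redirected HTTP.
    ipt -A INPUT -i "$WLAN" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$WLAN" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$WLAN" -p tcp --dport 80 -j ACCEPT
}

# Called by the login page once a user is verified: open both chains for
# this client, keyed on MAC and IP together so copying an authenticated IP
# alone is not enough. Position 1 puts the RETURN ahead of REDIRECT/DROP.
portal_allow() {
    ipt -t nat -I portal_nat 1 -s "$1" -m mac --mac-source "$2" -j RETURN
    ipt -I portal_fwd 1 -s "$1" -m mac --mac-source "$2" -j RETURN
}

# Logout or idle expiry (Michelle's 5-minute timer would call this):
# delete exactly the two rules portal_allow inserted.
portal_deny() {
    ipt -t nat -D portal_nat -s "$1" -m mac --mac-source "$2" -j RETURN
    ipt -D portal_fwd -s "$1" -m mac --mac-source "$2" -j RETURN
}
portal_base
portal_allow 192.168.21.10 00:11:22:33:44:55   # constructed sample client
```

Run as-is to review the generated rule set; the idle timer itself (tracking the last packet per MAC/IP and calling portal_deny) is left to whatever process drives the login page.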