DNAT Routing Problem

Thorgear

Regular Contributor
I'm trying to redirect all traffic from a specific computer to a specific external web site. I'm using Merlin 380.57 on a gateway. When I use this rule:

iptables -t nat -A PREROUTING -m mac --mac-source xx:xx:xx:xx:xx:xx -j DNAT --to-destination 280.67.222.222

I get the error message:

Bad IP address `280.67.222.222'

It works just fine with an internal IP destination. Any idea what I'm doing wrong?
 
> I'm trying to redirect all traffic from a specific computer to a specific external web site. I'm using Merlin 380.57 on a gateway. When I use this rule:
>
> iptables -t nat -A PREROUTING -m mac --mac-source xx:xx:xx:xx:xx:xx -j DNAT --to-destination 280.67.222.222
>
> I get the error message:
>
> Bad IP address `280.67.222.222'
>
> It works just fine with an internal IP destination. Any idea what I'm doing wrong?

Unless you are using IPv5 or some other non-existing addressing scheme, then "280" is not a valid value :). Valid quad values are between 0 and 255.
 
> Unless you are using IPv5 or some other non-existing addressing scheme, then "280" is not a valid value :). Valid quad values are between 0 and 255.

Ugh, obvious mistake. It works fine with another external address. Thanks.

FYI, I got the 280 address from Merlin. I used DNS Filtering to forward the MAC to OpenDNS Home. iptables showed new entries in PREROUTING and DNSFILTER that pointed to the 280 address.
 
> FYI, I got the 280 address from Merlin. I used DNS Filtering to forward the MAC to OpenDNS Home. iptables showed new entries in PREROUTING and DNSFILTER that pointed to the 280 address.

Look again - OpenDNS's IP starts with 208, not 280. It's impossible to use a number higher than 255...

Code:
    static char *server_table[13][2] = {
        {"", ""},               /* 0: Unfiltered (handled separately below) */
        {"208.67.222.222", ""}, /* 1: OpenDNS */
        {"199.85.126.10", ""},  /* 2: Norton Connect Safe A (Security) */
        {"199.85.126.20", ""},  /* 3: Norton Connect Safe B (Security + Adult) */
        {"199.85.126.30", ""},  /* 4: Norton Connect Safe C (Sec. + Adult + Violence) */
        {"77.88.8.88", ""},     /* 5: Secure Mode safe.dns.yandex.ru */
        {"77.88.8.7", ""},      /* 6: Family Mode family.dns.yandex.ru */
        {"208.67.222.123", ""}, /* 7: OpenDNS Family Shield */
        {"", ""},               /* 8: Custom1 */
        {"", ""},               /* 9: Custom2 */
        {"", ""},               /* 10: Custom3 */
        {"", ""},               /* 11: Router */
        {"8.26.56.26", ""}      /* 12: Comodo Secure DNS */
    };
 
> Look again - OpenDNS's IP starts with 208, not 280. It's impossible to use a number higher than 255...

Yep, I know it's a 1 byte value, and I CAN'T believe I didn't notice that! I must be losing it. Thanks again.
 
I just thought of something. NAT is disabled on this router. Why does this rule work?

Disabling NAT does not disable manually added rules, it merely tells the router not to add any rule to masquerade every connection.

NAT in itself is just a few iptables rules; it's not an actual feature that can be enabled or disabled.
 
I could have sworn the same rule worked for internal addresses, but apparently not. I'm using:

iptables -t nat -A PREROUTING -m mac --mac-source xx:xx:xx:xx:xx:xx -j DNAT --to-destination 10.0.1.6

The packet never hits the rule. It looks to me like a packet has to pass through nat/prerouting in either level 2 or level 3. I don't see another way through. Am I wrong?
 
> I could have sworn the same rule worked for internal addresses, but apparently not. I'm using:
>
> iptables -t nat -A PREROUTING -m mac --mac-source xx:xx:xx:xx:xx:xx -j DNAT --to-destination 10.0.1.6
>
> The packet never hits the rule. It looks to me like a packet has to pass through nat/prerouting in either level 2 or level 3. I don't see another way through. Am I wrong?

If you redirect everything from that MAC, that means not just web traffic, but EVERYTHING, including DNS lookups. I don't think that's the intended goal...

mac-based rules certainly work in the nat table. That's how DNSFilter is implemented. However you'll also need NAT to handle other traffic (you said previously you had NAT disabled on the router).
 
> If you redirect everything from that MAC, that means not just web traffic, but EVERYTHING, including DNS lookups. I don't think that's the intended goal...
>
> mac-based rules certainly work in the nat table. That's how DNSFilter is implemented. However you'll also need NAT to handle other traffic (you said previously you had NAT disabled on the router).

I think that is what I'm looking for. When someone is blocked, they currently get redirected to the login page of the router. I need to give a message to the blocked user. I modified the background image, but it's not really what I'm looking for.

I'm trying to redirect users to an internal web page that gives them a specific message.

Regarding the rule, I'm also logging it and it doesn't look like the rule is getting hit. However, the client DOES get to the Internet.

iptables -t nat -A PREROUTING -m mac --mac-source 74:DA:38:5E:AD:29 -j LOG --log-prefix "MACROUTE "
 
> I think that is what I'm looking for. When someone is blocked, they currently get redirected to the login page of the router. I need to give a message to the blocked user. I modified the background image, but it's not really what I'm looking for.

Then you need to only redirect web requests, unless that target server also runs a DNS server. That's what Asus does: they redirect tcp:80 and udp:53.

> Regarding the rule, I'm also logging it and it doesn't look like the rule is getting hit.

Try moving it higher in the chain.
 
> Then you need to only redirect web requests, unless that target server also runs a DNS server. That's what Asus does: they redirect tcp:80 and udp:53.
>
> Try moving it higher in the chain.

it sounds like he may need a POSTROUTING rule for snat/masq, too, if he disabled NAT
 
> it sounds like he may need a POSTROUTING rule for snat/masq, too, if he disabled NAT

Not sure about this. I'll check it out if I don't get anywhere with my current approach.

> Then you need to only redirect web requests, unless that target server also runs a DNS server. That's what Asus does: they redirect tcp:80 and udp:53.

I see where they redirect tcp:80, but not udp:53. In any case, I'm trying the ASUS approach (Parental Controls). I think I'm doing what they are, and it works. However, when I switch from 10.0.1.1:18099 to 10.0.1.6:80, I only get blocking. I don't get the redirect. Also, I don't understand why they're dropping packets in the FORWARD chain. I did try it without the FORWARD and it still didn't work.

iptables -I FORWARD 3 -m mac --mac-source C0:FF:A4:BE:2C:89 -j DROP
iptables -t nat -I PREROUTING 2 -m mac --mac-source C0:FF:A4:BE:2C:89 -j PCREDIRECT
iptables -t nat -I PCREDIRECT 1 -p tcp -d ! 10.0.1.0/24 --dport 80 -m mac --mac-source C0:FF:A4:BE:2C:89 -j DNAT --to-destination 10.0.1.6:80
 
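To tie together the points raised so far (an octet above 255 cannot be expressed in a dotted quad, only tcp/80 should be rewritten, and a POSTROUTING rule is needed once the target is another LAN host rather than the router itself), here is an added shell example; it is not code from the thread or from Asuswrt-Merlin, and the LAN range, portal address and print-unless-APPLY=1 convention are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin.
# Constructed values: LAN 10.0.1.0/24, portal host 10.0.1.6:80 and the MAC
# posted above. Commands are printed unless APPLY=1, so review them first.

# 0 if $1 is a dotted quad whose octets are all 0..255. The thread's
# "280.67.222.222" fails here for the same reason iptables rejects it:
# each octet is one byte, so 280 cannot be encoded.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$rest" ] || return 1
    for octet in "$a" "$b" "$c" "$d"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the command, or execute it when APPLY=1.
run() { if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi; }

# Parental-Controls-style rules for one MAC: rewrite its off-LAN HTTP to
# the portal, drop the rest, and leave udp/53 alone so name resolution
# keeps working. Usage: redirect_rules MAC LAN_CIDR PORTAL_IP:PORT
redirect_rules() {
    mac=$1 lan=$2 portal=$3 portal_ip=${3%%:*}
    valid_ipv4 "$portal_ip" || { echo "Bad IP address '$portal_ip'" >&2; return 1; }
    run iptables -t nat -N PCREDIRECT
    run iptables -t nat -I PREROUTING 1 -m mac --mac-source "$mac" -j PCREDIRECT
    # "! -d" is the current negation syntax; "-d !" is the deprecated form.
    run iptables -t nat -A PCREDIRECT -p tcp ! -d "$lan" --dport 80 \
        -j DNAT --to-destination "$portal"
    # FORWARD: accept the rewritten flow to the portal, drop everything else.
    run iptables -I FORWARD 1 -m mac --mac-source "$mac" -j DROP
    run iptables -I FORWARD 1 -m mac --mac-source "$mac" -p tcp \
        -d "$portal_ip" --dport 80 -j ACCEPT
    # Hairpin: portal and client share the LAN, so without this the portal's
    # reply would go straight back from 10.0.1.6 and the client would reject
    # it. Masquerading only DNAT'd connections keeps real client IPs visible
    # to the portal for direct visits.
    run iptables -t nat -A POSTROUTING -s "$lan" -d "$portal_ip" -p tcp \
        --dport 80 -m conntrack --ctstate DNAT -j MASQUERADE
}
```

Running `redirect_rules C0:FF:A4:BE:2C:89 10.0.1.0/24 10.0.1.6:80` prints the six commands for review; the same call with a 280.x.x.x target fails before any rule is touched.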
> I see where they redirect tcp:80, but not udp:53.

They only redirect udp53 on WAN down, when you have the "web redirect" option enabled. For parental control and such there's no need to redirect 53, as name resolution is still working. However in your scenario, if you also redirect udp53 to an IP that does not run a DNS server, then no name resolution at all will work. It will also break LAN resolution.

I've never looked at how their PControl is implemented.
 
Got it. I'll try more logging. If I can't come up with a new idea, I'll go back to my first approach. Thanks for your help.
 
I'm going to avoid all of this by hosting the warning page on the router. Thanks for your help.
 
I'm only putting up one page. I need something simple, but I can't find anything smaller than lighttpd. There's that /www/user thing, but I can't find any doc or references in httpd.c. Can you point me to a relatively simple solution?
 
> I'm only putting up one page. I need something simple, but I can't find anything smaller than lighttpd. There's that /www/user thing, but I can't find any doc or references in httpd.c. Can you point me to a relatively simple solution?

I haven't played with a third party httpd on the router in years, but back then, I had good results with nginx. You'll want something that will allow you to listen on a different local port, and possibly with URL rewriting capabilities so that any URL gets redirected to the root of your "captive portal" page. That means you cannot use the router's httpd either, as you'd need to be able to rewrite a URL to point it to that user page - something you can't do with iptables.

In any case, do not use the router's lighttpd, as it's customized specifically for AiCloud.
 
