[NoCat] iptables and redirection problem!
Babak Schiffer
babakred at hotmail.com
Thu Jun 22 16:05:45 PDT 2006
Hi,
I'm running NoCat-GW (NoCatAuth-0.82) on Linux (2.6), and first I want to test
my GW with auth.nocat.net,
but I have trouble with redirection. I get no login page at all.
It seems NoCat-GW works "fine". Here is the NoCat log:
[2006-06-22 13:13:13] Gateway running on port 5280.
[2006-06-22 13:18:23] Gathering stats from firewall with cmd='stats.fw '.
And here is the gateway config (all other important attributes are commented out):
GatewayMode Passive
LoginTimeout 600
TrustedGroups Any
AuthServiceAddr auth.nocat.net
AuthServiceURL https://$AuthServiceAddr/cgi-bin/login
LogoutURL https://$AuthServiceAddr/logout.html
ExternalDevice eth0
InternalDevice eth1
AccountingMethod None
AccountingUpdateInterval 300
The DHCP and DNS servers on the GW also run fine. The client gets an IP and I can even
see mouse.nocat.net in my client browser, but for
other URLs there is no redirection. I see in Ethereal that the client tries
to establish a TCP connection to the requested
URL, but that's all.
I think that's an iptables issue, but I don't know what exactly, since I'm not
familiar with iptables.
Here is my iptables config (192.168.112.0/27 is my internal subnet):
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
NoCat all -- anywhere anywhere

Chain NoCat (1 references)
target prot opt source destination
NoCat_Ports all -- anywhere anywhere
NoCat_Inbound all -- anywhere anywhere
ACCEPT all -- 192.168.112.0/27 anywhere MARK match 0x1
ACCEPT all -- 192.168.112.0/27 anywhere MARK match 0x2
ACCEPT tcp -- 192.168.112.0/27 mouse.nocat.net tcp dpt:http
ACCEPT tcp -- mouse.nocat.net 192.168.112.0/27 tcp spt:http
ACCEPT tcp -- 192.168.112.0/27 mouse.nocat.net tcp dpt:https
ACCEPT tcp -- mouse.nocat.net 192.168.112.0/27 tcp spt:https
ACCEPT all -- DNSServer 192.168.112.0/27
ACCEPT tcp -- 192.168.112.0/27 DNSServer tcp dpt:domain
ACCEPT udp -- 192.168.112.0/27 DNSServer udp dpt:domain
DROP tcp -- !mouse.nocat.net anywhere tcp dpt:5280
DROP all -- anywhere anywhere

Chain NoCat_Inbound (1 references)
target prot opt source destination

Chain NoCat_Ports (1 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:smtp MARK match 0x3
DROP udp -- anywhere anywhere udp dpt:smtp MARK match 0x3

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
target prot opt source destination

Chain input_ext (3 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:bootps
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:domain flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
reject_func tcp -- anywhere anywhere tcp dpt:ident state NEW
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere

Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
I would appreciate any help. Please!!
BABAK
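An added diagnostic, not part of the post above and not NoCatAuth's own code. The listing in the post is the filter table (INPUT/FORWARD/OUTPUT), whose rules can only accept, drop or log; a captive portal gets an unauthenticated client's port-80 request to its own port 5280 by rewriting the destination in the nat table (a REDIRECT rule reached from PREROUTING), so `iptables -t nat -L -n` is the output that decides whether the redirect exists. The script below parses listings as they are pasted into mail (re-joining wrapped continuation lines, as in the post), follows jumps into user-defined chains, and reports whether an HTTP REDIRECT to the gateway port is present. The filter excerpt is taken from the post; the nat listing is a constructed sample of what a working gateway would show, and the chain name `NoCat_Capture` in it is an assumption, not something the post shows.

```python
"""Check a pasted `iptables -L` listing for a captive-portal HTTP redirect.

The filter table only accepts/drops/logs; the rewrite of a client's port-80
request to the gateway's login port lives in the nat table (PREROUTING ->
REDIRECT). This parser re-joins mail-wrapped lines and looks for that rule.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PROTOS = {"all", "tcp", "udp", "icmp"}   # protocol names iptables -L prints
CHAIN_RE = re.compile(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)")


@dataclass
class Rule:
    target: str
    proto: str
    source: str
    destination: str
    extra: str   # everything after the destination column (matches, options)


@dataclass
class Chain:
    name: str
    policy: Optional[str]          # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)


def unwrap(text: str) -> List[str]:
    """Re-join rule lines that a mail client wrapped onto following lines.

    A real rule line has the shape `<target> <proto> -- <src> <dst> ...`;
    any other line that is not a chain or column header is a continuation.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        is_chain = tok[0] == "Chain"
        is_header = tok[:2] == ["target", "prot"]
        is_rule = len(tok) >= 5 and tok[1] in PROTOS and tok[2] == "--"
        if is_chain or is_header or is_rule or not lines:
            lines.append(" ".join(tok))
        else:
            lines[-1] += " " + " ".join(tok)
    return lines


def parse(text: str) -> Dict[str, Chain]:
    """Parse an `iptables -L [-n]` listing into chains keyed by chain name."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in unwrap(text):
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
        elif line.startswith("target prot") or current is None:
            continue                      # column header / text before a chain
        else:
            tok = line.split()
            current.rules.append(Rule(tok[0], tok[1], tok[3], tok[4], " ".join(tok[5:])))
    return chains


def find_http_redirect(chains: Dict[str, Chain], gateway_port: int,
                       entry: str = "PREROUTING") -> Optional[Rule]:
    """Return the REDIRECT of client HTTP (dpt:80) to `gateway_port`, following
    jumps from `entry` into user-defined chains; None if no such rule exists."""
    want = re.compile(r"dpt:(80|http)\b.*redir ports %d\b" % gateway_port)
    seen = set()

    def walk(name: str) -> Optional[Rule]:
        if name in seen or name not in chains:
            return None
        seen.add(name)
        for rule in chains[name].rules:
            if rule.target == "REDIRECT" and rule.proto == "tcp" and want.search(rule.extra):
                return rule
            if rule.target in chains:     # jump into a user-defined chain
                hit = walk(rule.target)
                if hit:
                    return hit
        return None

    return walk(entry)


def diagnose(nat_text: str, gateway_port: int) -> str:
    """One-line verdict for a nat-table listing."""
    hit = find_http_redirect(parse(nat_text), gateway_port)
    if hit is None:
        return ("MISSING: no REDIRECT of tcp dpt:80 to port %d is reachable from nat "
                "PREROUTING; unauthenticated clients never reach the login page" % gateway_port)
    return "OK: %s -> %s captured to port %d (%s)" % (
        hit.source, hit.destination, gateway_port, hit.extra)


# Excerpt of the filter table exactly as pasted (mail-wrapped) in the post.
FILTER_EXCERPT = """\
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg
3/min burst 5 LOG level warning tcp-options ip-options prefix
`SFW2-FWD-ILL-ROUTING '
NoCat all -- anywhere anywhere
Chain NoCat (1 references)
target prot opt source destination
ACCEPT all -- 192.168.112.0/27 anywhere MARK match 0x1
DROP tcp -- !mouse.nocat.net anywhere tcp dpt:5280
DROP all -- anywhere anywhere
"""

# Constructed sample of `iptables -t nat -L -n` on a working gateway; the chain
# name NoCat_Capture is an assumption for this example, not taken from the post.
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
NoCat_Capture  all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.112.0/27     0.0.0.0/0

Chain NoCat_Capture (1 references)
target     prot opt source               destination
RETURN     all  --  192.168.112.0/27     0.0.0.0/0            MARK match 0x1
RETURN     all  --  192.168.112.0/27     0.0.0.0/0            MARK match 0x2
REDIRECT   tcp  --  192.168.112.0/27     0.0.0.0/0            tcp dpt:80 redir ports 5280
"""

if __name__ == "__main__":
    print(diagnose(FILTER_EXCERPT, 5280))   # filter table alone: MISSING
    print(diagnose(NAT_LISTING, 5280))      # nat table with capture rule: OK
```

On a live gateway, feed it the real output of `iptables -t nat -L -n` (and `iptables -L -n` for context); the `unwrap` heuristic only recognises the four protocol names iptables prints by default, which is enough for captive-portal rule sets like the one in the post.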