Documentation - HOWTO.en

From HostName.Org

This is a very simple howto , In this example we will configure a network using NatACL
  • Network Configuration:
    • Internet WAN ADRESS: 201.0.0.1 on eth0
    • LAN on eth1


Contents

Interfaces

- First we need to create the interfaces aliases, ( one for each group ). -- groups: servers, administrators, developers, wireless, unknown.

 # ifconfig eth1:1 192.168.1.1 netmask 255.255.255.0
# ifconfig eth1:2 192.168.2.1 netmask 255.255.255.0
# ifconfig eth1:3 192.168.3.1 netmask 255.255.255.0
# ifconfig eth1:5 192.168.200.1 netmask 255.255.255.0


Put this in your linux network configuration file.

Groups creation

Now we need to associate this interfaces to NatACL's groups.


 # /usr/bin/NatACL_config group add servers eth1:1 192.168.1.2 192.168.1.2 mydomain.org
# /usr/bin/NatACL_config group add administrators eth1:2 192.168.1.2 192.168.1.2 mydomain.org
# /usr/bin/NatACL_config group add developers eth1:3 192.168.1.2 192.168.1.2 mydomain.org
# /usr/bin/NatACL_config group add unknown eth1:4 192.168.1.2 192.168.1.2 mydomain.org


Obs: 192.168.1.2 is my DNS and WINS servers ( if you dont have a wins servers, use 0.0.0.0 )
Pay attention on this last command, the group 'unknown' is the default NatACL group, it is required.
******************** ( You MUST HAVE a group called 'unknown' ) **********************

Group association

Now all new machines that REQUEST a new IP address from dhcp, will be added automaticly to NatACL database ( To the group 'unknown' ). you can check them using this command:


 # /usr/bin/NatACL_config client list


It will show something like that:


00:d0:09:c1:42:7c 04 192.168.200.2 192.168.200.2 0x00d009c1427c
00:10:60:5b:f9:ef 04 192.168.200.20 192.168.200.20 0x0010605bf9ef
00:12:f0:1f:79:8c 04 192.168.200.13 192.168.200.13 0x0012f01f798c



All new machines will go to the default group, the 'unknown' group. But in my configuration, the unknown group does not have any special policies.
You may wish to re-allocate the machines to the corret group.
Ex.
# /usr/bin/NatACL_config client group 00:d0:09:c1:42:7c servers
# /usr/bin/NatACL_config client group 00:10:60:5b:f9:ef administrators
# /usr/bin/NatACL_config client group 00:d0:09:c1:42:7c developers

Iptables

Before starting the dhcp server, you must change you firewall script.
You must remove all policies from your workstations ( SNAT/ DNAT/ Proxys/ Redirects and FORWARDS )
You also must set the default FORWARD policy to DROP.


            # iptables -P FORWARD DROP ( put this in the beggining of your script ).

*** Verify that you dont have any FORWARD rules that affects your workstations. NatACL will create them for you.

Start the dhcp server

Now i can start the dhcp server, running:
# NatACL_dhcp


Policies between groups

Your workstations now can get IP address, but that is almost all they can do. If you have remove the FORWARD/SNAT/DNAT/REDIRECT rules from you firewall script , all groups should be isolated from each other. ( machines on administrators cannot talk to machines on developers ).
We will add some policies to allow them to see each other.
* Group Administrators must see all groups


# /usr/bin/NatACL_config group policy_add administrators group servers
# /usr/bin/NatACL_config group policy_add administrators group developers


* Group Developers must see only the group servers


# /usr/bin/NatACL_config group policy_add developers group servers


This policy works in bi-directional way, in the above example, group developers can talk to servers AND servers can talk to developers


Internet policies

Now we have a working intranet, but workstations dont have internet access yet. To allow them to use it, we must add some group policies.
In this example, i have a proxy running on server 192.168.1.2, i want to make it transparent. I Also want the workstations from the group servers and administrators to access others protocols besides http, using NAT.
Group developers should only access to http.
* Adding the transparent proxy


# /usr/bin/NatACL_config group policy_add administrators dnat 192.168.1.2 3128
# /usr/bin/NatACL_config group policy_add servers dnat 192.168.1.2 3128
# /usr/bin/NatACL_config group policy_add developers dnat 192.168.1.2 3128


* Adding source nat


# /usr/bin/NatACL_config group policy_add administrators snat 201.0.0.1
# /usr/bin/NatACL_config group policy_add servers snat 201.0.0.1


Ok not we have a fully functional intranet and internet access.

WebAuthenticator

If for some reason you want the group unknown to have web authentication: ( Optional )
Again it its a group policy, in this case for the group unknown.


 # /usr/bin/NatACL_config group policy_add unknown natacl 1 EXPIRE_POPUP auth_unix.so
# /usr/bin/NatACL_config group policy_add unknown dnat 192.168.1.2 3128
# /usr/bin/NatACL_config group policy_add unknown snat 201.0.0.1


Start the NatACL_web athenticator


# /usr/bin/NatACL_web


When users authenticate itself on NatACL_web, ( trying to access any URL ), NatACL will create the others policy_rules ( in this case the dnat and snat acls' )

Scripts

Block orkut

If you want to execute a script everytime a machines REQUEST the IP address from dhcp. ( minimun interval should be 5 minutes ). Use this options to execute some iptables rules. this example is to BLOCK the site www.orkut.com in worktime. ( 9:00-12:00 and 14:00-18:00 ) ( I need to to this, becase this site uses SSL ( https ), and there is no way to do this on transparent proxy ( using squid ) )
The Script:


Filename /usr/bin/NatACL_orkut_policy.sh


#!/bin/sh


time=`date +1%H%M%S`
if ( [ $time -ge 1180000 ] && [ $time -le 1240000 ] ) || \
( [ $time -ge 1000000 ] && [ $time -le 1090000 ] ) || \
( [ $time -ge 1120000 ] && [ $time -le 1140000 ] )
then
iptables -D NatACL_fwd_${2} -p tcp --dport 443 -s $1 -d 216.239.51.85 -j DROP
iptables -D NatACL_fwd_${2} -p tcp --dport 443 -s $1 -d 216.239.51.88 -j DROP
else
iptables -D NatACL_fwd_${2} -p tcp --dport 443 -s $1 -d 216.239.51.85 -j DROP
iptables -D NatACL_fwd_${2} -p tcp --dport 443 -s $1 -d 216.239.51.86 -j DROP
iptables -I NatACL_fwd_${2} -p tcp --dport 443 -s $1 -d 216.239.51.86 -j DROP
iptables -I NatACL_fwd_${2} -p tcp --dport 443 -s $1 -d 216.239.51.85 -j DROP
fi


And i need to configure the group policy :
# /usr/bin/NatACL_config group policy_add developers exec 0 '/usr/bin/NatACL_orkut_policy.sh'
If you read the above script you should be asking why it deletes the iptables rule and create it again. The Option "Only Once" is flaged as 0 ( off ), so it will execute the same script everytime the machines talk to the dhcp. ( using minimun interval of 5 minutes ), so if you dont remove the rule, NatACL will keep adding thousands of duplicated iptables rules. Crashing the server :)



Bypass proxy

You can use script execution, to use special tules to groups ou clients.
Example.
Lets say i want to allow direct web access to a specific IP address, without the use of a proxy. On a regular configuration a workstation can have SNAT and DNAT to allow internet traffic. But by rule of iptables, DNAT will always have priority.
You can use a script like:

- Filename: /usr/bin/NatACL_direct.sh

#!/bin/sh 
iptables -t nat -I NatACL_dnat_${2} -p tcp --dport 80 -s $1 -d 200.200.200.200 -j ACCEPT
iptables -t nat -A NatACL_snat_${2} -p tcp --dport 80 -s $1 -d 200.200.200.200 -j SNAT --to-source 1.1.1.1


This will force direct web access to ip destination 200.200.200.200.
To put this script on group policy, use:
# /usr/bin/NatACL_config group policy_add developers exec 1 '/usr/bin/NatACL_direct.sh'


This script will run "only once", so this options must be enabled.


You can use your regular iptables chains, in the above example, i use NatACL_dnat_{mac}, NatACL_snat_{mac} and NatACL_fwd{mac}, I recomment the use of this chains for performance reasons. but you can use PREROUTING, POSTROUTING and FORWARD chains..
The first argument on the script is the IP address of client, the second is the mac address in form of hexadecimal.