Documentation - README.en




NatACL, after version 200606XX, is made up of 3 programs:
* NatACL_dhcp - An extremely simple DHCP server.
* NatACL_web - A web authenticator for transparent proxy or NAT.
* NatACL_netdetect - A network statistics collector.
The objective of these programs is to restrict access from unauthorized machines.


    The DHCP server is an extremely simplified version of a full DHCP server; it only does the basic work needed to hand out IP addresses.
    The difference is that with this server you can create iptables rules and bind them to user groups. You can also force users to use a DHCP client, and block those who do not use one ( e.g. static addresses ).
    You can also create group policies, where some groups access the internet through NAT, or the user is forced to authenticate over the web using NatACL_web.


    It is an HTTP server; with help from iptables it can intercept HTTP requests to external sites and show an HTML page requesting a login/password. If the user provides the correct login/password, NatACL_web will then create the iptables rules that allow access to the internet.
This new rule stays active until an expiration method fires. There are 3 types of methods:
* EXPIRE_PING - Sends ICMP echo requests to the target machine. ( The expiration occurs when the ping fails. )
* EXPIRE_TIME - Uses a time interval.
* EXPIRE_POPUP - Opens an HTML popup in the client's browser; the expiration occurs when this popup window is closed.

There are 3 types of authentication ( more are available as external plugins ( download ) ):
* AUTH_POP3 - Uses a POP3 server to check the login/password.
* AUTH_UNIX - Uses the internal Linux system passwords. ( passwd/shadow )
You can also download external modules:

* AUTH_MYSQL - Uses MySQL for the login/password.



A daemon that listens on every interface on the system and builds statistics for use with MRTG or other programs.
These statistics are split by group.






The first thing to do is delete any DNAT, SNAT and FORWARD rules, and set the iptables default FORWARD policy to DROP:
'iptables -P FORWARD DROP'

Locks. ( Recommended )
iptables cannot be run twice at the same time, so you must create a lock file while your firewall script runs.
At the beginning of your firewall script put this line:
touch /var/NatACL/dhcp.lock
And at the end:
rm -f /var/natACL/dhcp.lock
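A bare touch/rm pair leaves a stale lock behind if the firewall script dies half way, and NatACL would then keep seeing a lock that nobody holds. The wrapper below is an added example, not NatACL's own code; it assumes the lock path /var/NatACL/dhcp.lock from the step above (override with NATACL_LOCK for testing) and removes the lock whether the wrapped script succeeds, fails or is interrupted.

```shell
#!/bin/sh
# Added example, not NatACL's own code: run a firewall script under the
# dhcp.lock the README asks for, and guarantee the lock is removed again.
# Lock path assumed from the README (override with NATACL_LOCK when testing).
NATACL_LOCK="${NATACL_LOCK:-/var/NatACL/dhcp.lock}"
export NATACL_LOCK

# Usage: with_natacl_lock <command> [args...]
# Creates the lock, runs the command, and removes the lock when the command
# finishes, fails or is interrupted. Refuses to run (status 75, EX_TEMPFAIL)
# if a lock already exists, so two firewall runs never overlap.
with_natacl_lock() {
    if [ -e "$NATACL_LOCK" ]; then
        echo "with_natacl_lock: $NATACL_LOCK exists, another run in progress?" >&2
        return 75
    fi
    touch "$NATACL_LOCK" || return 1
    # The traps live in a subshell so they cannot leak into the caller's
    # shell; the subshell's exit status is the wrapped command's own.
    (
        trap 'rm -f "$NATACL_LOCK"' EXIT
        trap 'exit 130' HUP INT TERM
        "$@"
    )
}

# Example firewall body: the README's first step (default FORWARD policy
# DROP). Set IPTABLES=echo to dry-run it without root.
natacl_forward_drop() {
    "${IPTABLES:-iptables}" -P FORWARD DROP
}

# Run directly: wrap the firewall script given on the command line, e.g.
#   sh natacl_lock.sh /etc/firewall.sh   (path is an assumed placeholder)
if [ $# -ge 1 ]; then
    with_natacl_lock "$@"
fi
```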



After you configure your iptables script, you must create an interface alias for each group you plan to use:
ifconfig eth0:1 netmask
ifconfig eth0:2 netmask
ifconfig eth0:3 netmask
In the example above, I've created 3 interface aliases, for the groups 'unknown', 'board' and 'hr'.


To bind the interfaces to the groups, you must tell NatACL about them.
Use the command 'NatACL_config group add':
/usr/bin/NatACL_config group add <group_name> <interface> <dns_address> <wins_address> <domain>
NatACL_config group add unknown eth0:1
NatACL_config group add board eth0:2
NatACL_config group add hr eth0:3
PS: if you don't have a WINS server, you can put as the address.

!!! ************************* IMPORTANT: YOU MUST CREATE A GROUP CALLED 'unknown' ***************************** !!!
The group 'unknown' is the NatACL default group.

After this is done, you have a working DHCP server; any new computer that requests an IP address will be
automatically added to the group 'unknown'.

Clients ( Workstations ).

You can check whether a computer is in the NatACL database:
/usr/bin/NatACL_config client list
To change a computer's group:
/usr/bin/NatACL_config client group <mac address> <group name>
/usr/bin/NatACL_config client group 00:c0:f1:d3:d4:e3 board
/usr/bin/NatACL_config client group 00:50:b1:d4:aa:c3 hr
On some DHCP clients, the renewal of the IP address can take up to 5 minutes.
In most cases it takes at most 30 seconds.

Group Policies

Now you have a working DHCP server, but your stations don't have internet access.
You must configure your group policies:
/usr/bin/NatACL_config group policy_add <group_name> [<type> <type_options>]
There are 4 types of rules:
SNAT - source NAT, to allow direct access to the internet through NAT.
DNAT - destination NAT, to use a transparent proxy.
NATACL - web authenticator ( see the NatACL chapter ).
EXEC - run a shell command.


To use source NAT on a group, use:
/usr/bin/NatACL_config group policy_add <grupo> snat <snat_address>
/usr/bin/NatACL_config group policy_add board snat
In the example above, when a station from the group 'board' requests a new IP from DHCP, the DHCP server adds a new rule to iptables allowing that IP to access the internet through NAT.


To use DNAT, use:
/usr/bin/NatACL_config group policy_add <grupo> dnat <dnat_address> <dnat_port>
NatACL_config group policy_add board dnat 3128

In the example above, when a station from the group 'board' requests a new IP from DHCP, the DHCP server adds a new rule to iptables allowing that IP to access the internet through the proxy running on


Execute a shell command:
The first parameter after 'exec' defines whether the command is executed only once or every time a DHCP client requests an IP address. ( The minimum interval is 5 minutes. )
NatACL_config group policy_add board exec 0 '/usr/bin/'

The parameters passed to the scripts are:
$1 ( First parameter ) IP address
$2 ( Second parameter ) MAC address

For performance reasons, and for cleanup on NatACL initialization, I strongly advise you to use the following iptables chains.
If I want to deny a destination IP address for a group:
iptables -t nat -I NatACL_fwd_${2} -p ALL -s $1 -d -j DROP
And add a policy like:
# NatACL_config group policy_add developers exec 1 '/usr/bin/'
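The IP and MAC that NatACL hands to an EXEC script come straight from the DHCP exchange, so a hook script should check their shape before splicing them into an iptables command. The script below is an added example, not NatACL's own code; it keeps the README's per-client chain name NatACL_fwd_<mac>, assumes a DENY_DEST placeholder for the destination to block, and with NATACL_DRY_RUN=1 prints the iptables command instead of running it.

```shell
#!/bin/sh
# Added example, not part of NatACL: an EXEC policy hook script.
# NatACL invokes it with $1 = client IP address and $2 = client MAC address;
# the per-client chain name NatACL_fwd_<mac> follows the README.
# DENY_DEST (the destination to block) is an assumed placeholder you set.
DENY_DEST="${DENY_DEST:-203.0.113.9}"   # constructed placeholder destination

# True if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])$'
}

# True if $1 is a colon-separated MAC address as NatACL_config lists them.
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Run iptables, or print the command when NATACL_DRY_RUN=1 (lets the hook
# be tested without root and without touching the live ruleset).
run_iptables() {
    if [ "${NATACL_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# Deny client $1 (IP) / $2 (MAC) access to destination $3.
# Returns 2 without touching iptables if any argument is malformed.
natacl_deny_dest() {
    ip="$1"; mac="$2"; dest="$3"
    is_ipv4 "$ip"   || { echo "refusing: bad client ip '$ip'" >&2; return 2; }
    is_mac  "$mac"  || { echo "refusing: bad client mac '$mac'" >&2; return 2; }
    is_ipv4 "$dest" || { echo "refusing: bad destination '$dest'" >&2; return 2; }
    run_iptables -t nat -I "NatACL_fwd_$mac" -p ALL -s "$ip" -d "$dest" -j DROP
}

# When NatACL runs this script directly: $1 = IP, $2 = MAC.
if [ $# -ge 2 ]; then
    natacl_deny_dest "$1" "$2" "$DENY_DEST"
fi
```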


By default, groups in NatACL cannot communicate with each other; you must set the groups' permissions.
In this example, the group 'board' will see the groups 'hr' and 'development' ( and the reverse: 'hr' and
'development' will see the group 'board' ):

NatACL_config group policy_add board group hr
NatACL_config group policy_add board group development
I recommend not allowing any group to access the group 'unknown'; this group is only for temporary machines.

Client Policies

The usage is almost the same as for group policies.
Just use NatACL_config client instead of NatACL_config group, and use a MAC address instead of a group name.


If you have configured the items above, you already have a working DHCP server, and your stations have internet access.
But if you want to force users to authenticate over the web before they get any internet access, you must use NatACL_web.
First you must add a group policy ( or a client policy ):
/usr/bin/NatACL_config group policy_add <grupo> natacl <multiple_sessions 1/0> <expire_options> <authentication_options>

<multiple_sessions> is a boolean value ( 0/1 ); it allows multiple logins using the same username.
<expire_options> defines the expiration method. There are 3 types:
ping_interval and time_interval are time values in seconds.

<authentication_options> defines the authentication type; these values can change from plugin to plugin.
|SERVER=<server>
where <server> is the POP3 server.
NatACL_config group policy_add hr natacl 1 EXPIRE_POPUP
NatACL_config group policy_add hr natacl 1 EXPIRE_TIME=3600
NatACL_config group policy_add hr natacl 1 EXPIRE_POPUP '|SERVER='

When the web authentication occurs, NatACL will look up the group's other policies and execute them.


If you want MRTG to generate statistics on NatACL groups, you must start NatACL_netdetect.

# NatACL_netdetect

This is a daemon program; it captures all network packets and generates statistics split by group.
You can run NatACL_netdetect_collector to see these statistics.

# NatACL_netdetect_collector stats external unknown
This shows the total bytes sent and the total bytes received by all machines in the group 'unknown' to and from the internet.
In Mrtg.conf you should have something like:
Target[vol_unknown]: `/usr/bin/NatACL_netdetect_collector stats external unknown`
Options[vol_unknown]:growright,nopercent, noinfo, nobanner
WithPeak[vol_unknown]: wmy
Legend3[vol_unknown]: Top IN
Legend4[vol_unknown]: Top Out


To start the DHCP server: