I should point out that in order to get Masquerading working with
iptables, and having an aliased interface, you will also have to
consider adding routing entries in the routing table (Again easily
done).


On Wed, 2004-07-28 at 11:30, Michael Petch wrote:
> You are very much on the right track with what you posted here. I can
> say that there are such devices out there that do things similar.
> 
> Since you clearly have knowledge here, I will just answer this in
> generalities.
> 
> Clearly you already are on the right track with arp spoofing, and
> accessing the arp requests to determine a static IP address and the
> gateway. Clearly doable. 
> 
> Now with that said. How about this. You intercept the ARP request as you
> suggest and you use spawned-off calls to IFCONFIG and IPTABLES to do the
> rest.
> 
> You talk about creating a temporary alias so that your Gateway appears
> as the gateway of the person with the static ip address. (spawn off a
> call and run ifconfig - easily done). But then you have the problem of
> routing the packets. I think the answer to this seems quite easy. At
> this point assume you have intercepted the arp packets and you
> have brought up an aliased interface - now how about using IPTABLES and
> DYNAMICALLY adding Masquerading rules to do all the work for you?
> 
> Of course you'd have to rework your iptables rules but this is not an
> issue if you have the knowledge you seem to do about networking already.
> 
> You talk about DNS requests. Seems simple. Add an IPTABLES rule that
> says "Anything inbound from the internal interface using "DNS ports"
> from "ANY Source IP Address" are redirected to a DNS server of your
> choice.
> 
> Now you may also want to consider tearing down aliases when they are no
> longer in use. I.e.: A user logs in with a static IP, your gateway
> reconfigures itself (Alias and IPTABLE rule changes). But let's say the
> user disconnects. Then what? After a period of inactivity you probably
> want to tear down the interface and undo the iptables rules.
> 
> Couple of ways of looking at this. You monitor activity from the IP address
> and if there is no activity for X number of minutes you tear things down
> (You could create an IPTables userland filter). With less hassle, you
> could do a PING occasionally to the user's system, but what if they have a
> firewall blocking ICMP? There are other types of Ping (hint).
> 
> You seem very knowledgeable, and I believe you will be successful if you
> proceed down the lines you have suggested. I do know of devices that do
> just as you are suggesting, and they are not very complex if you use
> Linux, a bit of programming, and usage of the tools of the OS.
> 
> Mike Petch
> 
> On Wed, 2004-07-28 at 01:39, Martin Glazer wrote:
> > Hi All,
> > 
> > I'm trying to figure out if anyone knows a Linux s/w application or some 
> > other method of doing the following -
> > 
> > I have a semi-public, controlled, internet access point (ethernet), in which 
> > anyone can connect their laptop, but what I want to avoid is for the person 
> > connecting (running Linux/Windows/Mac OS) from having to make any changes to 
> > their network configuration. ie. if they are running a dhcp client on their 
> > machine, then I will provide a dynamic address (easy enough), but if they 
> > already have a static IP, with associated gateway and nameserver, then I 
> > would still like to allow access for them, even though my network is on a 
> > completely different subnet, different gateway, different nameserver. The 
> > connecting laptop could have any IP address and I will not know the address 
> > or other network information beforehand.
> > 
> > For example - the person connecting has a static IP, 192.168.10.55, gateway 
> > 192.168.10.1. My subnet is 172.16.128.0/24 with gateway 172.16.128.1. (For 
> > dhcp it is easy enough to do this and so I am not concerned with that case). 
> > I want that when 192.168.10.55 tries to access their gateway (192.168.10.1), 
> > somehow my gateway responds and allows them access, as well as routing the 
> > packets back to them.
> > 
> > I was thinking of using some type of arp spoofing, so that when 192.168.10.55 
> > sends an arp request for the gateway (192.168.10.1), my gateway responds to 
> > the arp but with its address, and hence lets the request out. For the 
> > returning packet, I would need some method of associating the requesting IP 
> > with the returning packet, maybe creating a temporary alias for my network 
> > card on my gateway? 
> > I would also have to intercept DNS requests as well and have my DNS server 
> > respond.
> > 
> > Do I need some form of arp proxy?
> > 
> > Can this even be done or am I totally dreaming?
> > 
> > Thanks for any help and suggestions.
> > 
> > Martin
> > 
> > _______________________________________________
> > clug-talk mailing list
> > [EMAIL PROTECTED]
> > http://clug.ca/mailman/listinfo/clug-talk_clug.ca
-- 
Mike Petch
CApp::Sysware Consulting Ltd.
Suite 1002,1140-15th Ave SW.
Calgary, Alberta, Canada.
T2R 1K6.
(403)804-5700.
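The pieces Mike lists (an alias for the visitor's expected gateway address, the routing entry, dynamically added MASQUERADE rules, a DNS redirect, and a matching teardown for idle clients) fit into one small script. The one below is an added example written for this thread, not code from either poster. Rather than hand-crafting spoofed ARP replies it lets the kernel's proxy_arp answer for the aliased address, which is the "arp proxy" Martin asked about. Interface names, the resolver address, the DRY_RUN switch and all function names are assumptions; the iptables counter output used by client_packets is constructed to match the layout of `iptables -nvxL FORWARD`.

```shell
#!/bin/sh
# Bring a visitor with a foreign static IP onto the gateway without touching
# the visitor's configuration. Added example; the interface names below are
# assumptions and should match the real gateway.

LAN_IF="${LAN_IF:-eth1}"              # assumed: interface visitors plug into
WAN_IF="${WAN_IF:-eth0}"              # assumed: upstream interface
RESOLVER="${RESOLVER:-172.16.128.1}"  # assumed: DNS server visitors are redirected to
DRY_RUN="${DRY_RUN:-0}"               # 1 = print the commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reject anything that is not a dotted quad before it reaches ip/iptables:
# the client address and gateway come straight off the wire.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Every rule is written once; setup passes -A and teardown passes -D, so the
# rules removed are exactly the rules that were added.
apply_rules() {
    verb=$1
    client=$2
    # Masquerade the visitor's traffic out the upstream interface.
    run iptables -t nat "$verb" POSTROUTING -s "$client" -o "$WAN_IF" -j MASQUERADE
    # Whatever nameserver the visitor has configured, answer from ours.
    run iptables -t nat "$verb" PREROUTING -i "$LAN_IF" -s "$client" -p udp --dport 53 -j DNAT --to-destination "$RESOLVER"
    run iptables -t nat "$verb" PREROUTING -i "$LAN_IF" -s "$client" -p tcp --dport 53 -j DNAT --to-destination "$RESOLVER"
    # Forward only this client's traffic, and only replies coming back to it.
    run iptables "$verb" FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$client" -j ACCEPT
    run iptables "$verb" FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$client" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# setup_static_client CLIENT_IP CLIENT_GATEWAY
setup_static_client() {
    client=$1
    gw=$2
    valid_ipv4 "$client" && valid_ipv4 "$gw" || { echo "bad address" >&2; return 1; }
    # The alias: our LAN interface now also carries the visitor's gateway address.
    run ip addr add "$gw/32" dev "$LAN_IF"
    # Let the kernel answer ARP for addresses it routes, instead of spoofing replies.
    run sysctl -q -w "net.ipv4.conf.$LAN_IF.proxy_arp=1"
    # The routing entry: the visitor is reachable on LAN_IF despite being off-subnet.
    run ip route add "$client/32" dev "$LAN_IF"
    apply_rules -A "$client"
}

# teardown_static_client CLIENT_IP CLIENT_GATEWAY -- the inverse of setup.
teardown_static_client() {
    client=$1
    gw=$2
    valid_ipv4 "$client" && valid_ipv4 "$gw" || { echo "bad address" >&2; return 1; }
    apply_rules -D "$client"
    run ip route del "$client/32" dev "$LAN_IF"
    run ip addr del "$gw/32" dev "$LAN_IF"
}

# Inactivity check without pinging the visitor: read the packet counter of the
# client's FORWARD rule from `iptables -nvxL FORWARD` output on stdin. A cron
# job can compare successive values and call teardown when they stop moving.
client_packets() {
    awk -v ip="$1" '$3 == "ACCEPT" && $8 == ip { print $1; found = 1 }
                    END { if (!found) print 0 }'
}

case "${1:-}" in
    up)   setup_static_client "$2" "$3" ;;
    down) teardown_static_client "$2" "$3" ;;
esac
```

Run as `./visitor.sh up 192.168.10.55 192.168.10.1` when the client's ARP request is seen and `./visitor.sh down 192.168.10.55 192.168.10.1` when its counters go quiet; with `DRY_RUN=1` the script only prints what it would do, which is the easiest way to review the generated rules before letting them loose on a gateway.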

