Hi,

We are using inline mode right now and do not want to use NAT with
registered users. So we went to customize the iptables.conf to take out the
line and followed these instructions:

# If you want to do your own thing regarding NAT like for example:
# - allowing through instead of doing NAT (make sure you have the proper return route)
# - traffic out on some interface other than management
# - overloading on multiple IP addresses
# Comment the next two lines and do it here on the POSTROUTING chain.
# Make sure to adjust the FORWARD rules also to allow traffic back-in.
:postrouting-int-inline-if - [0:0]
%%nat_postrouting_inline%%

But when we followed these instructions iptables kicked out a fatal error
about not being able to find postrouting-int-inline-if.so. We tried to get
rid of the error by initializing the chain for custom writing with
-N postrouting-int-inline-if but once we did that it just wrote all the
rules coded in iptables.pm as well as our custom rules. So we still ended
up with the rule for registered users passing through NAT whether we wanted it
or not.

We ended up altering the foreach loop that sets the rules in iptables.pm

# Every marked packet should be NATed
foreach ($IPTABLES_MARK_UNREG, $IPTABLES_MARK_REG, $IPTABLES_MARK_ISOLATION) {

to:

foreach ($IPTABLES_MARK_UNREG, $IPTABLES_MARK_ISOLATION) {
It seems as though there is no other way to customize NAT use. Am I missing
anything?
-- 
John Baker
Network Administrator
Marlboro College
Phone: 451-7551 Cell: 490-0066
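A worked version of the "do it here on the POSTROUTING chain" path that the comment block describes, as an added example that is not part of the original post or of the iptables.conf that PacketFence ships. It assumes eth0 is the inline interface, eth1 is the interface traffic leaves on, and that unregistered, registered and isolation traffic carry marks 0, 1 and 2 (assumed values; check the $IPTABLES_MARK_* variables in your own iptables.pm). With the shipped :postrouting-int-inline-if and %%nat_postrouting_inline%% lines commented out, this chain NATs only the unregistered and isolation marks, routes registered traffic untouched, and opens FORWARD for the replies, which is why the upstream router needs a return route to the inline subnet.

```iptables
*nat
# Replacement for the shipped postrouting-int-inline-if chain. Declare it
# only here; adding it again with -N is what produced both rule sets.
:custom-inline-nat - [0:0]
-A POSTROUTING -o eth1 -j custom-inline-nat
# Registered clients (assumed mark 1) are routed, not NATed.
-A custom-inline-nat -m mark --mark 1 -j RETURN
# Unregistered (assumed mark 0) and isolation (assumed mark 2) clients are
# still NATed so the portal and remediation paths keep working.
-A custom-inline-nat -m mark --mark 0 -j MASQUERADE
-A custom-inline-nat -m mark --mark 2 -j MASQUERADE
COMMIT

*filter
# FORWARD must let replies to the routed (un-NATed) registered traffic back
# in, and let registered traffic out; the shipped rules assume NAT.
-A FORWARD -i eth0 -o eth1 -m mark --mark 1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
```

Load it with iptables-restore and confirm with `iptables -t nat -L custom-inline-nat -v` that registered-client packets hit the RETURN rule rather than a MASQUERADE rule.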
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users