This article explains how to use the underlying firewall (iptables and ebtables) on your CensorNet server to bypass an IP address or subnet completely when running in inline mode. This is particularly useful for local sites that do not require filtering, or for servers that speak a non-standard HTTP protocol that can confuse CensorNet.
When the CensorNet server is running in "inline mode" it acts as a transparent bridge, usually with one NIC connected to the router and the other to the LAN. Data passing over the bridge is inspected, and anything destined for ports 80 and 443 (in both directions) is scanned by CensorNet.
In certain circumstances you may want to exclude particular IP addresses or subnets from being intercepted and filtered by CensorNet, for example internal servers.
To set the exclusion:
Log into the CensorNet server as root and type:
nano /etc/network/interfaces
Scroll down to the lines that start with pre-up /sbin/ebtables and pre-up /sbin/iptables (both also end in --redirect-target ACCEPT) and insert some blank lines above them. The bypass rules must sit above these lines: both chains stop at the first matching rule, so a bypass rule placed below the redirect rule would never fire.
In the newly created space, insert the following lines, replacing 192.168.1.10 with your desired subnet or single IP address (e.g. 10.10.10.0/24 or 192.168.1.250):
pre-up /sbin/iptables -t nat -F
pre-up /sbin/ebtables -t broute -F
pre-up /sbin/ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination 192.168.1.10 -j ACCEPT
pre-up /sbin/iptables -t nat -A PREROUTING -d 192.168.1.10 -j ACCEPT
Repeat the last two lines for each IP address/subnet you want to bypass.
Press Ctrl+X then Y followed by Enter.
You should now lock the file, so that the custom rules are not removed by the setup program in future. To do this type:
chattr +i /etc/network/interfaces
Don't forget that if you want to edit the file again you must remove the lock first with chattr -i /etc/network/interfaces
Now type the following on one line to activate the new rules (they may take several seconds to take effect):
ifdown br0;ifup br0
The bypassed IP/subnet will not be intercepted by CensorNet, so no filtering or reporting will take place for it at all. Note that the rules above match on the destination address, so every client on the LAN reaches that address unfiltered; choose the addresses you bypass accordingly.
To bypass only HTTPS traffic from a particular source address, use the following two lines instead, inserted in the same place and replacing x.x.x.x with the IP address:
pre-up /sbin/iptables -t nat -A PREROUTING -s x.x.x.x -p tcp --dport 443 -j ACCEPT
pre-up /sbin/ebtables -t broute -A BROUTING --ip-source x.x.x.x -p IPv4 --ip-protocol 6 --ip-destination-port 443 -j ACCEPT
Traffic from that address to port 80 is still intercepted and filtered as normal.
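The following POSIX shell helper is an added example, not CensorNet's own tooling. It generates the destination bypass block above for any number of addresses, generates the HTTPS-only source variant, rejects anything that is not a valid IPv4 address or CIDR before printing a single line (so a typo cannot leave a half-written block in the interfaces file), and checks a copy of the file to confirm that every bypass ACCEPT line sits above the first --redirect-target ACCEPT line. The function names and the sample addresses are my own choices.

```shell
#!/bin/sh
# Added example, not CensorNet's own code. Helpers for generating and checking
# the pre-up bypass lines described in the article. Function names are mine.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    case "$1" in
        */*) ip=${1%%/*}; pfx=${1#*/} ;;
        *)   ip=$1; pfx=32 ;;
    esac
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    case "$ip" in ''|*[!0-9.]*) return 1 ;; esac   # only digits and dots
    oldifs=$IFS; IFS=.
    set -- $ip            # split on dots into the function's own $1..$n
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '') return 1 ;; esac       # empty field, e.g. "1..2.3"
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the two pre-up lines that exclude one destination address or subnet
# from interception, in the same form as the article.
bypass_dest_rules() {
    valid_ipv4_cidr "$1" || { echo "bypass_dest_rules: invalid address: $1" >&2; return 1; }
    printf 'pre-up /sbin/ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination %s -j ACCEPT\n' "$1"
    printf 'pre-up /sbin/iptables -t nat -A PREROUTING -d %s -j ACCEPT\n' "$1"
}

# Print the two pre-up lines that exclude only HTTPS from one source address.
bypass_https_source_rules() {
    valid_ipv4_cidr "$1" || { echo "bypass_https_source_rules: invalid address: $1" >&2; return 1; }
    printf 'pre-up /sbin/iptables -t nat -A PREROUTING -s %s -p tcp --dport 443 -j ACCEPT\n' "$1"
    printf 'pre-up /sbin/ebtables -t broute -A BROUTING --ip-source %s -p IPv4 --ip-protocol 6 --ip-destination-port 443 -j ACCEPT\n' "$1"
}

# Print a complete block: the two flush lines followed by destination bypass
# rules for every address given. Validates everything first and prints nothing
# if any address is bad, so a partial block never reaches the interfaces file.
bypass_block() {
    for a in "$@"; do
        valid_ipv4_cidr "$a" || { echo "bypass_block: invalid address: $a" >&2; return 1; }
    done
    echo 'pre-up /sbin/iptables -t nat -F'
    echo 'pre-up /sbin/ebtables -t broute -F'
    for a in "$@"; do bypass_dest_rules "$a"; done
}

# Return 0 if every bypass "-j ACCEPT" line in file $1 comes before the first
# CensorNet redirect line (the one ending in --redirect-target ACCEPT). Both
# chains stop at the first matching rule, so a bypass below the redirect never
# fires; this catches a block pasted into the wrong place.
bypass_order_ok() {
    awk '
        /--redirect-target ACCEPT/ && !first_redirect { first_redirect = NR }
        /-j ACCEPT$/ && !/redirect/ { last_bypass = NR }
        END { exit (first_redirect && last_bypass > first_redirect) }
    ' "$1"
}

# Usage: print a block for two constructed sample addresses.
bypass_block 192.168.1.250 10.10.10.0/24
```

Redirect the output of bypass_block into the blank lines you created in /etc/network/interfaces (or paste it there), then run bypass_order_ok against the file before ifdown br0;ifup br0; a non-zero exit means a bypass line ended up below the redirect rules and will be ignored.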