[GLLUG] iptables help

Melson, Paul PMelson at sequoianet.com
Tue Feb 3 08:02:56 EST 2004

Unfortunately, iptables can't do any sort of upper-layer
inspection/rewriting the way some other firewalls can, so you will have
to tweak a web server somewhere to issue a generic response regardless
of request.  The actual redirection is pretty straightforward, though:

# Set NAT/Mangle policies
/sbin/iptables -t nat --policy PREROUTING ACCEPT
/sbin/iptables -t nat --policy OUTPUT ACCEPT
/sbin/iptables -t nat --policy POSTROUTING ACCEPT
/sbin/iptables -t mangle --policy PREROUTING ACCEPT
/sbin/iptables -t mangle --policy OUTPUT ACCEPT
# Example redirect rule
/sbin/iptables -t nat -A PREROUTING -p tcp -d [restricted-net] --dport
80 -j REDIRECT --to [websvr-ip] --to-port 80


> -----Original Message-----
> From: Mike Rambo [mailto:mrambo at lsd.k12.mi.us]
> Sent: Monday, February 02, 2004 3:31 PM
> To: Gllug List
> Subject: [GLLUG] iptables help
> How do I configure iptables on a box to redirect all port 80 requests
> (regardless of nature) to one specific ip address which will contain
> instructions for the user?
> We have certain networks that are closed networks unless expressly
> permitted - meaning that they don't route unless acl's are updated to
> permit it. We do this by leasing the ip address based up mac 
> address and
> then running a daemon to update the firewall dynamically to pass
> approved traffic.
> The problem with this presently is that the user of a box that has not
> went through the approval process only sees that the computer doesn't
> work but provides no useful feedback - it times out or gets a non
> specific error depending on how we set it up. We'd like to add a small
> dhcp scope that supplies addresses to whoever plugs a machine 
> in to the
> drop but then sends all requests from those addresses to a 
> specific web
> page on an internal server (probably on the same subnet) that gives
> instuctions on what to do to request approved access.
> There are bunches of how-tos for forwarding external internet 
> traffic to
> internal web servers but I haven't found anything for redirecting
> internal boxes to internal web pages particularly when they are on the
> same subnet. Compounding the problem is that the requests 
> from external
> boxes from many places all directed to one place - the web server. We
> need to intercept internal requests directed to many/any locations -
> probably none of them to the web server and redirect them 
> there anyway.
> I've tried various combinations of DNAT and SNAT but haven't found the
> magic combination. Seems like I recall MSU does some of this 
> - maybe in
> the dorms or something. Anyone know how?
> Thanks.
> -- 
> Mike Rambo
> mrambo at lsd.k12.mi.us
> _______________________________________________
> linux-user mailing list
> linux-user at egr.msu.edu
> http://www.egr.msu.edu/mailman/listinfo/linux-user

More information about the linux-user mailing list