  1. #1
    Linux Newbie (Join Date: Jul 2005, Location: Australia (Down Under), Posts: 141)

    IPTABLES rule to redirect users to my internal webpage


    Hi All,

    What I'm trying to achieve is the following, and I'm 99% there. This is the last little bit I need to do.

    I have a transparent proxy server and use NTOP to monitor bandwidth. I want to use IPTABLES to redirect a user to a page on my internal Apache/proxy server that says "you have used too much data today".

    My proxy, ntop, etc. work, but I can't get that final IPTABLES rule to work.

    Here are my existing IPTABLES rules:
    Code:
    #!/bin/sh
    # squid server IP
    SQUID_SERVER="192.168.3.254"
    # Interface connected to Internet
    INTERNET="eth2"
    # Interface connected to LAN
    LAN_IN="eth0"
    # Squid port
    SQUID_PORT="8080"
    # DO NOT MODIFY BELOW
    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    
    # Load IPTABLES modules for NAT and IP conntrack support
    modprobe ip_conntrack
    
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Setting default filter policy
    
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow replies to connections this box opened (covers UDP, DNS and passive FTP)
    iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    # set this system as a router for Rest of LAN
    iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    # unlimited access to LAN
    iptables -A INPUT -i $LAN_IN -j ACCEPT
    iptables -A OUTPUT -o $LAN_IN -j ACCEPT
    # DNAT port 80 requests coming from LAN systems to squid port $SQUID_PORT aka transparent proxy
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    # if it is same system (REDIRECT takes --to-port, with two dashes)
    iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    # DROP everything and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP
    My setup is as follows:

    ISP Modem == Linksys Router == (eth2)Proxyserver (eth1) ==LAN

    What would the IPTABLES rule be to redirect all traffic from 192.168.3.200 (a user PC) to 192.168.3.254 (proxy/web server) on port 80?

    This way the user will be shown a message that says they have been blocked.


    I have tried a few things but none of them seemed to work for me.

    Thanks for your help
    Linux is the OS of tomorrow, Here today!!

  2. #2
    Just Joined! (Join Date: Feb 2009, Posts: 22)
    Maybe this helps.
    iptables -t nat -A PREROUTING -s 192.168.3.200 -i eth1 -j DNAT --to-destination 192.168.3.254
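The redirect the original poster asks for, restricted to web traffic and kept in its own nat chain so that over-quota hosts can be added and removed without re-running the whole firewall script. This is an added example, not code from the thread; it assumes the block page is served by Apache on 192.168.3.254:80 and that the LAN interface is eth0, as in the script above.

```shell
#!/bin/sh
# Added example, not from the thread. Puts the "quota exceeded" redirect in its own
# nat chain, hooked in front of the transparent-proxy DNAT, so a blocked host's
# port-80 traffic lands on the block page while everyone else still goes to Squid.
# Assumed values (taken from the thread): LAN interface eth0, block page on 192.168.3.254:80.
LAN_IN="eth0"
BLOCK_SERVER="192.168.3.254"
BLOCK_PORT="80"
CHAIN="QUOTA_BLOCK"
# Set IPTABLES=echo before calling the functions to dry-run (prints the commands instead).
: "${IPTABLES:=iptables}"

# Create the chain and insert the jump at position 1 of nat PREROUTING. Position
# matters: nat rules are taken in order, and the script's DNAT-to-Squid rule would
# otherwise claim the packet first. The -C check keeps the hook from being added twice.
quota_chain_init() {
    $IPTABLES -t nat -N "$CHAIN" 2>/dev/null
    $IPTABLES -t nat -C PREROUTING -i "$LAN_IN" -p tcp --dport 80 -j "$CHAIN" 2>/dev/null ||
        $IPTABLES -t nat -I PREROUTING 1 -i "$LAN_IN" -p tcp --dport 80 -j "$CHAIN"
}

# Send one host's web requests to the block page. Matching tcp/80 only, rather
# than "all traffic", leaves the host's DNS, mail and HTTPS alone.
quota_block_host() {
    $IPTABLES -t nat -A "$CHAIN" -s "$1" -p tcp --dport 80 \
        -j DNAT --to-destination "$BLOCK_SERVER:$BLOCK_PORT"
}

# Lift the block, e.g. from a cron job when the daily quota resets.
quota_unblock_host() {
    $IPTABLES -t nat -D "$CHAIN" -s "$1" -p tcp --dport 80 \
        -j DNAT --to-destination "$BLOCK_SERVER:$BLOCK_PORT"
}
```

Run quota_chain_init once after the main script (which flushes the nat table), then quota_block_host 192.168.3.200 when ntop shows that host over its quota; since the DNAT sends the request to Apache on port 80 rather than Squid on 8080, the block page is served directly.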

  3. #3
    Just Joined! (Join Date: Dec 2007, Posts: 16)
    This isn't an answer, so it's most likely useless.

    However, maybe what you want is to simply send everything to squid:
    s_port="3128"
    lan="eth0"
    iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-port $s_port

    and then have Squid take care of all your content filtering?
    Squid has other features too, and maybe you want to take advantage of them:
    password authentication
    caching
    specialized URL rewriting, etc.
