[LARTC] Redirecting wayward traffic

Linux Advanced Routing and Traffic Control

I'm working on getting my firewall machine to display a message to my users
any time they wander off of the OK'd list.

The problem is when I have the line at the bottom labeled the problem line,
it redirects all port 80 requests to the local machine without allowing the
ones on the OK'd list out. When that line is commented out the script works
perfectly. When a user types in amazon.com, they get amazon.com; when they
type in hotsheep.com their browser times out. Anyone have any ideas how I
can just redirect the traffic that falls outside the wall to go back to the
local webserver to receive a proper error message?

I know the problem lies in the use of DNAT in PREROUTING happening before
the denial items, but I couldn't find a postrouting way to do it... experts
help! :)

Basically what I've got is:

eth0 is the  internet exposed side, eth1 is the internal (10.0.0.1) (Public
IP's blocked over)

iptables -F
iptables -F -t nat
iptables -X

iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -d localhost -j ACCEPT
iptables -A FORWARD -d 10.0.0.1 -j ACCEPT

#ENABLE EVERYONE ACCESS TO THE DNS SERVER
iptables -t nat -A POSTROUTING -o eth0 -d 209.XXX.XXX.XXX -j MASQUERADE
iptables -A FORWARD -d 209.XXX.XXX.XXX -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 209.XXX.XXX.XXX -j MASQUERADE
iptables -A FORWARD -s 209.XXX.XXX.XXX -j ACCEPT


#ENABLE EVERYONE ACCESS TO THE INTERNAL SIDE OF THIS MACHINE
iptables -t nat -A POSTROUTING -o eth1 -d 10.0.0.1 -j MASQUERADE
iptables -A FORWARD -d 10.0.0.1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.1 -j MASQUERADE
iptables -A FORWARD -s 10.0.0.1 -j ACCEPT


#ENABLE ACCESS TO amazon.com
iptables -t nat -A POSTROUTING -o eth0 -d amazon.com -j MASQUERADE
iptables -A FORWARD -d amazon.com -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s amazon.com -j MASQUERADE
iptables -A FORWARD -s amazon.com -j ACCEPT
#END OF ENABLE ACCESS TO amazon.com


#IF THEY STEP OUT OF THE WALL AND THEY'RE BROWSING, REDIRECT THEM TO THE LOCAL
#THAT HAS ONLY A 404 ERROR SET TO DISPLAY A PAGE THAT SAYS THEY CAN ONLY GET
#TO AMAZON

#THIS IS THE PROBLEM LINE
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
#THIS IS THE PROBLEM LINE


iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A FORWARD -j DROP


Thanks in advance!

-David Talbot
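One way to get the ordering the post asks for, as an added example that is not from the original message or the LARTC archive: since the nat PREROUTING chain is consulted before FORWARD filtering, exempt the allowed destinations there with ACCEPT rules placed before the catch-all DNAT, and bind the redirect to the internal interface so port-80 traffic arriving on the internet side is never rewritten toward the internal web server. The interface name, local web server address and allow list below are assumed values, and IPT can be overridden to dry-run the rule set without root.

```shell
#!/bin/sh
# Added example (not from the original post). Orders the nat PREROUTING
# chain so allowed destinations are exempted before the catch-all redirect.
# IPT can be overridden (e.g. IPT=echo) to dry-run the rules without root.
IPT="${IPT:-iptables}"

# Assumed values: internal interface, local error-page server, allow list.
# Hostnames are resolved once at rule-load time (as in the original rules);
# a name that resolves to several addresses expands to one rule each.
LAN_IF="eth1"
LOCAL_WEB="10.0.0.1"
ALLOWED="amazon.com"

# Emits the PREROUTING rules: one ACCEPT per allowed host, then the DNAT.
# A packet matched by ACCEPT in nat PREROUTING leaves the chain untranslated
# and is judged by FORWARD as before; only the remainder is rewritten.
redirect_rules() {
    for host in $ALLOWED; do
        "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
            -d "$host" -j ACCEPT
    done
    # Traffic already bound for the gateway's own web server stays as-is.
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -d "$LOCAL_WEB" -j ACCEPT
    # Everything else from the LAN on port 80 goes to the local error page.
    # "-i eth1" keeps port-80 traffic arriving on eth0 out of this redirect.
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$LOCAL_WEB"
}

# Apply only when explicitly asked, so sourcing the file for a dry run is safe.
if [ "${APPLY_RULES:-no}" = "yes" ]; then
    redirect_rules
fi
```

The ACCEPT rules only stop address rewriting; the FORWARD chain from the original script still decides whether the un-rewritten connection is allowed out.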