Re: redirect to webpage

On 10/31/07 12:02, dhottinger@xxxxxxxxxxxxxxxxxxxxxx wrote:
Cool and thanks,

So something like: $IPC -t nat -A PREROUTING -d cantbustme.net -j DNAT --to-destination mywebserver.com ? Where cantbustme is the site I want to redirect and mywebserver is the box with the "you've been busted" page?

Yes, well sort of. Keep in mind that IPTables operates on a packet level (OSI Layers 2 and/or 3), not the URL level (OSI Layer 7). Thus if you have multiple different web sites all residing on the same server, IPTables by default has no way to differentiate packets going to one URL from packets going to another URL. (That is not quite true, you could use Layer 7 filtering to do this.) Also keep in mind that the IPTables binary will translate the names to IP addresses at the time the command is run. So if the IP address changes you will need to update your rule. All this being said, yes, your rule will catch and DNAT (redirect) packets to your server.

A gotcha to keep in mind is that if you redirect internal clients' traffic back to an internal web server, the internal web server will see the traffic as coming (purportedly) directly from the internal client to the internal web server, and as such will reply from the internal web server directly to the internal client. In such cases your internal client will see an outgoing connection to one supposed external server and will be getting this unknown, not correctly initiated TCP connection from this rude internal web server that needs to be told where to go. One way to work around this is to SNAT the traffic that is being DNATed by your firewall to the internal web server, such that replies from the web server are sent back to the internal firewall, which will unSNAT and unDNAT the traffic and send it back to the original client in such a way that the original client is perfectly happy with the traffic, thinking it came from the original destination server.

What a lot of people do is configure a proxy server on the firewall and configure clients to use it. Any clients that try to bypass the proxy by connecting directly get redirected to the proxy server port that is listening in transparent proxy mode. This way they can force everyone to use the proxy. In short, have the proxy answer normal proxy queries on its standard port (Squid uses 3128) and also listen in transparent proxy mode on port 80. This way you only need to use one statement in IPTables to redirect (via the REDIRECT target) traffic passing through the firewall on port 80 to the local port 80 that is listening in transparent proxy mode.

I personally prefer to have clients be aware that they are connecting to a proxy server rather than using transparent proxying for everything. It is my (possibly misguided) long held belief that talking to a proxy as a proxy is better than talking to a proxy as a web server.

The difference between the REDIRECT target and the DNAT target is that DNAT will send the traffic anywhere you tell it to, whereas REDIRECT only alters the destination to be the local IP address of the interface the traffic comes in on. Thus when you want to redirect traffic to a proxy running on the local system the REDIRECT target will work just fine, whereas when you want to redirect traffic to a proxy running on a different system you will need to DNAT and SNAT the traffic.



Grant. . . .
-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
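Added example, not part of Grant's reply nor anything shipped by the netfilter project: a small POSIX shell script that emits the rules for both cases discussed above, the hairpin DNAT plus SNAT that sends internal clients to an internal "busted" page server, and the REDIRECT that forces port-80 traffic into a transparent proxy on the firewall itself. It also resolves names to addresses once, at rule-creation time, which is all the iptables binary would do. The interface name eth1, the 192.168.1.0/24 LAN, the firewall address 192.168.1.1 and the hostnames given on the command line are assumptions for illustration. IPT defaults to a dry run that prints the iptables commands, so the generated rules can be inspected before being applied as root with IPT=iptables.

```shell
#!/bin/sh
# Added example (not from the original reply): iptables rule generation for the
# two cases discussed, a hairpin DNAT+SNAT and a REDIRECT to a transparent proxy.
# Everything below (interface, addresses, hostnames) is an assumption for
# illustration. IPT defaults to a dry run that prints the commands; run with
# IPT=iptables (as root) to apply them.
set -eu

IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"              # interface facing the internal clients
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # internal client network
FW_LAN_IP="${FW_LAN_IP:-192.168.1.1}" # firewall's address on that network
PROXY_PORT="${PROXY_PORT:-80}"        # local port where the proxy listens transparently

# Resolve a name to one IPv4 address now, at rule-creation time, which is all
# the iptables binary itself would do: the rule holds the address, not the
# name, so it must be re-created if the site's address changes. IPv4 literals
# pass through unchanged; names go through getent ahostsv4 (glibc).
resolve_ip() {
    case "$1" in
        *[!0-9.]*) getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }' ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# Case 1: internal clients going to the blocked site are sent to an internal
# web server. The DNAT alone would make the server answer the client directly,
# from an address the client never connected to. The SNAT rewrites the source
# to the firewall's LAN address so the server replies to the firewall, which
# undoes both translations before handing the packet back to the client. By
# POSTROUTING the destination has already been rewritten, so the SNAT rule
# matches on the server's address, not the blocked site's.
hairpin_rules() {
    blocked_ip=$(resolve_ip "$1")
    server_ip=$(resolve_ip "$2")
    if [ -z "$blocked_ip" ] || [ -z "$server_ip" ]; then
        echo "hairpin_rules: could not resolve '$1' or '$2'" >&2
        return 1
    fi
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$blocked_ip" \
        -p tcp --dport 80 -j DNAT --to-destination "$server_ip"
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$server_ip" \
        -p tcp --dport 80 -j SNAT --to-source "$FW_LAN_IP"
}

# Case 2: force all port-80 traffic from the LAN into a proxy listening in
# transparent mode on the firewall itself. REDIRECT only ever points the
# packet at the address of the interface it arrived on, so it is the right
# target here; a proxy on another host needs the DNAT+SNAT pair instead.
transparent_proxy_rules() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}

# Usage: sh redirect.sh <blocked-site> <busted-page-server>   (dry run by default)
if [ "$#" -eq 2 ]; then
    hairpin_rules "$1" "$2"
    transparent_proxy_rules
fi
```

Both rule sets are deliberately narrowed to TCP port 80 from the LAN; the one-liner in the question would have matched every protocol and port to that address. Applying the hairpin rules for real also needs packet forwarding enabled on the firewall (net.ipv4.ip_forward=1), and the SNAT rule can be tightened further with -m conntrack --ctstate DNAT so that it only touches connections the firewall itself redirected.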
