Dynamic redirection? - Glen Becker

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Glen Becker <solar04@comcast.net>
To: netfilter@lists.netfilter.org
Subject: Dynamic redirection?
Date: 26 Feb 2004 00:42:31 -0500	[thread overview]
Message-ID: <1077774151.3036.78.camel@merlin> (raw)

Hello, I haven't been lurking here long but have tried the FAQs,
tutorials and How-To's.  I'm an iptables novice.  I thought this would
be simple; I hope I'm overlooking something obvious.

I have a Linux server acting as a gateway between the internet and the
internal network, allowing only authenticated hosts internet access.  I
have a simple FORWARD (policy DROP) ruleset into which individual hosts,
after authentication, are inserted and allowed internet access.  As each
host's session time expires, the corresponding ACCEPT rule is removed
from FORWARD.  That all works well.

Now I would like to do something like DNAT for http connections from
NON-authenticated hosts to a webserver on my gateway box, but still let
authenticated hosts through.

-t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.2.1
unfortunately catches everything.

Is there a way to "redirect" web connections only if the packet hasn't
already been ACCEPTed for forwarding?

For example:
Host 192.168.2.128 is authenticated and should be allowed any internet
connections.  http requests from all other internal hosts are sent to
the local web server:

-P FORWARD DROP
-A FORWARD -p udp --dport 53 -j ACCEPT
-A FORWARD -p udp --sport 53 -j ACCEPT
-A FORWARD -s 192.168.2.128 -p ALL -j ACCEPT
-A FORWARD -d 192.168.2.128 -p ALL -j ACCEPT
-A [something really smart like DNAT but only if the packet traverses
this far]

Thanks

-Glen

next             reply	other threads:[~2004-02-26  5:42 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-02-26  5:42 Glen Becker [this message]
2004-02-26  8:32 ` Dynamic redirection? Philip Craig
2004-02-26 15:24   ` Glen Becker
2004-02-26  9:25 ` Jeroen Vriesman
  -- strict thread matches above, loose matches on Subject: below --
2004-02-26  8:00 Daniel Chemko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1077774151.3036.78.camel@merlin \
    --to=solar04@comcast.net \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.