* DNAT and promiscuous mode
From: Travis Johnson @ 2004-04-26 17:03 UTC
To: netfilter

Hi,

Is it possible to use DNAT on an interface that only runs in promiscuous
mode to redirect web traffic to a different IP address?
Traffic does not pass through the firewall, only a single ethernet
interface in promiscuous mode.

Thanks,
Travis
Microserv
* Re: DNAT and promiscuous mode
From: Cedric Blancher @ 2004-04-26 17:30 UTC
To: Travis Johnson; +Cc: netfilter

On Mon 26/04/2004 at 19:03, Travis Johnson wrote:
> Is it possible to use DNAT on an interface that only runs in promiscuous
> mode to redirect web traffic to a different IP address?
> Traffic does not pass through the firewall, only a single ethernet
> interface in promiscuous mode.

Yes, you can handle traffic with a promisc interface just the way you
handle it with a normal one, as long as it is destined to its MAC
address. But you may describe your setting and your goal a bit more, for
I don't really understand the purpose of promisc there.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
[parent not found: <408D4875.2030407@ida.net>]
* Re: DNAT and promiscuous mode
From: Cedric Blancher @ 2004-04-26 17:43 UTC
To: Travis Johnson; +Cc: netfilter

On Mon 26/04/2004 at 19:35, Travis Johnson wrote:
> The traffic would not be destined to that MAC address, it would simply
> be going past this machine.

Do you mean this machine is a bridge?

> I am looking to re-direct my customers that are past due to a
> different web page.

Then transparent proxying is what you need, and it does not require
promiscuous mode.

PS: you should reply to the list (at least Cc).

-- 
http://www.netexit.com/~sid/
[parent not found: <408D4BA2.4030901@ida.net>]
* Re: DNAT and promiscuous mode
From: Cedric Blancher @ 2004-04-26 18:02 UTC
To: netfilter

On Mon 26/04/2004 at 19:49, Travis Johnson wrote:
> No, this machine is not a bridge. It will simply sit and watch the
> traffic go by.

You can't do that this way, for you will duplicate traffic, as original
packets will continue their journey to their original destination. You
have to _intercept_ it. This kind of setting is OK:

    Internet ----- FW ------ DMZ
                    |
                    |
                    `--- Alt.Web

On the firewall, you set a mark based routing for HTTP packets to
Alt.Web (see lartc.org cookbook). On Alt.Web, you set a REDIRECT NAT for
HTTP packets to proxy port (e.g. 3128):

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT \
        --to-ports 3128

HTTP proxy has to be configured for transparent proxying (see Squid
docs).

If you want interception to be more "transparent", you can use a bridge
and use ebtables broute table or frame diverter in order to catch HTTP
packets on the fly.

-- 
http://www.netexit.com/~sid/
* Re: DNAT and promiscuous mode
From: Dick St.Peters @ 2004-04-26 20:27 UTC
To: netfilter

Cedric Blancher writes:
> On Mon 26/04/2004 at 19:35, Travis Johnson wrote:
> > I am looking to re-direct my customers that are past due to a
> > different web page.
>
> Then transparent proxying is what you need, and it does not require
> promiscuous mode.

If the context is local users (such as dialup customers) accessing the
internet, it's not necessary to run a proxy to divert them to a
different web page. I do this with a combination of policy routing and
DNAT.

First, set aside a small block of IP addresses to be assigned only to
overdue customers. RADIUS does this easily.

Then route all web queries from these addresses to the overdue site
using policy routing. I do this in a Cisco because it's there, but most
any modern router, including a Linux box, will do.

Then on the overdue site box, DNAT all packets from those sources to the
IP address and port of the overdue site.

This works like a charm and completely ignores traffic to/from other
users.

-- 
Dick St.Peters, stpeters@NetHeaven.com
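A shell script, added here and not part of the thread, that generates the rule sets for the two designs discussed above: Cedric's mark-based routing on the firewall plus REDIRECT to a transparent proxy on Alt.Web, and Dick's policy routing by overdue source block plus DNAT on the overdue-site box (written for a Linux router with iproute2 rather than a Cisco). The addresses, fwmark values, routing-table ids and the DRY_RUN switch are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: generates the Linux netfilter and
# iproute2 rules for the two interception designs described above. Addresses,
# fwmark values and routing-table ids passed in are constructed placeholders.
# With DRY_RUN=1 (the default) each rule is printed instead of executed, so the
# generated rule set can be reviewed before it is applied as root.
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Design 1 (Cedric's reply): the firewall marks port-80 packets in mangle
# PREROUTING, i.e. before the routing decision, so an fwmark rule can send
# them to Alt.Web instead of forwarding them to their real destination.
#   $1 = Alt.Web address   $2 = fwmark value   $3 = routing table id
fw_mark_route() {
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark "$2"
    run ip rule add fwmark "$2" table "$3"
    run ip route add default via "$1" table "$3"
}

# Alt.Web receives packets addressed to other hosts; REDIRECT rewrites the
# destination to its own address so a transparent proxy on port $1 answers.
altweb_redirect() {
    run iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports "$1"
}

# Design 2 (Dick's reply) on a Linux router: only web queries from the overdue
# address block are marked and routed to the overdue-site box.
#   $1 = overdue block   $2 = overdue box address   $3 = fwmark   $4 = table id
router_overdue_route() {
    run iptables -t mangle -A PREROUTING -s "$1" -p tcp --dport 80 -j MARK --set-mark "$3"
    run ip rule add fwmark "$3" table "$4"
    run ip route add default via "$2" table "$4"
}

# On the overdue-site box, DNAT those packets to the overdue page. The -s match
# leaves other customers' traffic alone; conntrack un-translates the replies.
#   $1 = overdue block   $2 = overdue site as ip:port
overdue_dnat() {
    run iptables -t nat -A PREROUTING -s "$1" -p tcp --dport 80 -j DNAT --to-destination "$2"
}
```

Run the functions with DRY_RUN=0 as root to apply the rules; the routing tables named by id must also exist in /etc/iproute2/rt_tables or be referenced by number, as here.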