* Redirect outgoing traffic
From: Dean Montgomery @ 2007-09-22  0:50 UTC
  To: netfilter

We have a program that allows teachers to turn off the Internet in their
school classrooms.  The script shells into each workstation and blocks
outgoing traffic to any computer port 80, 8080, etc.

This works great.  However we would like something more end-user friendly.

I would like to change this so that the outgoing web traffic gets redirected
to a small web daemon that displays a message "The teacher has turned off the
internet".

Setting up the web daemon was easy.

However I do not know how to write an iptables firewall rule to redirect all
outgoing web traffic from the local workstation to a different ip and port.

e.g.
redirect any outgoing traffic to any ip on port 80,443,3128,8080 -to-
192.168.0.1 port 55580

Any ideas?



* Re: Redirect outgoing traffic
From: Amos Jeffries @ 2007-09-22  1:59 UTC
  To: netfilter

Dean Montgomery wrote:
> We have a program that allows teachers to turn off the Internet in their
> school classrooms.  The script shells into each workstation and blocks
> outgoing traffic to any computer port 80, 8080, etc.
> 
> This works great.  However we would like something more end-user friendly.
> 
> I would like to change this so that the outgoing web traffic gets redirected
> to a small web daemon that displays a message "The teacher has turned off the
> internet".
> 
> Setting up the web daemon was easy.
> 
> However I do not know how to write an iptables firewall rule to redirect all
> outgoing web traffic from the local workstation to a different ip and port.
> 
> e.g.
> redirect any outgoing traffic to any ip on port 80,443,3128,8080 -to-
> 192.168.0.1 port 55580
> 
> Any ideas?
> 

I think you will find it much easier to pass at least each classroom's 
traffic through a control point where all the 'fancy' configuration happens.

I'll admit to some bias, being a Squid proxy developer. But take a good 
look at proxy software in general. They can do so much more for web 
traffic control based on many criteria than simple allow/deny at the 
firewall.


Amos Jeffries


* Re: Redirect outgoing traffic
From: Dean Montgomery @ 2007-09-24 22:32 UTC
  To: netfilter; +Cc: Amos Jeffries

Amos Jeffries wrote:
>
> I think you will find it much easier to pass at least each classroom's
> traffic through a control point where all the 'fancy' configuration
> happens.

We already have a proxy server running that captures all http traffic and 
filters it through dansguardian.

I would prefer to have an iptables rule on the client workstation to redirect 
http traffic to a different server.


e.g.
redirect any outgoing traffic to any ip on port 80,443,3128,8080 -to-
192.168.0.1 port 55580

I'm just looking for the right iptables syntax.

Thanks.




-- 
Dean Montgomery
Network Support Tech./Programmer
School District #73


* Re: Redirect outgoing traffic
From: Martijn Lievaart @ 2007-09-25  0:01 UTC
  To: Dean Montgomery; +Cc: netfilter

Dean Montgomery wrote:
> We have a program that allows teachers to turn off the Internet in their
> school classrooms.  The script shells into each workstation and blocks
> outgoing traffic to any computer port 80, 8080, etc.
>
> This works great.  However we would like something more end-user friendly.
>
> I would like to change this so that the outgoing web traffic gets redirected
> to a small web daemon that displays a message "The teacher has turned off the
> internet".
>
> Setting up the web daemon was easy.
>
> However I do not know how to write an iptables firewall rule to redirect all
> outgoing web traffic from the local workstation to a different ip and port.
>
> e.g.
> redirect any outgoing traffic to any ip on port 80,443,3128,8080 -to-
> 192.168.0.1 port 55580
>
> Any ideas?
>   

This can be done with a DNAT rule, if, and only if, the return traffic 
from the proxy goes back through the firewall. The syntax is trivial, 
use 'iptables -j DNAT -h' to get help on the syntax.

As the web daemon is trivial, you can also set it up on the firewall 
itself. That way you don't have the issue with the return traffic.

For https do note that the client will always get an ugly certificate 
warning (certificate does not match requested name and probably a second 
one that the root certificate is not trusted). This cannot be helped 
(easily).

HTH,
M4



* Re: Redirect outgoing traffic
From: Dean Montgomery @ 2007-09-26 23:46 UTC
  To: Martijn Lievaart, netfilter

On September 24, 2007, you wrote:
> Dean Montgomery wrote:
> > We have a program that allows teachers to turn off the Internet in their
> > school classrooms.  The script shells into each workstation and blocks
> > outgoing traffic to any computer port 80, 8080, etc.
> >
> > This works great.  However we would like something more end-user
> > friendly.
> >
> > I would like to change this so that the outgoing web traffic gets
> > redirected to a small web daemon that displays a message "The teacher has
> > turned off the internet".
> >
> > Setting up the web daemon was easy.
> >
> > However I do not know how to write an iptables firewall rule to redirect
> > all outgoing web traffic from the local workstation to a different ip and
> > port.
> >
> > e.g.
> > redirect any outgoing traffic to any ip on port 80,443,3128,8080 -to-
> > 192.168.0.1 port 55580
> >
> > Any ideas?
>
> This can be done with a DNAT rule, if, and only if, the return traffic
> from the proxy goes back through the firewall. The syntax is trivial,
> use 'iptables -j DNAT -h' to get help on the syntax.

Only problem with this is that I want the rule on the local workstation and 
not on the nat box.  DNAT table is not picked up by local traffic leaving the 
workstation.

So this does not work...
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination :48888



-- 
Dean Montgomery
Network Support Tech./Programmer
School District #73


* Re: Re: Redirect outgoing traffic
From: Gáspár Lajos @ 2007-09-27  7:40 UTC
  To: Dean Montgomery, Netfilter list

Dean Montgomery wrote:
> Only problem with this is that I want the rule on the local workstation and 
> not on the nat box.  DNAT table is not picked up by local traffic leaving the 
> workstation.
>
> So this does not work...
> iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination :48888
>
>   
But in the OUTPUT chain....
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j DNAT ....

Swifty
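As an added example, not a script posted in the thread: a small POSIX shell script that generates (rather than directly runs) the nat OUTPUT rules Gáspár points at and Martijn's DNAT suggestion, completed with the values from the original post (daemon at 192.168.0.1 port 55580, web ports 80, 443, 3128, 8080). The chain name NETOFF, the variable names and the function names are my own assumptions; `-m multiport`, `-C` (check) and the DNAT target are standard iptables.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the nat OUTPUT rules
# that redirect the workstation's own outgoing web traffic to the
# "internet is off" daemon. Values taken from the original post: daemon at
# 192.168.0.1 port 55580, web ports 80,443,3128,8080. The chain name
# NETOFF, the variable names and the function names are assumptions.

DAEMON_HOST="${DAEMON_HOST:-192.168.0.1}"
DAEMON_PORT="${DAEMON_PORT:-55580}"
WEB_PORTS="${WEB_PORTS:-80,443,3128,8080}"
CHAIN="NETOFF"
IPTABLES="${IPTABLES:-iptables}"

# The functions print commands rather than running them, so the rule set can
# be reviewed (or unit-tested) before being piped into sh as root.

# Core rule: locally generated TCP to any of the web ports gets its
# destination rewritten. It must sit in the nat table's OUTPUT chain:
# PREROUTING only sees packets arriving on an interface, never packets the
# workstation itself originates, which is why the poster's rule never fired.
netoff_rule() {
    printf '%s -t nat -A %s -p tcp -m multiport --dports %s -j DNAT --to-destination %s:%s\n' \
        "$IPTABLES" "$CHAIN" "$WEB_PORTS" "$DAEMON_HOST" "$DAEMON_PORT"
}

netoff_enable() {
    # Own chain: create it, or flush it if a previous run left it behind,
    # so re-running enable never stacks duplicate rules.
    printf '%s -t nat -N %s 2>/dev/null || %s -t nat -F %s\n' \
        "$IPTABLES" "$CHAIN" "$IPTABLES" "$CHAIN"
    # Connections to the daemon host are left alone, so the message page and
    # anything else served from that box keep working.
    printf '%s -t nat -A %s -d %s -j RETURN\n' "$IPTABLES" "$CHAIN" "$DAEMON_HOST"
    netoff_rule
    # Hook the chain from nat OUTPUT exactly once (-C checks for an existing jump).
    printf '%s -t nat -C OUTPUT -j %s 2>/dev/null || %s -t nat -I OUTPUT -j %s\n' \
        "$IPTABLES" "$CHAIN" "$IPTABLES" "$CHAIN"
}

netoff_disable() {
    printf '%s -t nat -D OUTPUT -j %s 2>/dev/null\n' "$IPTABLES" "$CHAIN"
    printf '%s -t nat -F %s\n' "$IPTABLES" "$CHAIN"
    printf '%s -t nat -X %s\n' "$IPTABLES" "$CHAIN"
}

# Usage (as root): sh netoff.sh enable | sh      sh netoff.sh disable | sh
case "${1:-}" in
    enable)  netoff_enable ;;
    disable) netoff_disable ;;
esac
```

Because the DNAT happens on the workstation itself, conntrack un-NATs the daemon's replies and the browser sees them as coming from the server it asked for, so Martijn's return-path condition is met without any change on the NAT box. Port 443 is redirected too, but the daemon speaks plain HTTP, so browsers show a certificate or protocol error instead of the message page, as Martijn noted. If the daemon ran on the workstation itself, `-j REDIRECT --to-ports 55580` in the same chain would replace the DNAT rule.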



