Linux Advanced Routing and Traffic Control list
From: "David Talbot" <dtalbot@reallinx.com>
To: lartc@vger.kernel.org
Subject: [LARTC] Redirecting wayward traffic
Date: Tue, 05 Jun 2001 13:09:41 +0000	[thread overview]
Message-ID: <marc-lartc-99174669408206@msgid-missing> (raw)

I'm working on getting my firewall machine to display a message to my users
any time they wander off of the OK'd list.

The problem is when I have the line at the bottom labeled the problem line,
it redirects all port 80 requests to the local machine without allowing the
ones on the OK'd list out. When that line is commented out the script works
perfectly. When a user types in amazon.com, they get amazon.com; when they
type in hotsheep.com their browser times out. Anyone have any ideas how I
can just redirect the traffic that falls outside the wall to go back to the
local webserver to receive a proper error message?

I know the problem lies in the use of DNAT in PREROUTING happening before
the denial items, but I couldn't find a postrouting way to do it... experts
help! :)

Basically what I've got is:

eth0 is the internet-exposed side, eth1 is the internal (10.0.0.1) (public
IPs blocked over)

iptables -F
iptables -F -t nat
iptables -X

iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -d localhost -j ACCEPT
iptables -A FORWARD -d 10.0.0.1 -j ACCEPT

#ENABLE EVERYONE ACCESS TO THE DNS SERVER
iptables -t nat -A POSTROUTING -o eth0 -d 209.XXX.XXX.XXX -j MASQUERADE
iptables -A FORWARD -d 209.XXX.XXX.XXX -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 209.XXX.XXX.XXX -j MASQUERADE
iptables -A FORWARD -s 209.XXX.XXX.XXX -j ACCEPT


#ENABLE EVERYONE ACCESS TO THE INTERNAL SIDE OF THIS MACHINE
iptables -t nat -A POSTROUTING -o eth1 -d 10.0.0.1 -j MASQUERADE
iptables -A FORWARD -d 10.0.0.1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.1 -j MASQUERADE
iptables -A FORWARD -s 10.0.0.1 -j ACCEPT


#ENABLE ACCESS TO amazon.com
iptables -t nat -A POSTROUTING -o eth0 -d amazon.com -j MASQUERADE
iptables -A FORWARD -d amazon.com -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s amazon.com -j MASQUERADE
iptables -A FORWARD -s amazon.com -j ACCEPT
#END OF ENABLE ACCESS TO amazon.com


#IF THEY STEP OUT OF THE WALL AND THEY'RE BROWSING, REDIRECT THEM TO THE LOCAL
#THAT HAS ONLY A 404 ERROR SET TO DISPLAY A PAGE THAT SAYS THEY CAN ONLY GET
#TO AMAZON

#THIS IS THE PROBLEM LINE
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
#THIS IS THE PROBLEM LINE


iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A FORWARD -j DROP


Thanks in advance!

-David Talbot


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
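One way to get the behaviour David is after, as an added example that is not part of the original post or of the replies in this thread: keep the DNAT catch-all, but put the allow-listed destinations ahead of it in the nat PREROUTING path, because nat rules are evaluated on the first packet of a connection, before FORWARD ever sees it, and ACCEPT in the nat table ends traversal without rewriting the packet. The chain name WALLED, the function walled_garden_rules, and the IPT/APPLY variables are my own choices; eth1, 10.0.0.1, amazon.com and the 209.XXX.XXX.XXX placeholder come from the post.

```shell
#!/bin/sh
# Added example, not the original poster's script. Exempt the allow list in
# the nat PREROUTING chain *before* the DNAT catch-all: nat rules run on the
# first packet of a connection, ahead of FORWARD, and ACCEPT in the nat
# table ends traversal without rewriting the packet.
IPT="${IPT:-iptables}"      # point IPT at a print function for a dry run
LAN_IF="eth1"               # assumption: LAN side, as in the post
LOCAL_IP="10.0.0.1"         # assumption: firewall LAN address, serves the notice page
# Allow list taken from the post; 209.XXX.XXX.XXX is the post's own placeholder.
# Hostnames resolve when the rules are loaded, exactly as in the original script.
ALLOWED="$LOCAL_IP 209.XXX.XXX.XXX amazon.com"

walled_garden_rules() {
    # User-defined nat chain so the allow list lives in one place.
    $IPT -t nat -N WALLED 2>/dev/null || $IPT -t nat -F WALLED
    for dst in $ALLOWED; do
        # Allowed web destinations leave the chain un-NATed ...
        $IPT -t nat -A WALLED -d "$dst" -j ACCEPT
    done
    # ... everything else on port 80 is sent to the local web server, which
    # then answers via INPUT (already ACCEPT in the post's rules).
    $IPT -t nat -A WALLED -j DNAT --to-destination "$LOCAL_IP"
    # Hook only LAN-originated TCP/80 (re-runnable: drop an old hook first).
    # The post's unqualified rule also rewrote port-80 traffic arriving on eth0.
    $IPT -t nat -D PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j WALLED 2>/dev/null || true
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j WALLED
}

# Nothing is applied unless explicitly requested:  APPLY=1 sh walled-garden.sh
if [ "${APPLY:-0}" = "1" ]; then
    walled_garden_rules
fi
```

The FORWARD rules from the post stay as they are; allow-listed connections are never rewritten, so they reach the existing FORWARD ACCEPT rules, while everything else terminates on the firewall's own web server.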

Thread overview: 9+ messages
2001-06-05 13:09 David Talbot [this message]
2001-06-05 14:55 ` [LARTC] Redirecting wayward traffic Adrian Chung
2001-06-05 15:12 ` David Talbot
2001-06-05 15:48 ` Juri Haberland
2001-06-05 16:06 ` Adrian Chung
2001-06-05 16:20 ` David Talbot
2001-06-05 16:39 ` Adrian Chung
2001-06-05 16:43 ` Juri Haberland
2001-06-05 21:18 ` David Talbot
