* Redirecting
From: Paul Caritj @ 2003-09-15 8:21 UTC
To: netfilter
Again I turn to the mailing list (it's been a busy 48 hours)...
How would any of you approach the redirecting of traffic that does not
match one of my storied 8000 filters to an arbitrary IP address?
What's this? Paul asking a question that is answerable? *Gasp* :)
Thanks a lot,
Paul
* redirecting
From: Askar Ali Khan @ 2004-07-01 11:52 UTC
To: netfilter
hi,
here I'm again with my simple question :), actually I'm learning netfilter thingy.
I want if I or someone else type www.microsoft.com on my box (linux,
netfilter) which is part of LAN instead of microsoft.com browser give
him www.linuxiso.org
I'm practicing on my box and I will apply rule on this box. My boxes
use another system running (win) as router/gateway
I do know if I want to block microsoft.com or some other sites this
rule is working for me
#iptables -A OUTPUT -d www.microsoft.com -j DROP
but I dunno how to redirect the request with iptables thingy,
Antony I hope I will hear from you fast :)
I'm learning lot of things from you :D
* Re: redirecting
From: Antony Stone @ 2004-07-01 12:05 UTC
To: netfilter
On Thursday 01 July 2004 12:52 pm, Askar Ali Khan wrote:
> hi,
> here I'm again with my simple question :), actually I'm learning netfilter
> thingy. I want if I or someone else type www.microsoft.com on my box
> (linux, netfilter) which is part of LAN instead of microsoft.com browser
> give him www.linuxiso.org
> I'm practicing on my box and I will apply rule on this box. My boxes
> use another system running (win) as router/gateway
>
> I do know if I want to block microsoft.com or some other sites this
> rule is working for me
> #iptables -A OUTPUT -d www.microsoft.com -j DROP
> but I dunno how to redirect the request with iptables thingy,
>
> Antony I hope I will hear from you fast :)
> I'm learning lot of things from you :D
I would *really* recommend that you do this sort of thing with Squid instead
of netfilter, especially since you have selected www.microsoft.com as the
address to be redirected.
Here's why:
$ dig www.microsoft.com
; <<>> DiG 9.2.3 <<>> www.microsoft.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40318
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 4, ADDITIONAL: 2
;; QUESTION SECTION:
;www.microsoft.com. IN A
;; ANSWER SECTION:
www.microsoft.com. 3600 IN CNAME www.microsoft.com.nsatc.net.
www.microsoft.com.nsatc.net. 300 IN A 207.46.156.156
www.microsoft.com.nsatc.net. 300 IN A 207.46.156.220
www.microsoft.com.nsatc.net. 300 IN A 207.46.244.188
www.microsoft.com.nsatc.net. 300 IN A 207.46.245.92
www.microsoft.com.nsatc.net. 300 IN A 207.46.245.156
www.microsoft.com.nsatc.net. 300 IN A 207.46.250.252
www.microsoft.com.nsatc.net. 300 IN A 207.46.144.188
www.microsoft.com.nsatc.net. 300 IN A 207.46.144.222
See all those different IP addresses? Those are what you would need to tell
netfilter about for it to do the redirection (and there's no guarantee
they'll be the same ones tomorrow, next week, next month....).
If you put a redirect rule into Squid, it will use www.microsoft.com instead
of an IP address, and you will get the result you want.
Also, Squid will help when you want to change things after the first / in the
URL too - netfilter cannot possibly do that for you.
Regards,
Antony.
--
The lottery is a tax for people who can't do maths.
Please reply to the list;
please don't CC me.
* Re: redirecting
From: Frank Gruellich @ 2004-07-01 12:29 UTC
To: netfilter
* Antony Stone <Antony@Soft-Solutions.co.uk> 1. Jul 04:
> On Thursday 01 July 2004 12:52 pm, Askar Ali Khan wrote:
> > hi,
Hello,
> > I want if I or someone else type www.microsoft.com on my box
> > (linux, netfilter) which is part of LAN instead of microsoft.com browser
> > give him www.linuxiso.org
> > I'm practicing on my box and I will apply rule on this box. My boxes
> > use another system running (win) as router/gateway
> >
> > I do know if I want to block microsoft.com or some other sites this
> > rule is working for me
> > #iptables -A OUTPUT -d www.microsoft.com -j DROP
> > but I dunno how to redirect the request with iptables thingy,
The rule would be
# iptables -t nat -I PREROUTING -d $IP_OF_MS -j DNAT --to-destination $IP_OF_LINUXISO
_But_...
> > Antony I hope I will hear from you fast :)
Well, he was again faster.
> I would *really* recommend that you do this sort of thing with Squid instead
> of netfilter, especially since you have selected www.microsoft.com as the
> address to be redirected.
>
> Here's why:
>
> $ dig www.microsoft.com
>
> [snip]
>
> ;; ANSWER SECTION:
> www.microsoft.com. 3600 IN CNAME www.microsoft.com.nsatc.net.
> www.microsoft.com.nsatc.net. 300 IN A 207.46.156.156
> www.microsoft.com.nsatc.net. 300 IN A 207.46.156.220
> www.microsoft.com.nsatc.net. 300 IN A 207.46.244.188
> www.microsoft.com.nsatc.net. 300 IN A 207.46.245.92
> www.microsoft.com.nsatc.net. 300 IN A 207.46.245.156
> www.microsoft.com.nsatc.net. 300 IN A 207.46.250.252
> www.microsoft.com.nsatc.net. 300 IN A 207.46.144.188
> www.microsoft.com.nsatc.net. 300 IN A 207.46.144.222
This would not be a problem, because the whole 207.46.0.0/16 belongs to
Microsoft, so IP_OF_MS="207.46.0.0/16" should work, but...
The webserver of www.linuxiso.org seems to use virtual hosts. The
HTTP-request contains the host-part of the URL. So this server tries to
find a virtual host called www.microsoft.com, fails and sends an error.
No, netfilter can't change this. I dunno if squid can.
HTH,
regards, Frank.
--
Sigmentation fault
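
Added example (not part of the original thread and not the posters' code): the two -d matching strategies discussed above, checked against the addresses in the quoted dig output. iptables resolves a hostname given to -d once, when the rule is inserted, so the sketch compares that fixed rule set with a later lookup. The LATER addresses are constructed and 192.0.2.10 is a documentation placeholder for the redirect target.

```sh
#!/bin/sh
# Answer section quoted in the thread (2004 data, copied from the page).
DIG_ANSWER='www.microsoft.com. 3600 IN CNAME www.microsoft.com.nsatc.net.
www.microsoft.com.nsatc.net. 300 IN A 207.46.156.156
www.microsoft.com.nsatc.net. 300 IN A 207.46.156.220
www.microsoft.com.nsatc.net. 300 IN A 207.46.244.188
www.microsoft.com.nsatc.net. 300 IN A 207.46.245.92
www.microsoft.com.nsatc.net. 300 IN A 207.46.245.156
www.microsoft.com.nsatc.net. 300 IN A 207.46.250.252
www.microsoft.com.nsatc.net. 300 IN A 207.46.144.188
www.microsoft.com.nsatc.net. 300 IN A 207.46.144.222'
# Constructed "later" lookup: one address kept, one new in the /16, one outside.
LATER='207.46.156.156 207.46.19.30 198.51.100.7'

# Print the address of every A record in a dig answer section.
a_records() { printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "A" { print $5 }'; }

# Dotted quad -> integer (only called via $(...), so the IFS change stays local).
ip_to_int() {
    IFS=.; set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr ADDR NET[/LEN]: succeed if ADDR falls inside the match.
in_cidr() {
    case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac
    mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "${2%/*}") & $mask )) ]
}

# uncovered "ADDRS" "MATCHES": print addresses that no -d match would catch.
uncovered() {
    for addr in $1; do
        hit=no
        for m in $2; do if in_cidr "$addr" "$m"; then hit=yes; fi; done
        [ "$hit" = yes ] || echo "$addr"
    done
}

# dnat_rules "MATCHES" TO: print (not run) one rule per match, in Frank's form.
dnat_rules() {
    for m in $1; do
        echo "iptables -t nat -I PREROUTING -d $m -j DNAT --to-destination $2"
    done
}

addrs=$(a_records "$DIG_ANSWER")
dnat_rules "$addrs" 192.0.2.10   # 192.0.2.10: documentation placeholder target
echo "per-host rules miss:" $(uncovered "$LATER" "$addrs")
echo "207.46.0.0/16 misses:" $(uncovered "$LATER" 207.46.0.0/16)
```

A prefix as wide as 207.46.0.0/16 survives address changes inside the range but also redirects every other service hosted there, and neither form changes the Host header that Frank describes.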
* Re: redirecting
From: Antony Stone @ 2004-07-01 13:08 UTC
To: netfilter
On Thursday 01 July 2004 1:29 pm, Frank Gruellich wrote:
> This would not be a problem, because the whole 207.46.0.0/16 belongs to
> Microsoft, so IP_OF_MS="207.46.0.0/16" should work, but...
Hm - good point; I hadn't thought of matching on the entire Class B subnet
just to redirect a website :)
> The webserver of www.linuxiso.org seems to use virtual hosts. The
> HTTP-request contains the host-part of the URL. So this server tries to
> find a virtual host called www.microsoft.com, fails and sends an error.
> No, netfilter can't change this. I dunno if squid can.
Squid can.
Antony.
--
Microsoft may sell more software than any other company, but McDonald's sell
more burgers than any other company, and I think the other similarities are
obvious...
Please reply to the list;
please don't CC me.
* Re: redirecting
From: Askar Ali Khan @ 2004-07-01 15:36 UTC
To: netfilter
On Thu, 1 Jul 2004 13:05:17 +0100, Antony Stone
<antony@soft-solutions.co.uk> wrote:
>
>
> On Thursday 01 July 2004 12:52 pm, Askar Ali Khan wrote:
>
> > hi,
> > here I'm again with my simple question :), actually I'm learning netfilter
> > thingy. I want if I or someone else type www.microsoft.com on my box
> > (linux, netfilter) which is part of LAN instead of microsoft.com browser
> > give him www.linuxiso.org
> > I'm practicing on my box and I will apply rule on this box. My boxes
> > use another system running (win) as router/gateway
> >
> > I do know if I want to block microsoft.com or some other sites this
> > rule is working for me
> > #iptables -A OUTPUT -d www.microsoft.com -j DROP
> > but I dunno how to redirect the request with iptables thingy,
> >
> > Antony I hope I will hear from you fast :)
> > I'm learning lot of things from you :D
>
> I would *really* recommend that you do this sort of thing with Squid instead
> of netfilter, especially since you have selected www.microsoft.com as the
> address to be redirected.
>
> Here's why:
>
> $ dig www.microsoft.com
>
> ; <<>> DiG 9.2.3 <<>> www.microsoft.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40318
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 4, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;www.microsoft.com. IN A
>
> ;; ANSWER SECTION:
> www.microsoft.com. 3600 IN CNAME www.microsoft.com.nsatc.net.
> www.microsoft.com.nsatc.net. 300 IN A 207.46.156.156
> www.microsoft.com.nsatc.net. 300 IN A 207.46.156.220
> www.microsoft.com.nsatc.net. 300 IN A 207.46.244.188
> www.microsoft.com.nsatc.net. 300 IN A 207.46.245.92
> www.microsoft.com.nsatc.net. 300 IN A 207.46.245.156
> www.microsoft.com.nsatc.net. 300 IN A 207.46.250.252
> www.microsoft.com.nsatc.net. 300 IN A 207.46.144.188
> www.microsoft.com.nsatc.net. 300 IN A 207.46.144.222
>
> See all those different IP addresses? Those are what you would need to tell
> netfilter about for it to do the redirection (and there's no guarantee
> they'll be the same ones tomorrow, next week, next month....).
>
> If you put a redirect rule into Squid, it will use www.microsoft.com instead
> of an IP address, and you will get the result you want.
>
> Also, Squid will help when you want to change things after the first / in the
Thanks Antony for your fast reply, actually I'm practicing on my own box
not on company cache server "squid"
Regards
Askar
> URL too - netfilter cannot possibly do that for you.
>
> Regards,
>
> Antony.
>
> --
> The lottery is a tax for people who can't do maths.
>
> Please reply to the list;
> please don't CC me.
>
>
* Re: redirecting
From: Antony Stone @ 2004-07-01 15:46 UTC
To: netfilter
On Thursday 01 July 2004 4:36 pm, Askar Ali Khan wrote:
> On Thu, 1 Jul 2004 13:05:17 +0100, Antony Stone
>
> > I would *really* recommend that you do this sort of thing with Squid
> > instead of netfilter, especially since you have selected www.microsoft.com
> > as the address to be redirected.
> >
> > If you put a redirect rule into Squid, it will use www.microsoft.com
> > instead of an IP address, and you will get the result you want.
> >
> > Also, Squid will help when you want to change things after the first / in
>
> Thanks Antony for your fast reply, actually I'm practicing on my own box
> not on company cache server "squid"
Doesn't matter - install Squid at home too - there's no reason why not.
If you put it on the same machine as netfilter, you can play with transparent
proxying mode as well :)
Regards,
Antony.
--
Late in 1972 President Richard Nixon announced that the rate of increase of
inflation was decreasing. This was the first time a sitting president used
a third derivative to advance his case for re-election.
- Hugo Rossi, Notices of the American Mathematical Society
Please reply to the list;
please don't CC me.
* Re: redirecting
From: Askar Ali Khan @ 2004-07-01 15:58 UTC
To: netfilter
On Thu, 1 Jul 2004 16:46:14 +0100, Antony Stone
<antony@soft-solutions.co.uk> wrote:
>
> On Thursday 01 July 2004 4:36 pm, Askar Ali Khan wrote:
>
> > On Thu, 1 Jul 2004 13:05:17 +0100, Antony Stone
> >
> > > I would *really* recommend that you do this sort of thing with Squid
> > > instead of netfilter, especially since you have selected www.microsoft.com
> > > as the address to be redirected.
> > >
> > > If you put a redirect rule into Squid, it will use www.microsoft.com
> > > instead of an IP address, and you will get the result you want.
> > >
> > > Also, Squid will help when you want to change things after the first / in
> >
> > Thanks Antony for your fast reply, actually I'm practicing on my own box
> > not on company cache server "squid"
>
> Doesn't matter - install Squid at home too - there's no reason why not.
>
> If you put it on the same machine as netfilter, you can play with transparent
> proxying mode as well :)
I will, but right now I'm learning netfilter thingy :)
>
> Regards,
>
> Antony.
>
> --
> Late in 1972 President Richard Nixon announced that the rate of increase of
> inflation was decreasing. This was the first time a sitting president used
> a third derivative to advance his case for re-election.
>
> - Hugo Rossi, Notices of the American Mathematical Society
>
>
>
> Please reply to the list;
> please don't CC me.
>
>