* REDIRECT
@ 2003-08-07 17:37 Juliano Murlick
  0 siblings, 0 replies; 17+ messages in thread
From: Juliano Murlick @ 2003-08-07 17:37 UTC (permalink / raw)
  To: netfilter

Hello All,
I wanna redirect all connections from 192.168.1.0/24 network to a 10.0.0.2
server on 80 port for a 172.65.15.11 server, also on 80 port, for that, I
did some things:
 
1 - All rules/iptables is on route 1;
2 - The route 2 don't filter any packet, just route, I can ping from a
client machine (192.168.1.25) to the both server and connect to a 80 port on
both server, and then, I don't have any problem of routing. When I read the
rules I can't connect any more on server 10.0.0.2, just direct to a server
172.16.15.11;
3 - My rules on iptables are:
 
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 10.0.0.2--dport 80 -j ACCEPT
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 172.16.15.11--dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --sport 1024:65535 -d 10.0.0.2 --dport 80 -j DNAT --to 172.16.15.11:80

 
 
                                                         (Server 1)
                                                        +----------+
      (Client)           ( Linux - Router 1)       |----| 10.0.0.2 |
 +---------------+    +-----------------------+    |    +----------+
 | 192.168.1.25  |----|192.168.1.1 / 10.0.0.1 |----|
 +---------------+    +-----------------------+    |          (Route 2)                (Server 2)
                                                   |    +----------------------+    +--------------+
                                                   |----|10.0.0.3 / 172.16.15.1|----| 172.16.15.11 |
                                                        +----------------------+    +--------------+
 
 
But it isn't working ... does anyone have any idea ???
 
Thanks in advance!
 
Att,
Juliano Murlick
 


* Re: redirect
  2007-03-08  7:01     ` redirect Georgi Alexandrov
@ 2007-03-08 11:34       ` dhottinger
  0 siblings, 0 replies; 17+ messages in thread
From: dhottinger @ 2007-03-08 11:34 UTC (permalink / raw)
  To: netfilter

Quoting Georgi Alexandrov <georgi.alexandrov@gmail.com>:

> dhottinger@harrisonburg.k12.va.us wrote:
>> Quoting Georgi Alexandrov <georgi.alexandrov@gmail.com>:
>>
>>> dhottinger@harrisonburg.k12.va.us wrote:
>>>> I currently redirect all traffic on port 80 to my proxy server with
>>>> $IPC -t nat -A PREROUTING -p tcp -i ! $IF --dport 80    -s !
>>>> 204.111.40.0/24 -d ! 204.111.40.0/24 -j DNAT --to-destination
>>>> $PROXY_IP:8080
>>>>
>>>> I would like to have any traffic destined for apple.com excluded from
>>>> this redirect.  I cant seem to get the syntax right.  Anyone got any
>>>> ideas?
>>> <snip*>
>>>
>>> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d $apples_net
>>> -j RETURN
>>>
>>> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d
>>> $another_not_to_proxy_network -j RETURN
>>>
>>> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -j DNAT --to
>>> $proxy:$port
> <snip*>
>>
>> Never mind.  Doesnt seem to be working.  Any other ideas?
>
> What's not working?
>
> --
> regards,
> Georgi Alexandrov
>
> key server - pgp.mit.edu :: key id - 0x37B4B3EE
> Key fingerprint = E429 BF93 FA67 44E9 B7D4  F89E F990 01C1 37B4 B3EE
>
>

$IPC -t nat -A PREROUTING -p tcp -i $IF --dport 80 -d 17.250.0.0 -j RETURN

Is not routing apple.com traffic away from my proxy.  Apple.com
traffic is still getting routed to proxy server.  I have the rule
placed above my dnat rule for the proxy.  Any other ideas?

thanks,
ddh
-- 
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
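
How the two exclusion rules posted in this thread differ, as an added example that is not code from the thread: a simplified Python model of first-match traversal in nat PREROUTING, in which a bare `-d 17.250.0.0` is a single /32 host while `-d 17.0.0.0/8` covers the whole block. The sample destinations are constructed, and `203.0.113.10` is a documentation address standing in for a third-party download host.

```python
import ipaddress

# Simplified model (an assumption of this example): only the -d match and the
# target of each nat PREROUTING rule are represented; the interface, protocol
# and port matches are taken as already satisfied.

def parse_dest(spec):
    """Parse an iptables -d argument; a bare address is a /32 host match."""
    return ipaddress.ip_network(spec, strict=False)

def traverse(chain, dst):
    """Return (target, index) of the first rule matching dst.

    Falls through to the built-in chain policy, ("ACCEPT", None), when no
    rule matches.
    """
    addr = ipaddress.ip_address(dst)
    for index, (dest_spec, target) in enumerate(chain):
        if dest_spec is None or addr in parse_dest(dest_spec):
            return target, index
    return "ACCEPT", None

def fate(chain, dst):
    """'direct' if the packet leaves the chain untouched, 'proxy' if DNATed."""
    target, _ = traverse(chain, dst)
    # RETURN in a built-in chain hands the packet to the chain policy.
    return "proxy" if target == "DNAT" else "direct"

# Rule lists as (destination, target); None means "no -d match given".
HOST_RULE = [("17.250.0.0", "RETURN"), (None, "DNAT")]   # bare address
NET_RULE = [("17.0.0.0/8", "RETURN"), (None, "DNAT")]    # whole block
DNAT_FIRST = [(None, "DNAT"), ("17.0.0.0/8", "RETURN")]  # exclusion too late

# Constructed sample destinations, not taken from the thread.
SAMPLES = {
    "address inside 17.0.0.0/8": "17.250.248.95",
    "the exact address 17.250.0.0": "17.250.0.0",
    "third-party download host": "203.0.113.10",
}

def report(chain):
    """Map each sample label to 'direct' or 'proxy' for the given chain."""
    return {label: fate(chain, dst) for label, dst in SAMPLES.items()}

if __name__ == "__main__":
    for name, chain in [("HOST_RULE", HOST_RULE), ("NET_RULE", NET_RULE),
                        ("DNAT_FIRST", DNAT_FIRST)]:
        print(name, report(chain))
```

The third sample stays on the proxy path under every rule list: a download that is redirected to a host outside the excluded range needs its own RETURN rule.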




* Re: redirect
  2007-03-07 16:50   ` redirect dhottinger
@ 2007-03-08  7:01     ` Georgi Alexandrov
  2007-03-08 11:34       ` redirect dhottinger
  0 siblings, 1 reply; 17+ messages in thread
From: Georgi Alexandrov @ 2007-03-08  7:01 UTC (permalink / raw)
  To: dhottinger; +Cc: netfilter

dhottinger@harrisonburg.k12.va.us wrote:
> Quoting Georgi Alexandrov <georgi.alexandrov@gmail.com>:
> 
>> dhottinger@harrisonburg.k12.va.us wrote:
>>> I currently redirect all traffic on port 80 to my proxy server with
>>> $IPC -t nat -A PREROUTING -p tcp -i ! $IF --dport 80    -s !
>>> 204.111.40.0/24 -d ! 204.111.40.0/24 -j DNAT --to-destination
>>> $PROXY_IP:8080
>>>
>>> I would like to have any traffic destined for apple.com excluded from
>>> this redirect.  I cant seem to get the syntax right.  Anyone got any
>>> ideas?
>> <snip*>
>>
>> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d $apples_net
>> -j RETURN
>>
>> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d
>> $another_not_to_proxy_network -j RETURN
>>
>> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -j DNAT --to
>> $proxy:$port
<snip*>
> 
> Never mind.  Doesnt seem to be working.  Any other ideas?

What's not working?

-- 
regards,
Georgi Alexandrov

key server - pgp.mit.edu :: key id - 0x37B4B3EE
Key fingerprint = E429 BF93 FA67 44E9 B7D4  F89E F990 01C1 37B4 B3EE



* Re: redirect
  2007-03-07 16:14 ` redirect Georgi Alexandrov
  2007-03-07 16:43   ` redirect dhottinger
@ 2007-03-07 16:50   ` dhottinger
  2007-03-08  7:01     ` redirect Georgi Alexandrov
  1 sibling, 1 reply; 17+ messages in thread
From: dhottinger @ 2007-03-07 16:50 UTC (permalink / raw)
  To: Georgi Alexandrov; +Cc: netfilter

Quoting Georgi Alexandrov <georgi.alexandrov@gmail.com>:

> dhottinger@harrisonburg.k12.va.us wrote:
>> I currently redirect all traffic on port 80 to my proxy server with
>> $IPC -t nat -A PREROUTING -p tcp -i ! $IF --dport 80    -s !
>> 204.111.40.0/24 -d ! 204.111.40.0/24 -j DNAT --to-destination
>> $PROXY_IP:8080
>>
>> I would like to have any traffic destined for apple.com excluded from
>> this redirect.  I cant seem to get the syntax right.  Anyone got any ideas?
> <snip*>
>
> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d $apples_net
> -j RETURN
>
> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d
> $another_not_to_proxy_network -j RETURN
>
> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -j DNAT --to
> $proxy:$port
>
> --
> regards,
> Georgi Alexandrov
>
> key server - pgp.mit.edu :: key id - 0x37B4B3EE
> Key fingerprint = E429 BF93 FA67 44E9 B7D4  F89E F990 01C1 37B4 B3EE
>
>

Never mind.  Doesn't seem to be working.  Any other ideas?

ddh


-- 
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools




* Re: redirect
  2007-03-07 16:14 ` redirect Georgi Alexandrov
@ 2007-03-07 16:43   ` dhottinger
  2007-03-07 16:50   ` redirect dhottinger
  1 sibling, 0 replies; 17+ messages in thread
From: dhottinger @ 2007-03-07 16:43 UTC (permalink / raw)
  To: Georgi Alexandrov; +Cc: netfilter

Quoting Georgi Alexandrov <georgi.alexandrov@gmail.com>:

> dhottinger@harrisonburg.k12.va.us wrote:
>> I currently redirect all traffic on port 80 to my proxy server with
>> $IPC -t nat -A PREROUTING -p tcp -i ! $IF --dport 80    -s !
>> 204.111.40.0/24 -d ! 204.111.40.0/24 -j DNAT --to-destination
>> $PROXY_IP:8080
>>
>> I would like to have any traffic destined for apple.com excluded from
>> this redirect.  I cant seem to get the syntax right.  Anyone got any ideas?
> <snip*>
>
> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d $apples_net
> -j RETURN
>
> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d
> $another_not_to_proxy_network -j RETURN
>
> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -j DNAT --to
> $proxy:$port
>
> --
> regards,
> Georgi Alexandrov
>
> key server - pgp.mit.edu :: key id - 0x37B4B3EE
> Key fingerprint = E429 BF93 FA67 44E9 B7D4  F89E F990 01C1 37B4 B3EE
>
>

That seems to work.  I did:
$IPC -t nat -A PREROUTING -p tcp -i $IF --dport 80 -d 17.0.0.0/8 -j RETURN

Don't see the connections in my access.log on my proxy now.


-- 
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools




* Re: redirect
  2007-03-06 14:42 redirect dhottinger
@ 2007-03-07 16:14 ` Georgi Alexandrov
  2007-03-07 16:43   ` redirect dhottinger
  2007-03-07 16:50   ` redirect dhottinger
  0 siblings, 2 replies; 17+ messages in thread
From: Georgi Alexandrov @ 2007-03-07 16:14 UTC (permalink / raw)
  To: dhottinger; +Cc: netfilter

dhottinger@harrisonburg.k12.va.us wrote:
> I currently redirect all traffic on port 80 to my proxy server with
> $IPC -t nat -A PREROUTING -p tcp -i ! $IF --dport 80    -s !
> 204.111.40.0/24 -d ! 204.111.40.0/24 -j DNAT --to-destination
> $PROXY_IP:8080
> 
> I would like to have any traffic destined for apple.com excluded from
> this redirect.  I cant seem to get the syntax right.  Anyone got any ideas?
<snip*>

iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d $apples_net -j RETURN

iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d $another_not_to_proxy_network -j RETURN

iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -j DNAT --to $proxy:$port

-- 
regards,
Georgi Alexandrov

key server - pgp.mit.edu :: key id - 0x37B4B3EE
Key fingerprint = E429 BF93 FA67 44E9 B7D4  F89E F990 01C1 37B4 B3EE



* redirect
@ 2007-03-06 14:42 dhottinger
  2007-03-07 16:14 ` redirect Georgi Alexandrov
  0 siblings, 1 reply; 17+ messages in thread
From: dhottinger @ 2007-03-06 14:42 UTC (permalink / raw)
  To: netfilter

I currently redirect all traffic on port 80 to my proxy server with
$IPC -t nat -A PREROUTING -p tcp -i ! $IF --dport 80 -s ! 204.111.40.0/24 -d ! 204.111.40.0/24 -j DNAT --to-destination $PROXY_IP:8080

I would like to have any traffic destined for apple.com excluded from
this redirect.  I can't seem to get the syntax right.  Anyone got any
ideas?

thanks,

ddh

-- 
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools




* Re: redirect
  2007-03-02 12:41 redirect dhottinger
@ 2007-03-02 12:51 ` TheGesus
  0 siblings, 0 replies; 17+ messages in thread
From: TheGesus @ 2007-03-02 12:51 UTC (permalink / raw)
  To: dhottinger; +Cc: netfilter

See below... apparently it's listening on port 95...

Not Found
The requested URL / was not found on this server.

--------------------------------------------------------------------------------

Apache/1.3.33 Server at swscan.apple.com Port 95

On 3/2/07, dhottinger@harrisonburg.k12.va.us
<dhottinger@harrisonburg.k12.va.us> wrote:
> I posted a question yesterday and I dont think I worded it very well.
> Im having problems with software updates on Apple computers.  I think
> it is an issue with my squid proxy server.  So I would like to make a
> rule set that says redirect all port 80 traffic except traffic going
> to apple.com's software update servers.  When connecting to apple
> software updates you connect to swscan.apple.com which downloads an
> xml file, then get redirected to an akamaitechnologies.com server for
> the downloads.  Im not quite certain yet why things are failing with
> my squid proxy server in the loop, but going around it lets the
> software updates work.  So, if any of the iptables gurus have a
> formula for this I would be very happy to try.
>
> thanks,
>
> ddh
>
>
> --
> Dwayne Hottinger
> Network Administrator
> Harrisonburg City Public Schools
>
>
>



* redirect
@ 2007-03-02 12:41 dhottinger
  2007-03-02 12:51 ` redirect TheGesus
  0 siblings, 1 reply; 17+ messages in thread
From: dhottinger @ 2007-03-02 12:41 UTC (permalink / raw)
  To: netfilter

I posted a question yesterday and I don't think I worded it very well.
I'm having problems with software updates on Apple computers.  I think
it is an issue with my squid proxy server.  So I would like to make a
rule set that says redirect all port 80 traffic except traffic going
to apple.com's software update servers.  When connecting to apple
software updates you connect to swscan.apple.com which downloads an
xml file, then get redirected to an akamaitechnologies.com server for
the downloads.  I'm not quite certain yet why things are failing with
my squid proxy server in the loop, but going around it lets the
software updates work.  So, if any of the iptables gurus have a
formula for this I would be very happy to try.

thanks,

ddh


-- 
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools




* redirect
@ 2005-05-13 14:28 ngabor
  0 siblings, 0 replies; 17+ messages in thread
From: ngabor @ 2005-05-13 14:28 UTC (permalink / raw)
  To: netfilter

Hi.

Main firewall PREROUTING Chain:
ACCEPT     all  --  192.168.10.x0       0.0.0.0/0
ACCEPT     all  --  192.168.10.x1       0.0.0.0/0
...
DNAT       tcp  --  0.0.0.0/0            x.y.z.v       multiport dports 80,22,8180 to:192.168.30.y
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 80

192.168.10.x0, 192.168.10.x1 internet enabled,
other internal ip 192.168.10._ redirect main server 80 port.
server x.y.z.v DNAT DMZ,
if 192.168.10.x0, 192.168.10.x1 send http: to x.y.z.v pub.ip-address,
then send my REDIRECTED SERVER.
WHILE?

by gab






* Re: REDIRECT
  2004-12-13 13:36 REDIRECT r00t
  2004-12-13 14:11 ` REDIRECT Meg
@ 2004-12-13 15:59 ` Henrik Nordstrom
  1 sibling, 0 replies; 17+ messages in thread
From: Henrik Nordstrom @ 2004-12-13 15:59 UTC (permalink / raw)
  To: r00t; +Cc: netfilter-devel

On Mon, 13 Dec 2004, r00t wrote:

> Ok, but if i use this:
>
> -A PREROUTING -p tcp -j QUEUE
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

You can't. QUEUE terminates the PREROUTING hook.

You need to queue before nat PREROUTING if you want to apply NAT rules on 
packets after QUEUE reinjects them to the kernel, i.e. from mangle or raw 
tables.

Regards
Henrik
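
The ordering Henrik describes, as an added example that is not code from the thread: a simplified Python model of the PREROUTING hook in which tables run in priority order (raw, mangle, nat) and a QUEUE verdict of NF_ACCEPT resumes at the next table. It assumes the two posted rules were both in the nat table; the rule and packet dictionaries are constructed for the illustration.

```python
# Simplified model (an assumption of this example): at the PREROUTING hook
# the tables run in priority order, and the first matching rule with a
# terminating target ends the traversal of that table.
PREROUTING_ORDER = ["raw", "mangle", "nat"]  # priorities -300, -150, -100

def matches(rule, pkt):
    """A rule matches when every field it names equals the packet's field."""
    return all(pkt.get(key) == value for key, value in rule["match"].items())

def prerouting(ruleset, pkt, userspace_verdict="NF_ACCEPT"):
    """Walk PREROUTING and return (final dport or None if dropped, trace)."""
    pkt = dict(pkt)
    trace = []
    for table in PREROUTING_ORDER:
        for rule in ruleset.get(table, []):
            if not matches(rule, pkt):
                continue
            trace.append((table, rule["target"]))
            if rule["target"] == "QUEUE":
                if userspace_verdict != "NF_ACCEPT":
                    return None, trace      # userspace dropped the packet
                break                       # reinjected after this table
            if rule["target"] == "REDIRECT":
                pkt["dport"] = rule["to_port"]
                break                       # NAT decision made
    return pkt["dport"], trace

QUEUE_TCP = {"match": {"proto": "tcp"}, "target": "QUEUE"}
REDIRECT_80 = {
    "match": {"in": "eth1", "proto": "tcp", "dport": 80},
    "target": "REDIRECT",
    "to_port": 3128,
}

# Both rules in the nat table, in the order posted (assumed placement).
AS_POSTED = {"nat": [QUEUE_TCP, REDIRECT_80]}
# QUEUE moved to mangle, which runs before nat at this hook.
QUEUE_IN_MANGLE = {"mangle": [QUEUE_TCP], "nat": [REDIRECT_80]}

# Constructed packet: TCP to port 80 arriving on eth1.
PACKET = {"in": "eth1", "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    print("as posted      :", prerouting(AS_POSTED, PACKET))
    print("queue in mangle:", prerouting(QUEUE_IN_MANGLE, PACKET))
```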


* Re: REDIRECT
  2004-12-13 13:36 REDIRECT r00t
@ 2004-12-13 14:11 ` Meg
  2004-12-13 15:59 ` REDIRECT Henrik Nordstrom
  1 sibling, 0 replies; 17+ messages in thread
From: Meg @ 2004-12-13 14:11 UTC (permalink / raw)
  To: netfilter-devel

Hi, r00t.



>>> How to i make by libipq  this rule:
>>> -j REDIRECT --to-ports 3128 ?

>>You don't.
>>REDIRECT or other NAT related operations must be done in the kernel.

> Ok, but if i use this:

> -A PREROUTING -p tcp -j QUEUE
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

> And in the program:

> ipq_set_verdict(h, m->packet_id,NF_ACCEPT, 0, NULL);

> the packet not going to second rule(REDIRECT)

-A FORWARD -p tcp -j QUEUE
or
-t nat -p tcp -j QUEUE

this right by iptables, but not work



-- 
Best regards,
 Meg                          mailto:root@server.titansoft.ru


* REDIRECT
@ 2004-12-13 13:36 r00t
  2004-12-13 14:11 ` REDIRECT Meg
  2004-12-13 15:59 ` REDIRECT Henrik Nordstrom
  0 siblings, 2 replies; 17+ messages in thread
From: r00t @ 2004-12-13 13:36 UTC (permalink / raw)
  To: netfilter-devel

Hi all,
>> How to i make by libipq  this rule:
>> -j REDIRECT --to-ports 3128 ?

>You don't.
>REDIRECT or other NAT related operations must be done in the kernel.

Ok, but if i use this:

-A PREROUTING -p tcp -j QUEUE
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

And in the program:

ipq_set_verdict(h, m->packet_id,NF_ACCEPT, 0, NULL);

the packet not going to second rule(REDIRECT)

Sorry to my english
Best regards, Meg


* Re: REDIRECT
  2004-12-13  8:05 REDIRECT r00t
@ 2004-12-13 10:23 ` Henrik Nordstrom
  0 siblings, 0 replies; 17+ messages in thread
From: Henrik Nordstrom @ 2004-12-13 10:23 UTC (permalink / raw)
  To: r00t; +Cc: netfilter-devel

On Mon, 13 Dec 2004, r00t wrote:

> How to i make by libipq  this rule:
>
> -j REDIRECT --to-ports 3128 ?

You don't.

REDIRECT or other NAT related operations must be done in the kernel.

Regards
Henrik


* REDIRECT
@ 2004-12-13  8:05 r00t
  2004-12-13 10:23 ` REDIRECT Henrik Nordstrom
  0 siblings, 1 reply; 17+ messages in thread
From: r00t @ 2004-12-13  8:05 UTC (permalink / raw)
  To: netfilter-devel

Hi all,

How to i make by libipq  this rule:

-j REDIRECT --to-ports 3128 ?

-- 
With regards,
 Meg


* RE: REDIRECT
@ 2003-08-07 21:53 George Vieira
  0 siblings, 0 replies; 17+ messages in thread
From: George Vieira @ 2003-08-07 21:53 UTC (permalink / raw)
  To: jmurlick, netfilter

Please don't use the word "it" as "it" doesn't define the problem.
 
You have 3 networks (192.168.1.0/24,10.0.0.X,172.16.15.X), have all the default gateways been defined?
Have you done a tcpdump and logged packets to determine where it's getting stuck?
 
Your problem is most likely that Server1 either doesn't have routes for those networks (since you're not using MASQUERADE) or you have DROP rules which aren't shown on this email.
Are all the default policies ACCEPT or DROP or what?

Thanks,

 
____________________________________________
George Vieira
Systems Manager
georgev AT citadelcomputer DOT com DOT au
Citadel Computer Systems Pty Ltd
Phone : +61 2 9955 2644 HelpDesk: +61 2 9955 2698
http://www.citadelcomputer.com.au
 
 
-----Original Message-----
From: Juliano Murlick [mailto:jmurlick@sicredi.com.br]
Sent: Friday, August 08, 2003 3:38 AM
To: netfilter@lists.netfilter.org
Subject: REDIRECT
Importance: High


Hello All,
I wanna redirect all connections from 192.168.1.0/24 network to a 10.0.0.2 server on 80 port for a 172.65.15.11 server, also on 80 port, for that, I did some things:
 
1 - All rules/iptables is on route 1;
2 - The route 2 don't filter any packet, just route, I can ping from a client machine (192.168.1.25) to the both server and connect to a 80 port on both server, and then, I don't have any problem of routing. When I read the rules I can't connect any more on server 10.0.0.2, just direct to a server 172.16.15.11;
3 - My rules on iptables are:
 
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 10.0.0.2--dport 80 -j ACCEPT
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 172.16.15.11--dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --sport 1024:65535 -d 10.0.0.2 --dport 80 -j DNAT --to 172.16.15.11:80

 
 
                                                         (Server 1)
                                                        +----------+
      (Client)           ( Linux - Router 1)       |----| 10.0.0.2 |
 +---------------+    +-----------------------+    |    +----------+
 | 192.168.1.25  |----|192.168.1.1 / 10.0.0.1 |----|                     
 +---------------+    +-----------------------+    |          (Route 2)                (Server 2)
                                                   |    +----------------------+    +--------------+
                                                   |----|10.0.0.3 / 172.16.15.1|----| 172.16.15.11 |
                                                        +----------------------+    +--------------+
 
 
But it isn't working ... does anyone have any idea ???
 
Thanks in advance!
 
Att,
Juliano Murlick
 


* REDIRECT
@ 2003-08-07 19:22 Juliano Murlick
  0 siblings, 0 replies; 17+ messages in thread
From: Juliano Murlick @ 2003-08-07 19:22 UTC (permalink / raw)
  To: netfilter

Hello All,
I wanna redirect all connections from 192.168.1.0/24 network to a 10.0.0.2
server on 80 port for a 172.65.15.11 server, also on 80 port, for that, I
did some things:
 
1 - All rules/iptables is on route 1;
2 - The route 2 don't filter any packet, just route, I can ping from a
client machine (192.168.1.25) to the both server and connect to a 80 port on
both server, and then, I don't have any problem of routing. When I read the
rules I can't connect any more on server 10.0.0.2, just direct to a server
172.16.15.11;
3 - My rules on iptables are:
 
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 10.0.0.2--dport 80 -j ACCEPT
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 172.16.15.11--dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --sport 1024:65535 -d 10.0.0.2 --dport 80 -j DNAT --to 172.16.15.11:80

 
 
                                                         (Server 1)
                                                        +----------+
      (Client)           ( Linux - Router 1)       |----| 10.0.0.2 |
 +---------------+    +-----------------------+    |    +----------+
 | 192.168.1.25  |----|192.168.1.1 / 10.0.0.1 |----|
 +---------------+    +-----------------------+    |          (Route 2)                (Server 2)
                                                   |    +----------------------+    +--------------+
                                                   |----|10.0.0.3 / 172.16.15.1|----| 172.16.15.11 |
                                                        +----------------------+    +--------------+
 
 
But it isn't working ... does anyone have any idea ???
 
Thanks in advance!
 
Att,
Juliano Murlick
 
