LinuxQuestions.org


Santoshkb 09-17-2007 01:28 AM

Doubt in iptables redirecting HTTP traffic?
 
Hi,
In my project I need to redirect all requests from the browser to HTTP port 8080 (I have a test page).

I did:
iptables -t nat -A PREROUTING -m mac --mac-source 00:78:21:56:09:67 --dport 80 -j REDIRECT --to-port 8080

Yes, this works fine if I access gatekeeper, i.e. 192.168.0.215 -> will be redirected to port 8080 on 192.168.0.215, fine.

But the requirement says that if we want to access e.g. www.google.com from the browser, it should also redirect to port 8080.


Wondering whether I need to handle any iptables -t filter tables, though it's new for me!
Awaiting your technical expertise!

Thanks in advance

win32sux 09-17-2007 02:14 AM

Do you have the client configured to use 192.168.0.215 as its default gateway?

Are you able to ping google.com from the client?

Santoshkb 09-17-2007 04:05 AM

Quote:

Originally Posted by win32sux (Post 2894303)
Do you have the client configured to use 192.168.0.215 as its default gateway?

Are you able to ping google.com from the client?

Yes, the DHCP server runs on 0.215, and clients' IPs are assigned with default g/w as 0.215; in my case the client is 0.224.
The client can't ping google.com in my test scenario.
The requirement is that any access through the browser has to be redirected to gatekeeper port 8080.

win32sux 09-17-2007 05:34 AM

Well, with the info you've posted so far, I can't see any obvious reason why it wouldn't work. What happens when you try to access google.com with the browser? Do you get some sort of error?

EDIT: I just checked the iptables manual and it says that you should specify "-p TCP" in your rule. I'd also take it a step further and specify the incoming interface.
Code:

  REDIRECT
      This  target is only valid in the nat table, in the PREROUTING and OUTPUT
      chains, and user-defined chains which are only  called  from  those
      chains.  It redirects the packet to the machine itself by changing the
      destination IP  to  the  primary  address  of  the  incoming  interface
      (locally-generated  packets  are  mapped to the 127.0.0.1 address).  It
      takes one option:

      --to-ports port[-port]
              This specifies a destination port or  range  of  ports  to  use:
              without  this,  the  destination port is never altered.  This is
              only valid if the rule also specifies -p tcp or -p udp.


rossonieri#1 09-17-2007 08:04 AM

Quote:

Originally Posted by Santoshkb (Post 2894376)
Yes, the DHCP server runs on 0.215, and clients' IPs are assigned with default g/w as 0.215; in my case the client is 0.224.
The client can't ping google.com in my test scenario.
The requirement is that any access through the browser has to be redirected to gatekeeper port 8080.

Hi,

Have you done NAT?
Do you have any DROP statement in the FW regarding ping?
ip_forwarding checked?

Please check your redirection statement again:

Why don't you use a simple one for testing purposes:

iptables -t nat -I PREROUTING -i $LANIF -p tcp --dport <port> -j REDIRECT --to <dest:port>

HTH.

Santoshkb 09-17-2007 09:55 AM

Quote:

Originally Posted by rossonieri#1 (Post 2894521)
Hi,

Have you done NAT?
Do you have any DROP statement in the FW regarding ping?
ip_forwarding checked?

Please check your redirection statement again:

Why don't you use a simple one for testing purposes:

iptables -t nat -I PREROUTING -i $LANIF -p tcp --dport <port> -j REDIRECT --to <dest:port>

HTH.

Thank you for the suggestions, but still unchanged.

Yes, -p tcp had been specified; iptables -t nat -L contains only the rule I have mentioned.

Redirection is to be done based on the MAC ID of the client.

Current situation:
when I browse e.g. test.com from 192.168.0.224 (client),
an error box pops up: "internet explorer cant open this page"


Requirement: the configuration should be done on the gatekeeper server,
and cannot be done on the client.

win32sux 09-17-2007 10:12 AM

What is "gatekeeper"? Do you have a link?

Whatever it is, it will need to be able to handle the redirected packets in a fashion similar to a transparent/intercepting proxy. If the daemon you have listening on port 8080 doesn't know how to handle these redirected packets, it won't work right. My guess is that the redirection is working fine, but whatever is listening on 8080 isn't set up right. This would explain why it works OK if you try to connect *directly* to the gateway/firewall.

EDIT: Also, what DNS servers is the client configured to use? One on the gateway/firewall box? Or one on the other side (provided by your ISP, for example)? I'm trying to determine whether your Internet Explorer is having DNS lookup problems.
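
An added example, not part of any post in this thread: a minimal listener of the kind the reply above describes, one that accepts REDIRECTed port-80 requests whose Host header names some other site and sends the browser to the gateway's page. The address 192.168.0.215:8080 is taken from the thread; the handler, function names and page body are assumptions made for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumption: the portal is reached at the gateway IP and port from the thread.
PORTAL_HOST = "192.168.0.215:8080"
PAGE = b"<html><body>Gatekeeper test page</body></html>"  # constructed page

class InterceptHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "")
        if host != PORTAL_HOST:
            # Intercepted request: the client believes it reached `host`.
            # Answer anyway and point the browser at the portal by address.
            self.send_response(302)
            self.send_header("Location", f"http://{PORTAL_HOST}/")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet

def start_listener(bind=("127.0.0.1", 0)):
    # Port 0 picks a free port for the demo; the gateway would bind 8080.
    server = ThreadingHTTPServer(bind, InterceptHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch(port, host_header):
    # Simulates what arrives after REDIRECT: original Host, local socket.
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)
    conn.putheader("Host", host_header)
    conn.endheaders()
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"), resp.read())
    conn.close()
    return result

if __name__ == "__main__":
    srv = start_listener()
    port = srv.server_address[1]
    print(fetch(port, "www.google.com"))  # intercepted request
    print(fetch(port, PORTAL_HOST))       # direct request to the portal
    srv.shutdown()
```

The browser only sends the request if the client can first resolve the site's name, so a client without working DNS fails before the REDIRECT rule is ever hit. The rule in this thread matches destination port 80 only, so HTTPS requests never reach this listener.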

rossonieri#1 09-17-2007 01:28 PM

Quote:

Originally Posted by Santoshkb (Post 2894376)
Yes, the DHCP server runs on 0.215, and clients' IPs are assigned with default g/w as 0.215; in my case the client is 0.224.
The client can't ping google.com in my test scenario.
The requirement is that any access through the browser has to be redirected to gatekeeper port 8080.

Mmm... have you specified which DNS server to use?
Is all proxy software (such as squid etc.) set up yet?

