dout in iptable redirecting http traffic?

Santoshkb · 09-17-2007, 01:28 AM

Hi,
in my project i need to redirect all requets from browser to http port 8080(i have test page)

i did,
iptables -t nat -A PREROUTING -m mac --mac-source 00:78:21:56:09:67 --dport 80 -j REDIRECT --to-port 8080

yes this wrks fine if i acess gatekeeper. ie 192.168.0.215 -> will be redirested to port 8080 on 192.168.0.215 , fine

but requrement say if we wanna acess ex.www.google.com from browser should also redirect to port 8080

wondering wheather i need to handle any iptable -t filter tables , though its new for me!
awaiting ur technicall expertise!

thanks in advance

win32sux · 09-17-2007, 02:14 AM

Do you have the client configured to use 192.168.0.215 as its default gateway?

Are you able to ping google.com from the client?

Santoshkb · 09-17-2007, 04:05 AM

Quote:

Originally Posted by win32sux

Do you have the client configured to use 192.168.0.215 as its default gateway?

Are you able to ping google.com from the client?

yes dhcp server runs in 0.215 , and clients ip are sassigned with default g/w as 0.215 in my case client is 0.224
client cant ping to google.com in my test scenario,
requirement is any acess thru browser has to be redirected to gatekeeper port 8080

win32sux · 09-17-2007, 05:34 AM

Well, with the info you've posted so far, I can't see any obvious reason why it wouldn't work. What happens when you try to access google.com with the browser? Do you get some sort of error?

EDIT: I just checked the iptables manual and it says that you should specify "-p TCP" in your rule. I'd also take it a step further and specify the incoming interface.

Code:

   REDIRECT
       This  target is only valid in the nat table, in the PREROUTING and OUT‐
       PUT chains, and user-defined chains which are only  called  from  those
       chains.   It redirects the packet to the machine itself by changing the
       destination IP  to  the  primary  address  of  the  incoming  interface
       (locally-generated  packets  are  mapped to the 127.0.0.1 address).  It
       takes one option:

       --to-ports port[-port]
              This specifies a destination port or  range  of  ports  to  use:
              without  this,  the  destination port is never altered.  This is
              only valid if the rule also specifies -p tcp or -p udp.

rossonieri#1 · 09-17-2007, 08:04 AM

Quote:

Originally Posted by Santoshkb

yes dhcp server runs in 0.215 , and clients ip are sassigned with default g/w as 0.215 in my case client is 0.224
client cant ping to google.com in my test scenario,
requirement is any acess thru browser has to be redirected to gatekeeper port 8080

hi,

have you done NAT?
do you have any DROP statement in the FW regarding ping?
ip_forwarding checked?

pls check again your redirection statement :

why dont you use a simple one for testing purpose

iptables -t nat -I PREROUTING -i $LANIF -p tcp --dport <port> -j REDIRECT --to <dest

ort>

HTH.

Santoshkb · 09-17-2007, 09:55 AM

Quote:

Originally Posted by rossonieri#1

hi,

have you done NAT?
do you have any DROP statement in the FW regarding ping?
ip_forwarding checked?

pls check again your redirection statement :

why dont you use a simple one for testing purpose

iptables -t nat -I PREROUTING -i $LANIF -p tcp --dport <port> -j REDIRECT --to <dest

ort>

HTH.

thanku for sugestions.. but still unchanged.

yes -p tcp had specified, iptable -t nat -L contains only the rule i have mentioned.

redirection is to be done based on mac id of client.

current situation,
when i browse ex. test.com from 192.168.0.224(client)
pop ups error box "internet explorer cant open this page"

requirement ,the configuration should to be done in gatekeeper server,
and cannot be done in client.

win32sux · 09-17-2007, 10:12 AM

What is "gatekeeper"? Do you have a link?

Whatever it is, it will need to be able to handle the redirected packets in a fashion similar to a transparent/intercepting proxy. If the daemon you have listening on port 8080 doesn't know how to handle these redirected packets, it won't work right. My guess is that the redirection is working fine, but whatever is listening on 8080 isn't set up right. This would explain why it works OK if you try to connect *directly* to the gateway/firewall.

EDIT: Also, what DNS servers is the client configured to use? One on the gateway/firewall box? Or one on the other side (provided by your ISP, for example)? I'm trying to determine whether your Internet Explorer is having DNS lookup problems.

rossonieri#1 · 09-17-2007, 01:28 PM

Quote:

Originally Posted by Santoshkb

yes dhcp server runs in 0.215 , and clients ip are sassigned with default g/w as 0.215 in my case client is 0.224
client cant ping to google.com in my test scenario,
requirement is any acess thru browser has to be redirected to gatekeeper port 8080

mmm.. have you specify which DNS server to use?
all proxy software (such as squid etc) set yet?