Iptables to change the destination IP address of facebook to google.com
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Iptables to change the destination IP address of facebook to google.com
I am trying to do the post-routing, where I will change the destination IP. I did the following to get the IP address of the
facebook
# host www.facebook.com www.facebook.com is an alias for star.c10r.facebook.com.
star.c10r.facebook.com has address 31.13.79.65
star.c10r.facebook.com has IPv6 address 2a03:2880:f002:201:face:b00c:0:1
Now, I want whenever the user in my pc tries to access www.facebook.com, the google.com should be connected instead.
Here, I am trying to the destination NAtting. However, I don't see the results. I can open facebook as well as google.
I am trying to do the post-routing, where I will change the destination IP.
You mean pre-routing NAT.
Quote:
Originally Posted by shreyasjoshi15@gmail.com
I did the following to get the IP address of the
facebook
# host www.facebook.com www.facebook.com is an alias for star.c10r.facebook.com.
star.c10r.facebook.com has address 31.13.79.65
star.c10r.facebook.com has IPv6 address 2a03:2880:f002:201:face:b00c:0:1
That is only one of several addresses "www.facebook.com" will resolve to. Most web sites that see heavy traffic use DNS round-robin balancing, often combined with region-specific DNS resolution (the hostname will resolve to a different IP address depending on the client IP).
Quote:
Originally Posted by shreyasjoshi15@gmail.com
Now, I want whenever the user in my pc tries to access www.facebook.com, the google.com should be connected instead.
Here, I am trying to the destination NAtting. However, I don't see the results. I can open facebook as well as google.
Please correct me here, what is the problem with my rule?
Besides the fact that you've only NATed one address out of many used by Facebook, you can't really redirect web requests like that.
Even if you manage to successfully NAT all the addresses involved, the client web browser will still send the following request to the web server:
Code:
GET / HTTP 1.1
host: www.facebook.com
[ other headers may follow ]
Many web servers will return an error message if you ask for a domain the server isn't configured to serve, or it may serve a page from the "default virtual host", which may be an entirely different site than the one you wished to redirect the clients to.
It seems Google's web server will respond to requests for non-hosted sites with a "302" redirect to "http://www.google.com/". This is by no means typical behaviour for a web server, but it means that in this particular case an IP redirect should in fact work.
If you want to reliably redirect web traffic in general, you'll have to use a proxy server.
Then, what is the usage of Pre-routing DNAT? I am trying to make a practical example on Pre-routing DNAT. I thought this example will server, but as you told it will not work here. I actually made a firewall for one of the adult website, whenever a user tries to acess it , it gets rejected. I used dport, sport. Can't I combine dport, sport for http, and https with the pre-routing DNAT? I tried something like that, but it fails.
also, I added sport for the rules. It didn't work. I understand your DNS concern, but I am changing the destination IP. This is done pre-routing. So, before the packet leaves my pc, the destination ip is changed to some other ip. How, the DNS resolution into the picture here.
Last edited by shreyasjoshi15@gmail.com; 03-30-2014 at 07:42 AM.
I didn't say destination NAT doesn't work. It most certainly does.
What I did say, was:
Redirecting a single IP address may not be sufficient to handle all traffic to a given hostname, as a hostname can resolve to multiple IP adresses.
For HTTP and HTTPS, a reference to the hostname is included in the application-layer traffic (which is why virtual hosting works in the first place), so simply redirecting that traffic to a different server may yield unpredictable results, including error messages.
Using iptables to do that might not be the best approach. The /etc/hosts file could be used to do local DNS and assign googles IP address to facebook. But if google and facebook are hosted at the same IP address, you'd still get facebook. You could swap the destination ip address, but facebook has many ip addresses, which would take many rules and need maintenance to stay current. You can setup a webpage with rules to redirect to google, via html content or .htaccess on the webserver. Or a variety of other methods and products designed for this type of thing.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
