LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 01-13-2009, 03:13 AM   #1
sholah
Member
 
Registered: Dec 2006
Posts: 34

Rep: Reputation: 15
Linux bridge + netfilter


Hi all,

I have successfully configured a linux bridge that can filter IP traffic to the internal webserver.

The iptables rule looks like this:

# -t selects the nat table; 80:443 is a port RANGE (every port from 80 through 443)
iptables -t nat -A PREROUTING -p tcp --dport 80:443 -s 192.168.1.1 -j REDIRECT

What this does is to redirect users based on their IP to the INDEX page of the internal web server of the linux box and it is working perfectly.

So my question is: Does anyone know the iptables rule that will permit the redirection of IP traffic to other web pages on the web server (apart from the index page) of the linux box. If yes, kindly assist me with it.

Thanks
 
Old 01-13-2009, 03:38 AM   #2
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
Quote:
Originally Posted by sholah View Post
Does anyone know the iptables rule that will permit the redirection of IP traffic to other web pages on the web server (apart from the index page) of the linux box. If yes, kindly assist me with it.
That sounds like nonsense to me. You can't redirect *IP* traffic (which is what *ip*tables does) to a *web page*. You can redirect requests to another IP, maybe even another port, but not to a particular webpage.

What you want is a real HTTP proxy that is capable of substituting HTTP content... I would suggest squid but it's not easy to set up if you're not sure of what you're doing. If you don't want to specify a proxy setting on the client machines, you'll probably want to look at transparent proxying, which would fit nicely into your redirect rules - you literally redirect ALL HTTP traffic to the IP of your filtering machine, where squid runs and can play about with the individual URLs or HTTP headers if it wants.

I use this setup all the time - I use bridge + netfilter to put in a firewall machine, then a redirect rule to throw all HTTP from un-managed machines to a special holding page hosted by Apache on the same machine. Additionally, all HTTP traffic from managed machines is redirected through a transparent squid proxy which can do fancy stuff like rewriting the URLs, changing the content, etc.
 
Old 01-13-2009, 04:14 AM   #3
sholah
Member
 
Registered: Dec 2006
Posts: 34

Original Poster
Rep: Reputation: 15
ledow,

I guess you missed the part that says my setup is working perfectly. If you know you don't have the answer to my question, you should have kept your opinion to yourself.
 
Old 01-14-2009, 03:29 AM   #4
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
Quote:
Originally Posted by sholah View Post
ledow,

I guess you missed the part that says my setup is working perfectly. If you know you don't have the answer to my question, you should have kept your opinion to yourself.
Ignoring the absolute arrogance, no I didn't miss this. Your bridge is working properly, but you asked a question:

Quote:
Originally Posted by sholah View Post
Does anyone know the iptables rule that will permit the redirection of IP traffic to other web pages on the web server (apart from the index page) of the linux box.
which the ENTIRETY of my post refers to. You can redirect IP traffic to any IP/port that you like but you cannot redirect IP traffic to a different *web page*, they are two separate things. By web page you are implying full URL (e.g. http://localserver/directory/file.html) which you can't do without modifying the HTTP packets themselves (which operate on an entirely separate layer to the IP packets... thus IP redirection isn't the same thing AT ALL).

I can point FTP packets at port 80 on 1.1.1.1 or POP3 packets at port 0 on 192.168.10.1, it makes no difference to the actual *protocol*. The protocol that you are using here (HTTP) is not affected by iptables rules... it just ends up going to a different IP/port, NOT a different webpage (i.e. URL, which is specified *within* the HTTP packets). In order to redirect traffic to a different *webpage*, you need to do some serious layer violations (e.g. using string matching on packets), configure your HTTP server accordingly or you need to use an intermediate proxy (in your case a transparent one, most probably) such as squid - NONE of which involves iptables or bridges at all... because I saw that you already had that part set up.

I was actually trying to help you, and to help understand what you were actually asking for and to point you in the right direction. But as far as I'm concerned, you can sod right off now. That's probably why no one else bothered to post after me, either.

P.S. I do this for a living and set up machines to do exactly this thing dozens of times a year, with full HTTP redirection based on a myriad of criteria (e.g. if your MAC/IP isn't recognised, you go to one page on a HTTP server, if your MAC/IP is blocked you go to another, if your MAC/IP is allowed you get full, transparent Internet access etc., if your MAC/IP belongs to a certain room within a school, you get filtered Internet access, all through the same single machine). I was in the middle of cleaning up the scripts I use to do this to add on this post when I read your reply and then thought... bugger it.

Last edited by ledow; 01-14-2009 at 03:33 AM. Reason: Added a PS
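The arrangement ledow describes in #2 and #4 (REDIRECT at the bridge, with the web server rather than iptables choosing the page) as an added, worked example. This is my own script, not code from either poster or from the thread: the bridge name br0, the local listener ports 8081/8082, the client table format, the Debian-style Apache paths and the document roots are all my assumptions. The trick is to give each class of client its own local port with --to-ports, then let a per-port Apache vhost send every request to the one page. Two caveats that the thread does not spell out: iptables only sees bridged frames when br_netfilter is loaded and net.bridge.bridge-nf-call-iptables=1 (which is also what makes the original REDIRECT rule work), and the bridge interface must carry an IP address, because REDIRECT rewrites the destination to the primary address of the interface the packet arrived on. Note also that the original rule's --dport 80:443 is a port range (every port from 80 to 443), not the pair 80 and 443; -m multiport --dports 80,443 is how you say the latter, and redirecting 443 to a local listener only produces certificate errors anyway.

```shell
#!/bin/sh
# Added example, not code from either poster. Builds the nat ruleset and the
# matching Apache listeners for a bridging firewall that sends each class of
# client to a different local HTTP port, so the web server (not iptables)
# chooses the page. Assumed: bridge name br0, ports 8081/8082, the client
# table format, the Apache paths and the document roots are my own choices.
set -eu

BR0=${BR0:-br0}

# Constructed client table (one "class address" pair per line; the address
# may be an IPv4 address or a MAC). Classes:
#   allowed  -> passes untouched (full transparent access)
#   blocked  -> local listener on 8082 ("you are blocked" page)
#   anything not listed -> local listener on 8081 (holding page)
CLIENTS='allowed 192.168.1.10
allowed 00:11:22:33:44:55
blocked 192.168.1.20
'

# Match expression for one address: MAC match for aa:bb:cc:dd:ee:ff, -s otherwise.
match_for() {
    case "$1" in
        *:*:*:*:*:*) printf '%s' "-m mac --mac-source $1" ;;
        *)           printf '%s' "-s $1" ;;
    esac
}

# Print a nat table in iptables-restore format. Rule order is the point:
# the per-client ACCEPT/REDIRECT lines must come before the catch-all.
# Only port 80 is intercepted: REDIRECTing 443 to a local listener just
# produces certificate errors, since the browser expects the origin's cert.
gen_nat_rules() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]'
    printf '%s' "$CLIENTS" | while read -r class addr; do
        [ -n "$class" ] || continue
        m=$(match_for "$addr")
        case "$class" in
            allowed) printf '%s\n' "-A PREROUTING -i $BR0 $m -p tcp --dport 80 -j ACCEPT" ;;
            blocked) printf '%s\n' "-A PREROUTING -i $BR0 $m -p tcp --dport 80 -j REDIRECT --to-ports 8082" ;;
        esac
    done
    printf '%s\n' "-A PREROUTING -i $BR0 -p tcp --dport 80 -j REDIRECT --to-ports 8081" COMMIT
}

# Apache vhost for one listener (needs mod_rewrite): whatever URL the client
# asked for, it gets a 302 to /index.html. The 302 is relative, so the browser
# re-requests with its original Host header, that request is REDIRECTed to the
# same port again, and this time index.html from DocumentRoot is served.
gen_vhost() {  # $1 = port, $2 = DocumentRoot
    cat <<EOF
Listen $1
<VirtualHost *:$1>
    DocumentRoot $2
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/index\.html\$
    RewriteRule ^ /index.html [R=302,L]
</VirtualHost>
EOF
}

# Load everything (root only). iptables on a bridge sees bridged frames only
# when br_netfilter is loaded and bridge-nf-call-iptables is on; the bridge
# (br0) must also have an IP address, since REDIRECT rewrites the destination
# to the primary address of the incoming interface.
apply_rules() {
    modprobe br_netfilter 2>/dev/null || true     # built into the bridge module on old kernels
    sysctl -w net.bridge.bridge-nf-call-iptables=1
    gen_nat_rules | iptables-restore               # replaces the nat table atomically
    gen_vhost 8081 /var/www/holding >/etc/apache2/sites-enabled/holding.conf
    gen_vhost 8082 /var/www/blocked >/etc/apache2/sites-enabled/blocked.conf
}

# Usage: APPLY=1 sh redirect-classes.sh   (without APPLY it only prints the ruleset)
if [ "${APPLY:-0}" = 1 ]; then apply_rules; else gen_nat_rules; fi
```

Running it without APPLY prints the ruleset so you can inspect the order before loading it; iptables-restore loads the whole table in one step, so a client never sees a half-applied state where the catch-all exists but its ACCEPT line does not. Swapping the 8081 listener for a transparent squid (REDIRECT --to-ports to squid's intercept port) gives ledow's second setup without touching the bridge side.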
 
Old 01-15-2009, 01:08 AM   #5
sholah
Member
 
Registered: Dec 2006
Posts: 34

Original Poster
Rep: Reputation: 15
ledow,

I have it working already...thanks for all your help.
 