LinuxQuestions.org
Old 01-13-2010, 08:56 AM   #1
winairmvs
Member
 
Registered: Aug 2009
Posts: 42

Rep: Reputation: 16
Using Squid/Iptables to redirect inbound web traffic to url/IP


We host a web server on which we are hoping to implement some form of traffic redirection based on source IP address, and I am wondering whether the squid proxy built on iptables would be capable of managing this task? Essentially we are trying to redirect traffic from a specific set of source IP ranges to a "Your IP has been restricted" type of page at a different IP/FQDN.

Last edited by winairmvs; 01-13-2010 at 08:59 AM.
 
Old 01-13-2010, 09:50 AM   #2
sparc86
Member
 
Registered: Jul 2006
Location: Joinville, Southern Brazil
Distribution: Debian, CentOS
Posts: 296

Rep: Reputation: 31
I don't see why you could not do it with iptables. :-)

You could just take a selected range of IPs and tell iptables to redirect all the requests on port 80 to a specific local website where they will face this message: "Your IP has been restricted".

You could also have a transparent proxy on your network and restrict the traffic at squid directly.

Well, is that what you need? I hope I'm being helpful. In any case, just ask.
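
The iptables approach suggested in this reply, sketched as an added example (not code from the thread): a dry-run generator that validates a list of source ranges and prints one nat-table REDIRECT rule per range, refusing to emit anything if any entry is malformed. The function names, the local port 8080 (assumed to be a listener serving the "restricted" page) and the sample ranges are assumptions.

```shell
#!/bin/sh
# Added example: print (do not apply) rules that send HTTP from listed
# source ranges to a local "restricted" page. Pipe the output to sh as root to apply.

# valid_cidr ADDR[/LEN]: succeed only for a well-formed IPv4 address or CIDR.
valid_cidr() {
    addr=${1%/*}
    case $1 in */*) len=${1#*/} ;; *) len=32 ;; esac
    case $addr in ''|*[!0-9.]*|*.) return 1 ;; esac
    case $len in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets; addr holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# restrict_rules PORT NET...: validate every entry first, then print the rules.
# A single bad entry aborts with no output, so a typo never yields a partial ruleset.
restrict_rules() {
    port=$1; shift
    case $port in ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 2; }
    for net in "$@"; do
        valid_cidr "$net" || { echo "invalid source: $net" >&2; return 1; }
    done
    for net in "$@"; do
        # REDIRECT rewrites the destination to this host, so no forwarding is needed.
        echo "iptables -t nat -A PREROUTING -s $net -p tcp --dport 80 -j REDIRECT --to-ports $port"
    done
}

# Constructed sample input: documentation ranges, assumed local port 8080.
restrict_rules 8080 192.0.2.0/24 198.51.100.7
```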
 
Old 01-13-2010, 11:41 AM   #3
winairmvs
Member
 
Registered: Aug 2009
Posts: 42

Original Poster
Rep: Reputation: 16
I was actually thinking the same thing, something that looked like:

iptables -A FORWARD -s ip.of.source.machine -d ip.of.destination.machine -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

But the idea of my web server becoming a layer 3 router is not the direction I want to go. I think it would be advantageous to put a load balancer such as squid in front of the system so I can get as granular as I need on policy, while taking advantage of the reverse proxy caching capabilities. The only problem I can see is how squid might affect ssl traffic.

Another consideration is the proxy: I have heard that Varnish is a much better proxy server than squid in terms of performance. I know nothing else about it other than a few graphs showing it beat out squid in requests per second, etc.

The last option I have been playing with is building a load balancer with the open source "Pen" from siag nu which is a fantastic little piece of software. It allows load balancing based on TCP port and has tons of options on how to distribute traffic. I would enable the firewall to scan for traffic from the source IP ranges and forward the traffic before it reached the load balancing software, and from there it could pass the "good" traffic to my web servers.

Last edited by winairmvs; 01-13-2010 at 12:03 PM.
 
  


All times are GMT -5.