LinuxQuestions.org
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Old 02-07-2014, 04:52 AM   #1
bilbonix
LQ Newbie
 
Registered: Nov 2012
Posts: 21

Rep: Reputation: Disabled
iptables help


I have the script below running on my router to force clients to use the router's DNS and to direct certain traffic to a proxy I have running on the router. Do the rules look okay?

Code:
#!/bin/sh
# DNS: rewrite any LAN udp/53 query not already aimed at a LAN address so it reaches
# the router's own resolver (the --to-destination target is cut off as posted).
iptables -I PREROUTING -t nat -p udp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `$
# LAN-to-LAN web traffic is accepted first, so the DNAT rules below never touch it.
iptables -t nat -A PREROUTING -i br0 -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -p tcp --dport 80 -j ACCEPT
# Per-destination redirect to the proxy on 192.168.0.1:8118. "-s 192.168.0.1" matches only
# that single source address (not the LAN range used above), and each hostname given
# to -d is resolved once at insertion time, one rule per address returned.
iptables -t nat -A PREROUTING -i br0 -s 192.168.0.1 -p tcp -d 216.239.32.20 --dport 80 -j DNAT --to 192.168.0.1:8118
iptables -t nat -A PREROUTING -i br0 -s 192.168.0.1 -p tcp -d bing.com --dport 80 -j DNAT --to 192.168.0.1:8118
iptables -t nat -A PREROUTING -i br0 -s 192.168.0.1 -p tcp -d uk.search.yahoo.com --dport 80 -j DNAT --to 192.168.0.1:8118
iptables -t nat -A PREROUTING -i br0 -s 192.168.0.1 -p tcp -d youtube.com --dport 80 -j DNAT --to 192.168.0.1:8118
iptables -t nat -A PREROUTING -i br0 -s 192.168.0.1 -p tcp -d m.youtube.com --dport 80 -j DNAT --to 192.168.0.1:8118
# Hairpin SNAT: replies from the proxy host return via the router rather than straight
# to the client (only needed when the proxy is a separate LAN host, not the router itself).
iptables -t nat -I POSTROUTING -o br0 -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d 192.168.0.1 -p tcp -j SNAT --to `nvram get lan_ipaddr`
# Allow the redirected flows across the bridge to the proxy port.
iptables -I FORWARD -i br0 -o br0 -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d 192.168.0.1 -p tcp --dport 8118 -j ACCEPT
 
Old 02-11-2014, 05:55 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3603
0) These days it's rare for often-accessed services to have just a single IP address, 1) bypassing "uk.search.yahoo.com" isn't trivial, but it isn't difficult finding another country code either, and 2) what if users use the IP address (pick any o%62s%63ur%65 notation a browser understands ;-p) or 3) use IPv6? So either get all IPv{4,6} addresses / ranges for the targets and use an ipset (easier to check and manage) for the destination filter, or push everything "^.:80" to it and let the proxy handle the filtering?
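As an added illustration of the two options in the reply above (an ipset for the destination filter, or sending all port-80 traffic to the proxy), here is a generator script that prints the rules rather than applying them. It is not code from either poster: br0 and 192.168.0.1:8118 come from the thread, the 192.168.0.0/24 LAN range, the set names proxied4/proxied6 and the sample networks (documentation ranges) are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): print an ipset-based variant of the
# proxy-redirect rules along the lines unSpawn suggests. Nothing is applied;
# review the output, then feed it to sh on the router.
# Assumptions: LAN 192.168.0.0/24 on br0, proxy on the router at
# 192.168.0.1:8118 (the /24 is assumed), set names proxied4/proxied6 are made
# up, and the sample networks below are constructed, not any real site's.
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # DD-WRT: `nvram get lan_ipaddr`/`nvram get lan_netmask`
PROXY4="${PROXY4:-192.168.0.1:8118}"

# emit_ipset NAME FAMILY NET... : commands that (re)build one hash:net set.
# hash:net accepts single addresses and CIDR ranges alike, so a service's whole
# allocation can be listed instead of one address that changes under the rule.
emit_ipset() {
  set_name=$1; family=$2; shift 2
  printf 'ipset create %s hash:net family %s -exist\n' "$set_name" "$family"
  printf 'ipset flush %s\n' "$set_name"
  for net in "$@"; do
    printf 'ipset add %s %s -exist\n' "$set_name" "$net"
  done
}

# emit_nat MODE : the PREROUTING redirect. MODE "set" sends only destinations
# in the set to the proxy; MODE "all" sends every port-80 flow leaving the LAN
# and leaves filtering to the proxy. LAN-to-LAN HTTP is excluded in both modes.
emit_nat() {
  case $1 in
    set) match="-m set --match-set proxied4 dst" ;;
    all) match="" ;;
    *) echo "emit_nat: mode must be set|all" >&2; return 1 ;;
  esac
  printf 'iptables -t nat -A PREROUTING -i %s -s %s ! -d %s -p tcp --dport 80 %s-j DNAT --to-destination %s\n' \
    "$LAN_IF" "$LAN_NET" "$LAN_NET" "${match:+$match }" "$PROXY4"
  # The DNAT target is the router's own address, so the packet is delivered
  # locally (INPUT chain), not forwarded: open the proxy port to the LAN there.
  printf 'iptables -A INPUT -i %s -s %s -p tcp --dport 8118 -j ACCEPT\n' "$LAN_IF" "$LAN_NET"
}

# emit_v6 MODE : with no IPv6 listener on the proxy, plain HTTP over IPv6 is
# the bypass unSpawn points at; reject it for the same targets (or for all).
emit_v6() {
  case $1 in
    set) match="-m set --match-set proxied6 dst" ;;
    all) match="" ;;
    *) echo "emit_v6: mode must be set|all" >&2; return 1 ;;
  esac
  printf 'ip6tables -A FORWARD -i %s -p tcp --dport 80 %s-j REJECT --reject-with tcp-reset\n' \
    "$LAN_IF" "${match:+$match }"
}

# build_ruleset MODE : the complete script, with constructed sample networks
# (documentation ranges from RFC 5737 / RFC 3849) standing in for the real ones.
build_ruleset() {
  emit_ipset proxied4 inet 203.0.113.0/24 198.51.100.7
  emit_ipset proxied6 inet6 2001:db8::/32
  emit_nat "$1" && emit_v6 "$1"
}

build_ruleset "${1:-set}"
```

The set is created before the iptables rule that references it, because the rule insertion fails if the set does not exist yet. Once the rules are loaded, the addresses can be refreshed from a cron job with `ipset add ... -exist` alone; the iptables rules never need to be reloaded, which is the "easier to manage" part of the reply.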
 
All times are GMT -5. The time now is 07:34 PM.