#1  04-24-2014, 02:56 PM
LQ Newbie, Registered: Aug 2009, Posts: 24
Using iptables to route all outbound traffic to internal box
Hey guys,
I have been working on a personal project that requires HTTP traffic, destined for the WAN (on my ADSL router, 10.10.10.254), to be routed to an internal box (let's call it 10.10.10.1/24, listening on port 8888). That box does some traffic monitoring and then will send it back to the ADSL router, sitting on 10.10.10.254.
If I dump this into the telnet session on my router (it runs a Linux base, so it supports iptables), it doesn't seem to work.
iptables -t nat -A PREROUTING -i br0 -s ! 10.10.10.1 -d ! 10.10.10.1 -p tcp --dport 80 -j DNAT --to 10.10.10.1:8888
From what I can understand, that rule should route all HTTP traffic to 10.10.10.1:8888 and ignore any traffic that is originating from 10.10.10.1 (needed otherwise a routing loop would happen).
I would really appreciate any help; I've been really stuck on this one for a couple of days now.
Thanks!
#2  04-25-2014, 04:03 AM
nikmit, Member, Registered: May 2011, Location: Nottingham, UK, Distribution: Debian, Posts: 178
You probably need a permission in the FORWARD chain. Other than that tcpdump is your friend, see where the traffic goes/doesn't go. Have your cleanup rules log and check your logs.
Code:
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG
-A INPUT -j DROP
-A FORWARD -d 10.10.10.1 -p tcp --dport 8888 -j ACCEPT
-A FORWARD -m limit --limit 1/second --limit-burst 100 -j LOG
-A FORWARD -j DROP
#3  04-25-2014, 05:02 PM
LQ Newbie (Original Poster), Registered: Aug 2009, Posts: 24
Quote: Originally Posted by nikmit
You probably need a permission in the FORWARD chain. Other than that tcpdump is your friend, see where the traffic goes/doesn't go. Have your cleanup rules log and check your logs.
Code:
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG
-A INPUT -j DROP
-A FORWARD -d 10.10.10.1 -p tcp --dport 8888 -j ACCEPT
-A FORWARD -m limit --limit 1/second --limit-burst 100 -j LOG
-A FORWARD -j DROP
Thanks for your response.
I can't load tcpdump on my ADSL router. It runs basic Linux but only a couple of things are available (it's not anything fancy, definitely no package manager in there), so no tcpdump. Could you explain what those iptables rules are doing? I am still pretty new to this.
Thanks
#4  04-25-2014, 05:53 PM
Firerat, Senior Member, Registered: Oct 2008, Distribution: Debian sid, Posts: 2,683
Is it a stock firmware on the router, or third party like OpenWrt, DD-WRT, Tomato?
Personally I use OpenWRT on a TP-Link N900.
Not ADSL, but shouldn't matter here.
I have privoxy running on the router, and used its web UI (LuCI) to add forward rules for http --> 127.0.0.1:8118 when !<routerip>
Basically it works and knocks out most annoying ads, and things, even on a smart TV which can't be configured to use a proxy.
I will be happy to provide detail on the OpenWRT config.
Edit
Actually, not 127.0.0.1
Code:
config redirect
	option name 'Privoxy'
	option target 'DNAT'
	option proto 'tcp'
	option src 'lan'
	option src_ip '!<router ip>'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '<router ip>'
	option dest_port '8118'
In /etc/config/firewall
OpenWRT; may need tweaking for an external (from the router) proxy.
Last edited by Firerat; 04-25-2014 at 06:02 PM.
#5  04-26-2014, 04:33 PM
LQ Newbie (Original Poster), Registered: Aug 2009, Posts: 24
Quote: Originally Posted by Firerat
Is it a stock firmware on the router, or third party like OpenWrt, DD-WRT, Tomato?
Stock firmware, that's the biggest problem.
Since I want to replicate this process on most home ADSL routers (most accept telnet connectivity to a basic Linux environment and iptables is always available in it), I don't really want a solution where a custom firmware needs to be loaded, even though I agree it would be preferable.
Do you know how to accomplish this process using purely iptables?
I will try the solution displayed above, it's just been a hectic day. I would love some clarification on it though; I don't quite understand what it's doing, even though I did a little research. I am almost sure it's a single-line rule that needs to be added.
Thanks
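Added example, not code from any of the posts above: a small POSIX sh script that assembles the pure-iptables rule set the thread is circling around (the DNAT rule from post #1 together with the FORWARD permission nikmit mentions in post #2) and documents in comments what each rule does, which is the clarification asked for in posts #3 and #5. It does with plain iptables what the OpenWrt `config redirect` stanza in post #4 does through the firmware. The interface `br0`, the monitor box `10.10.10.1:8888` and the router `10.10.10.254` are taken from the thread; the function names (`valid_ipv4`, `valid_port`, `redirect_rules`, `trace_rules`), the `APPLY` switch and the log prefixes are this example's own. Two practitioner points the example adds: because the clients and the monitor box sit on the same LAN segment, a plain DNAT lets the monitor answer the client directly and the client resets the connection, so a MASQUERADE rule forces the return path through the router; and since the router cannot run tcpdump, rate-limited LOG rules read via `dmesg` serve as the tracing tool instead.

```sh
#!/bin/sh
# Added example, not from the thread: assemble the iptables rules that send LAN
# HTTP traffic through an in-LAN monitoring box on a stock router that has only
# busybox and iptables. Topology assumed from the thread: LAN bridge br0 on the
# router (10.10.10.254), monitor box 10.10.10.1 listening on tcp/8888, clients
# elsewhere in 10.10.10.0/24. Function and variable names are this example's own.
# Without APPLY=1 the script only prints the commands, so they can be reviewed
# before being pasted into the router's telnet session.

LAN_IF="${LAN_IF:-br0}"
MON_IP="${MON_IP:-10.10.10.1}"
MON_PORT="${MON_PORT:-8888}"

# valid_ipv4 ADDR: succeed if ADDR is a dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_port PORT: succeed if PORT is an integer in 1..65535.
valid_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_rules IFACE MON_IP MON_PORT: print one iptables command per line.
#  1. nat/PREROUTING: HTTP arriving on the LAN bridge gets its destination
#     rewritten to the monitor box. "! -s MON_IP" (the current spelling of the
#     negation) leaves the monitor box's own outbound HTTP alone, so what it
#     forwards toward the ADSL side is not looped back to itself.
#  2. nat/POSTROUTING: clients and the monitor box share one segment, so
#     without this the monitor would answer the client directly from
#     MON_IP:MON_PORT, a source the client never talked to, and the client
#     resets the connection. MASQUERADE pins the return path through the
#     router, at the cost of the monitor seeing the router as the source.
#  3. FORWARD: the rewritten packet still has to pass the filter table, which
#     is the FORWARD permission mentioned in post #2. The three rules are
#     inserted at the top (in reverse order) so that the firmware's own
#     FORWARD rules come after them.
redirect_rules() {
    valid_ipv4 "$2" || { echo "redirect_rules: bad monitor address '$2'" >&2; return 1; }
    valid_port "$3" || { echo "redirect_rules: bad monitor port '$3'" >&2; return 1; }
    cat <<EOF
iptables -t nat -A PREROUTING -i $1 ! -s $2 -p tcp --dport 80 -j DNAT --to-destination $2:$3
iptables -t nat -A POSTROUTING -o $1 -d $2 -p tcp --dport $3 -j MASQUERADE
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i $1 -s $2 -j ACCEPT
iptables -I FORWARD -i $1 -d $2 -p tcp --dport $3 -j ACCEPT
EOF
}

# trace_rules IFACE MON_PORT: rate-limited LOG rules, a stand-in for tcpdump on a
# router that cannot run it. Read the hits with dmesg (or logread where present):
# "HTTP-IN" shows HTTP reaching the LAN side, "HTTP-OUT" shows packets leaving
# toward the monitor port after the DNAT. Remove them again once the path works.
trace_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $1 -p tcp --dport 80 -m limit --limit 2/second -j LOG --log-prefix "HTTP-IN: "
iptables -t mangle -A POSTROUTING -p tcp --dport $2 -m limit --limit 2/second -j LOG --log-prefix "HTTP-OUT: "
EOF
}

# Dry run by default; APPLY=1 feeds the reviewed commands to sh on the router.
main() {
    rules=$(redirect_rules "$LAN_IF" "$MON_IP" "$MON_PORT") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}
main
```

Run it once without `APPLY` to read the five commands, then `APPLY=1 sh redirect.sh` on the router. The trace rules are deliberately separate: add `trace_rules br0 8888 | sh -e` only while diagnosing, then delete the two mangle rules, since every HTTP connection otherwise leaves a line in the kernel log. If the router's iptables turns out to lack `-m state`, the equivalent is `-m conntrack --ctstate ESTABLISHED,RELATED`.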