LinuxQuestions.org
Old 01-10-2013, 05:23 AM   #1
agiltinan
LQ Newbie
 
Registered: Jan 2013
Posts: 4

Rep: Reputation: Disabled
IPtables configuration to redirect IP addresses


Hi All,

I was going to use Apache-level restrictions on a certain IP range (port 80) to block countries from my website (Debian server) but decided to try it through iptables instead.
The only thing is I am blocking a large number of countries but not necessarily for security purposes. Mostly this is what the project requires.
However I don't want potential customers (we will be opening it up to international later in the year) to get a 'No connectivity' message.

Ideally I'd like to redirect (forward) all those blocked incoming IPs to another IP (which will have a single static page saying "thanks for your interest. at this time we are open in X country but..etc..").
This second IP is on a different machine.
I've had a look around but I'm not sure if iptables can do this for me. Most scripts I've seen can forward (instead of DROP) ALL port 80 packets to another IP but I only want the blocked IPs forwarded.

So in essence I'm looking to do:
IPrange1 -> access granted
IPrange2 -> redirect to IP_address_2:80

A typical iptables entry I am using looks like:
-A INPUT -s xxx.xxx.xxx.xxx/x -p tcp -m tcp --dport 80 -j DROP
This works very well but as I said it blocks (obviously) rather than redirects.

Any suggestions would be welcomed.
Do I go with Apache/.htaccess instead?

Thanks all
agiltinan
 
Old 01-10-2013, 05:59 AM   #2
bijo505
Member
 
Registered: Nov 2012
Location: Bangalore
Distribution: Fedora & Ubuntu
Posts: 77

Rep: Reputation: 18
Hi

I think this is similar to the following thread

http://www.linuxquestions.org/questi...ne-4175443466/

On your router host:
iptables -t nat -I PREROUTING 1 -p tcp -s <Your network> --dport 80 -j DNAT --to-destination 192.168.0.1:80 # You are giving access
iptables -t nat -I PREROUTING 2 -p tcp ! -s <Your network> --dport 80 -j DNAT --to-destination 192.168.0.2:80 # Everyone else goes to the remote host

PS: Please note I haven't tested this, but I hope this will work; kindly let me know the status.
--
Thanks,
Bijo

Last edited by bijo505; 01-10-2013 at 06:01 AM.
 
Old 01-10-2013, 06:54 AM   #3
agiltinan
LQ Newbie
 
Registered: Jan 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi Bijo,

Thanks for the reply.

I tested that but no luck. The redirect isn't pushing the blocked IP to the new server address. It's still behaving like a DROP filter. I have taken all my custom filters out of iptables so the only entries in there will be for this testing purpose. I also performed an iptables flush before adding the NAT rule.
My iptables now looks like:

# Generated by iptables-save v1.4.8 on Thu Jan 10 12:42:00 2013
*mangle
:PREROUTING ACCEPT [289:39013]
:INPUT ACCEPT [282:38657]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [227:29677]
:POSTROUTING ACCEPT [227:29677]
COMMIT
# Completed on Thu Jan 10 12:42:00 2013
# Generated by iptables-save v1.4.8 on Thu Jan 10 12:42:00 2013
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:76]
-A PREROUTING -s xxx.xxx.xxx.xxx/32 -p tcp --dport 80 -j DNAT --to-destination yyy.yyy.yyy.yyy:80
COMMIT
# Completed on Thu Jan 10 12:42:00 2013
# Generated by iptables-save v1.4.8 on Thu Jan 10 12:42:00 2013
*filter
:INPUT ACCEPT [282:38657]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [227:29677]
COMMIT


I came across that other post previously and tried it but I presumed I was doing something wrong, hence the post here.
Do I need to do any FORWARD or POSTROUTING or anything?

Thanks,
agiltinan
 
Old 01-10-2013, 11:05 AM   #4
bijo505
Member
 
Registered: Nov 2012
Location: Bangalore
Distribution: Fedora & Ubuntu
Posts: 77

Rep: Reputation: 18
Hi,

A few questions from my side.
Have you configured the box as a router? If not, configure the host as a router; the following will help you do that.
1) If you have not enabled IP forwarding, enable it.
This will help you to enable NATing: http://www.howtoforge.com/nat_iptables

2) If you have not enabled NATing, enable it; the same URL will help you. (Before that, save the current config using iptables-save, i.e. iptables-save > /tmp/iptables-conf-date.)

a) Then check the current config using

Code:
iptables -t nat -L -n --line-numbers   # lists the nat table entries with line numbers
b) Flush the current rules in the filter and nat tables using -F

Code:
iptables -t filter -F
iptables -t nat -F
c) Then forwarding and masquerade
Code:
iptables -t nat -I POSTROUTING 1 -o eth0 -j MASQUERADE  # eth0 has the public IP and eth1 is in the private network
iptables -t filter -I FORWARD 1 -i eth1 -j ACCEPT
d) After that enable logging in the PREROUTING chain, so you will get a better idea about what is happening on the host
Code:
iptables -t nat -I PREROUTING 1 -j LOG --log-level 4
iptables -t nat -I PREROUTING 2 -p tcp -s <Your network> --dport 80 -j DNAT --to-destination 192.168.0.1:80 # You are giving access
iptables -t nat -I PREROUTING 3 -p tcp ! -s <Your network> --dport 80 -j DNAT --to-destination 192.168.0.2:80 # Everyone else goes to the remote host
PS: I hope the default policy of all chains is ACCEPT.
--
Thanks,
Bijo

Last edited by bijo505; 01-10-2013 at 11:30 AM.
 
Old 01-10-2013, 11:27 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
...additionally to address a tiny issue:
Quote (originally posted by agiltinan):
A typical IPTable entry i am using looks like:
-A INPUT -s xxx.xxx.xxx.xxx/x -p tcp -m tcp --dport 80 -j DROP
Best not do bulk filtering like that: use ipset instead. ipset allows you to easily load and efficiently manage all IP ranges and, performance-wise, doesn't clog up the table with a rule for each range but requires just one --to-destination redirection rule.
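The following script is an added example and not code posted in this thread. It wires together the pieces the thread arrives at (IP forwarding switched on, a DNAT rule sending port-80 traffic from blocked sources to the landing host, MASQUERADE so replies come back through this box) and keeps the blocked ranges in one ipset, as unSpawn suggests, so the PREROUTING chain carries a single rule however many ranges there are. WAN_IF, LANDING, SET_NAME and the BLOCKED ranges are assumed placeholders (RFC 5737 documentation addresses), not values from the thread. With DRY_RUN=1, the default, every command is printed instead of executed, so the generated rule set can be reviewed on any machine; run it with `apply` as the first argument on the router to execute the commands.

```shell
#!/bin/sh
# Added example (not from the thread): redirect HTTP from blocked source ranges
# to a separate "not open in your region yet" host, using ipset + DNAT.
# Assumed placeholders (not values from the thread):
#   WAN_IF   interface holding the public IP
#   LANDING  address of the other machine serving the static page
#   BLOCKED  constructed sample ranges (RFC 5737 documentation prefixes)
# DRY_RUN=1 (default) prints each command instead of running it; pass "apply"
# as the first argument to execute for real (requires root, iptables and ipset).
set -eu

DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"
LANDING="${LANDING:-203.0.113.10}"
SET_NAME="${SET_NAME:-blocked_countries}"
BLOCKED="${BLOCKED:-198.51.100.0/24 192.0.2.0/24}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

enable_forwarding() {
    # DNAT only rewrites the destination; the rewritten packet then has to be
    # forwarded, and the kernel drops it while ip_forward is 0. That is the
    # setting the original poster found at 0, which made the DNAT rule look
    # like a DROP.
    run sysctl -w net.ipv4.ip_forward=1
}

build_set() {
    # hash:net holds CIDR ranges; -exist makes both commands idempotent so the
    # script can be re-run when the list of ranges changes.
    run ipset create "$SET_NAME" hash:net -exist
    for cidr in $BLOCKED; do
        run ipset add "$SET_NAME" "$cidr" -exist
    done
}

install_rules() {
    # One PREROUTING rule for every range in the set: rewrite the destination
    # of port-80 traffic from a blocked source to the landing host. Sources not
    # in the set never match and reach the local web server as usual.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -m set --match-set "$SET_NAME" src -j DNAT --to-destination "$LANDING:80"
    # Let only the DNATed connections (and their replies) through FORWARD,
    # rather than opening forwarding wholesale.
    run iptables -A FORWARD -i "$WAN_IF" -p tcp -d "$LANDING" --dport 80 \
        -m conntrack --ctstate DNAT -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The landing host is a different machine whose return route need not pass
    # through this box, so hide the client behind this box's address
    # (MASQUERADE, as in the thread). Without it the landing host answers the
    # client directly and the client's TCP stack discards the reply.
    run iptables -t nat -A POSTROUTING -d "$LANDING" -p tcp --dport 80 -j MASQUERADE
}

show_rules() {
    # The listing to check against: after a test request from a blocked range
    # the DNAT rule's packet counter should have moved.
    run iptables -t nat -L PREROUTING -n -v --line-numbers
    run ipset list "$SET_NAME"
}

main() {
    if [ "${1:-}" = apply ]; then DRY_RUN=0; fi
    enable_forwarding
    build_set
    install_rules
    show_rules
}

main "$@"
```

Adding a country later means one `ipset add` rather than editing the chain, and removing the whole redirect is a single `iptables -t nat -D PREROUTING` plus `ipset destroy`. The `--ctstate DNAT` match keeps the FORWARD chain from becoming a general-purpose router path, which matters if the filter table's default policy is ever changed from ACCEPT.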
 
Old 01-10-2013, 11:30 AM   #6
agiltinan
LQ Newbie
 
Registered: Jan 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi Bijo,

Brilliant, thanks for the suggestions. Got it working.

net.ipv4.ip_forward=0,
so my IP forwarding wasn't enabled.

Changed this and redid the NATing and it's working.

Thanks for all the help.
Much appreciated.

agiltinan
 
Old 01-10-2013, 11:31 AM   #7
agiltinan
LQ Newbie
 
Registered: Jan 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
OK unSpawn.

I'll look into using ipset if it's more efficient.

Thanks for the tip.

agiltinan
 
Old 01-10-2013, 11:38 AM   #8
bijo505
Member
 
Registered: Nov 2012
Location: Bangalore
Distribution: Fedora & Ubuntu
Posts: 77

Rep: Reputation: 18
Quote (originally posted by agiltinan):
Hi Bijo,

Brilliant, thanks for the suggestions. Got it working.

net.ipv4.ip_forward=0,
so my IP forwarding wasn't enabled.

Changed this and redid the NATing and it's working.

Thanks for all the help.
Much appreciated.

agiltinan
Thanks and you are welcome :-)
--
Bijo
 
All times are GMT -5. The time now is 01:34 AM.