Old 10-08-2010, 01:26 PM   #1
isaaclw
using IPtables to filter based off url


I have a very simple set up.

With Network Manager I can have my laptop act as a router (sharing all connections).

I also have apt-cacher-ng as a debian package cacher.

I would like to set up iptables to filter only the urls that are meant for a debian package cacher.

For example:
I could use a "forward all" rule:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3142
Except then I would get a bunch of error pages every time I tried to do normal navigating.

My question (again) is: Can iptables handle forwarding only on a specific url? If so how?
Or is there another solution? (preferably without full fledged software like squid)
 
Old 10-08-2010, 06:26 PM   #2
carltm
Even if iptables could be part of the solution to do this, it isn't the right tool
for the job. I say that because it really works at the packet level with MAC
addresses, IP addresses, and protocols like TCP, UDP and ICMP. It isn't designed
to work at the HTTP layer.

Of course an HTTP proxy is the right tool for what you want to do. I have always
used squid, so I don't even know if there's something easier to configure for a
basic setup.

Question...are you just trying to redirect requests to your own mirror? If so,
the "right" way is to identify your mirror in the list of sources. You could
also redirect any requests to a debian server to your mirror using dns or iptables,
however this would require manual updates and it's just a matter of time before
it would fail.

Your iptables example shows a redirect to another port. Do you mind if I ask what
you're trying to do?
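
Reply #2's point that redirecting by destination address "would require manual updates", shown as an added example (not code from any poster in this thread). It narrows the original REDIRECT rule to mirror addresses only. The hostnames' addresses below are constructed RFC 5737 documentation values, `gen_rules` and `sample_lookup` are hypothetical names, and `eth0` and port 3142 come from the original rule.

```shell
#!/bin/sh
# Added example: print (do not apply) REDIRECT rules limited to mirror IPs.
# iptables matches addresses and ports, never the URL, so every port-80
# connection to a listed address is sent to the cache, and the list has to
# be regenerated whenever a mirror's address changes.

LAN_IF=eth0       # inbound interface, as in the original rule
CACHE_PORT=3142   # apt-cacher-ng port, as in the original rule

# Constructed sample of "hostname address" pairs (documentation addresses).
sample_lookup() {
    cat <<'EOF'
# host                address
ftp.debian.org        192.0.2.10
deb.debian.org        192.0.2.10
security.debian.org   198.51.100.7
broken.example        999.1.1.1
EOF
}

# Read "hostname address" lines on stdin; write one rule per unique,
# well-formed IPv4 address. Malformed entries are reported on stderr.
gen_rules() {
    awk '
        function ipv4(a,   n, o, i) {
            n = split(a, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) return 0
            return 1
        }
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        ipv4($2)             { print $2; next }
        { print "skipped: " $0 | "cat 1>&2" }  # bad or missing address
    ' | sort -u | while read -r ip; do
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport 80 -j REDIRECT --to-port %s\n' \
            "$LAN_IF" "$ip" "$CACHE_PORT"
    done
}

# Dry run on the constructed sample: two rules, one skipped entry.
sample_lookup | gen_rules
```

The output is a list of commands to review, not applied state; two hostnames that share an address collapse into one rule.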
 
Old 10-08-2010, 11:53 PM   #3
isaaclw
Quote:
Originally Posted by carltm
Even if iptables could be part of the solution to do this, it isn't the right tool for the job. I say that because it really works at the packet level with MAC addresses, IP addresses, and protocols like TCP, UDP and ICMP. It isn't designed to work at the HTTP layer.
That makes sense. I suspected that iptables might not work.

Quote:
Originally Posted by carltm
Of course an HTTP proxy is the right tool for what you want to do. I have always used squid, so I don't even know if there's something easier to configure for a basic setup.

Question...are you just trying to redirect requests to your own mirror? If so, the "right" way is to identify your mirror in the list of sources. You could also redirect any requests to a debian server to your mirror using dns or iptables, however this would require manual updates and it's just a matter of time before it would fail.

Your iptables example shows a redirect to another port. Do you mind if I ask what
you're trying to do?
Ok. Just to explain a bit.
I have a few labs set up around, each one using a squid and apt-cacher-ng server. These computers are installed in our office and taken out.
In these labs, squid is a transparent proxy, and is used to redirect traffic to the apt-cacher-ng port (if necessary). That line of code is what's used to forward http to the port 3128 (I simply modified it to 3142, the apt-cacher-ng port).

If, however, I need to do an "on-site" install, I'd like to be able to do everything I need with my laptop. I already have apt-cacher-ng installed. While I could manually set the proxy settings in "/etc/apt/apt.conf.d" each time, I'd like to do it a bit more transparently.
I realize that squid probably wouldn't take up much space and is probably the best solution, but I was thinking of trying something a bit... lighter weight?

Does that make sense now?
 
Old 10-10-2010, 10:55 PM   #4
mago
The other way to go is to set up a local DNS and set those records there.
 
  

