LinuxQuestions.org (/questions/)
-   Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
-   -   Using Squid/Iptables to redirect inbound web traffic to url/IP (https://www.linuxquestions.org/questions/linux-software-2/using-squid-iptables-to-redirect-inbound-web-traffic-to-url-ip-781952/)

winairmvs 01-13-2010 08:56 AM

Using Squid/Iptables to redirect inbound web traffic to url/IP
 
We host a web server on which we are hoping to implement some form of traffic redirection based on source IP address, and I am wondering whether the squid proxy built on iptables would be capable of managing this task? Essentially we are trying to redirect traffic from a specific set of source IP ranges to a "Your IP has been restricted" type of page at a different IP/FQDN.

sparc86 01-13-2010 09:50 AM

I don't see why you could not do it with iptables. :-)

You could just get a selected range of IPs and tell iptables to redirect all the requests on port 80 to a specific local website where they will face this message "Your IP has been restricted".

You could also have a transparent proxy on your network and restrict the traffic at squid directly.

Well, is that what you need? I hope I'm being helpful. In any case, just ask.
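The rule set this reply describes, as an added example that is not from sparc86's post: new port-80 connections from the listed source ranges are sent by the nat table's REDIRECT target to a local vhost serving the restricted page. The listener port (8080), the range list (RFC 5737 documentation ranges) and all function names are assumptions; the script prints the rules for review rather than applying them, so it runs without root.

```shell
#!/bin/sh
# Constructed example: build iptables rules that send port-80 requests from
# restricted source ranges to a local "Your IP has been restricted" vhost.
# REDIRECT in nat PREROUTING acts on traffic addressed to this host, so the web
# server does not need ip_forward or a FORWARD chain to do this.
# Port 443 is deliberately left alone: a redirected TLS client would get a
# certificate mismatch instead of the message page.

RESTRICTED_PORT=8080                                  # assumed local vhost port
RESTRICTED_RANGES="203.0.113.0/24 198.51.100.0/24"    # constructed sample ranges

# Accept only a dotted quad with an optional /0-32 prefix, so a typo or a
# stray shell character in the range list can never become part of a rule.
valid_cidr() {
    case "$1" in
        ""|*[!0-9./]*) return 1 ;;
    esac
    addr=${1%%/*}
    plen=${1#*/}
    [ "$plen" = "$1" ] && plen=32          # no "/" present: a single host
    [ "$plen" -ge 0 ] 2>/dev/null && [ "$plen" -le 32 ] || return 1
    set -- $(IFS=.; echo $addr)            # split the address into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Emit the rule for one range. REDIRECT only sees the first packet of a
# connection, so no state match is needed; the conntrack entry does the rest.
redirect_rule() {
    valid_cidr "$1" || { echo "invalid range: $1" >&2; return 1; }
    printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$1" "$RESTRICTED_PORT"
}

# Emit the full rule set; stops at the first bad range so nothing partial is applied.
build_rules() {
    for r in $RESTRICTED_RANGES; do
        redirect_rule "$r" || return 1
    done
}

build_rules
```

Pipe the output into `sh` (as root) to apply it; the restricted vhost must be listening on the chosen port and must not itself be in a restricted range.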

winairmvs 01-13-2010 11:41 AM

I was actually thinking the same thing, something that looked like:

iptables -A FORWARD -s ip.of.source.machine -d ip.of.destination.machine -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

But the idea of my web server becoming a layer 3 router is not the direction I want to go. I think it would be advantageous to put a load balancer such as squid in front of the system so I can get as granular as I need on policy, while taking advantage of the reverse proxy caching capabilities. The only problem I can see is how squid might affect SSL traffic.

Another consideration is the proxy; I have heard that Varnish is a much better proxy server than squid in terms of performance. I know nothing else about it other than a few graphs showing it beat out squid in requests per second, etc.

The last option I have been playing with is building a load balancer with the open source "Pen" from siag.nu, which is a fantastic little piece of software. It allows load balancing based on TCP port and has tons of options on how to distribute traffic. I would enable the firewall to scan for traffic from the source IP ranges and forward the traffic before it reached the load balancing software, and from there it could pass the "good" traffic to my web servers.
