After searching the forums with no matching results, I asking hear.
I want to redirect every browser request in destination port 80 to another port (for example 8080). all in the localhost.
My workplace is linux, and I want to use the iptables rules and python code server.
The rule I used is:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8080.
I also tried some other flags like specific ip source and server etc.
The server listening on port 8080 is:
#!/usr/bin/env python
import SimpleHTTPServer
import SocketServer
def redirect_factory():
class RedirectServer(SimpleHTTPServer.SimpleHTTPRequestHandler):
def do_GET(self):
self.send_response(301)
self.send_header('Location', 'www.IdontCare.IdontKnow')
self.end_headers()
return RedirectServer
redirectServer = redirect_factory()
handler = SocketServer.TCPServer(('', 8080), redirectServer)
print("serving at port %s" % 8080)
handler.serve_forever()
The problem is that it works well when I configure my browser in the connection settings (without adding the iptables rules) like this:
But when I use the iptables rules it says that it have a broken pipe, and the browser request didn't received at all in the server. So if I write in the URL in the browser www.google.com I can't see it with the self.path value.
EDIT:
Here is the iptables -t nat -nvL --line-numbers output:
the rule is working, but it not done what I suppose.
I play a little with the rules, and if I put one of the next rules I can see in the CNAME in the self.headers value.
the rules is (I can just choose one of them):
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 80
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1
If I not mistake, both of them done the same thing.
what am I do wrong ?
and how to make it work with iptables rules like the configuration of the browser?
Thanks!
Related
I am confused about situation in my NATed network. I start dnsmasq on router, with listen-address=192.168.100.1 and -p 5353 option for DNS port. Afterwards, i add iptables rule for hosts inside that network:
iptables -t nat -I PREROUTING -s 192.168.100.0/24 \
-d 192.168.100.1 -p udp --dport 53 -j REDIRECT --to-ports 5353
But this didn't work first time, since my INPUT policy is DROP: when i add this rule, everything starts to work:
iptables -I INPUT -p udp --dport 53 -d 127.0.0.53 -j ACCEPT
I discovered this address with help of -j LOG on my INPUT chain, where i saw packets dropped like SRC=127.0.0.1 DST=127.0.0.53 ..., when NATed host is trying to resolve hostname.
As i am writing automated script that generates correct netfilter rules for situation, i need to know from where this 127.0.0.53 could come from.
I see the same address in /etc/resolv.conf. But i don't understand who's routing this packet to this address when it is "redirected", if even close to understanding what happens.
systemd-resolved sets up a stub listener for dns requests locally on 127.0.0.53:53
try disabling it to proceed sudo systemctl disable systemd-resolved
I need to redirect particular outgoing connections (from any web-client on my system) to particular IP. Yes, it can be done by adding this line in /etc/hosts file:
123.456.789.012 www.mydomain.com
Is it possible to do such a redirection without editing of /etc/hosts? In fact, I need this redirection temporarily. Moreover, I cannot modify any configuration files on my system, so I should do such a redirection only via some utils in the command line. I've read about tsocks, but it can redirect outgoing connections to SOCKS server only from the particular application, not from any application.
So, is it possible?
Ok, I found a solution. We can use iptables for it. This rule redirects all outgoing requests via 80 port to 0.0.0.0:3010:
$ sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 0.0.0.0:3010
To delete this rule, just replace -A to -D:
$ sudo iptables -t nat -D OUTPUT -p tcp --dport 80 -j DNAT --to-destination 0.0.0.0:3010
If we want to redirect only particular requests via 80 port, we can use this command:
$ sudo iptables -t nat -A OUTPUT -p tcp -d google.com --dport 80 -j DNAT --to-destination 0.0.0.0:3010
In this case only requests to google.com will be redirected to 0.0.0.0:3010.
I'm working with an Ubuntu 12.04 LTS, 64 Bit server there I have used the following commands to send all http request on port 80 to port 8080
Commands:
cat /proc/sys/net/ipv4/ip_forward #returns 1
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
From there I wanted to proxy the requests based on (sub)domain to some other ports (i.e. 9000, 3000, 9615) using http-master. I'm having some problems getting this done and had it right once on a VPS on amazon aws where those ports where opened.
So what I'm asking is if it's necessary to open every port and how I can do that on the command line?
After some further research and experimentation I concluded that it's only necessary to open the port that we use as entry points. If we then route it with a proxy or even with NAT configuration to another PORT, the latter will be used only to "listen".
Background Info: I have rooted an android phone and installed droidwall to get access to iptables. The kernel version is 2.6.35.7-perf.
Objective: Test the efficiency of a proxy (on port 8080) from a comparison of the traffic flow with and without the proxy.
I am able to get a test without going through the proxy with the rules from here
Method: I have creating a test website on a single IP address. I am using an application that monitors how many packets/bytes have been transmitted and recieved by the phone.
Problem: Due to unknown background traffic, unwanted packets are being sent and recieved.
Solution: Use iptables to only allow a connection to one website so I can properly monitor the traffic.
How would I go about this?
Try the following:
iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp -s 1.2.3.4 --dport 8080 -j ACCEPT
The first rule should redirect al traffic from 1.2.3.4 to the port 8080, while the second states to accept such packet.
Now you should set on DROP the default policy for INPUT so that every other packet is discarded:
iptables -P INPUT DROP
Be careful. This is a very restrictive rule.
So I have a CentOS server with Nginx and now want to run Nginx with PHP-FPM. By default it's configured to port 9000 but I'm going to use 9001. I need to know how to open port 9001 for loopback in my iptables. Which of the following are correct, are they the same, or both wrong? Any help will be appreciated, thanks :)
iptables -A INPUT -p tcp -s 127.0.0.0 --dport 9001 -j ACCEPT
or
iptables -A INPUT -i lo --dport 9001 -j ACCEPT
You shouldn't need to open the firewall to connect to localhost, as it shouldn't be firewalled anyway (as a general rule).
But I would suggest following the above advice to use sockets instead.
Edit /etc/php5/fpm/php5-fpm.conf and search for these two lines:
listen = /var/run/php5-fpm.sock
;listen = 127.0.0.1:9000
Comment out the port one and uncomment the sock one - restart php-fpm :)