Redirect like via `/etc/hosts` without editing `/etc/hosts` - linux

I need to redirect particular outgoing connections (from any web client on my system) to a particular IP. Yes, it can be done by adding this line to the /etc/hosts file:
123.456.789.012 www.mydomain.com
Is it possible to do such a redirection without editing /etc/hosts? In fact, I only need this redirection temporarily. Moreover, I cannot modify any configuration files on my system, so I have to do such a redirection only via some utilities on the command line. I've read about tsocks, but it can redirect outgoing connections to a SOCKS server only from a particular application, not from any application.
So, is it possible?

OK, I found a solution. We can use iptables for it. This rule redirects all outgoing requests to port 80 to 0.0.0.0:3010:
$ sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 0.0.0.0:3010
To delete this rule, just replace -A with -D:
$ sudo iptables -t nat -D OUTPUT -p tcp --dport 80 -j DNAT --to-destination 0.0.0.0:3010
If we want to redirect only particular requests to port 80, we can use this command:
$ sudo iptables -t nat -A OUTPUT -p tcp -d google.com --dport 80 -j DNAT --to-destination 0.0.0.0:3010
In this case only requests to google.com will be redirected to 0.0.0.0:3010.
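An added example, not the answerer's own commands: a small wrapper around the rule above that resolves the host name to its IPv4 addresses first (iptables resolves a name given to -d once, at insert time, so a host with several A records needs one rule per address), inserts the nat/OUTPUT rules, runs a command, and removes exactly the same rules on exit. It sends matching connections to 127.0.0.1:3010, an assumed local listener, rather than 0.0.0.0:3010; the port and target are placeholders to edit, and applying the rules needs root.

```sh
#!/bin/sh
# Added example (not the answer's own commands): redirect this host's outgoing
# TCP connections to a host name's port 80 into a local listener without
# touching /etc/hosts, keep the rules while a command runs, then remove them.
# Assumptions: iptables and getent are available and the script runs as root
# when applying rules; 127.0.0.1:3010 is a placeholder local listener.
set -u

DPORT=80                  # port of the connections to hijack
TARGET="127.0.0.1:3010"   # where those connections are sent instead

# Exact IPv4 dotted-quad test. "-d" takes names too, but iptables resolves a
# name once at insert time, so we resolve explicitly and add one rule per IP.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the IPv4 addresses of a host, one per line (an address passes through).
ipv4_addrs() {
    if is_ipv4 "$1"; then
        printf '%s\n' "$1"
    else
        getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
    fi
}

# One nat/OUTPUT rule: $1 is A (append) or D (delete), $2 the destination IP.
# Add and delete are built from the same template so they match exactly.
dnat_rule() {
    printf 'iptables -t nat -%s OUTPUT -p tcp -d %s --dport %s -j DNAT --to-destination %s\n' \
        "$1" "$2" "$DPORT" "$TARGET"
}

# All rules for a host: rules_for <A|D> <host>
rules_for() {
    for ip in $(ipv4_addrs "$2"); do
        dnat_rule "$1" "$ip"
    done
}

cleanup() {
    trap - EXIT INT TERM
    printf '%s\n' "$del" | sh
}

# with_redirect <host> <command...>: install, run the command, uninstall.
with_redirect() {
    host=$1; shift
    add=$(rules_for A "$host")
    [ -n "$add" ] || { echo "no IPv4 address for $host" >&2; return 2; }
    del=$(rules_for D "$host")
    trap cleanup EXIT INT TERM
    printf '%s\n' "$add" | sh -e
    "$@"
}

case "${1:-}" in
    "") ;;   # no arguments: only define the functions (for sourcing/testing)
    -h|--help) echo "usage: $0 HOSTNAME COMMAND [ARGS...]" >&2 ;;
    *) with_redirect "$@" ;;
esac
```

Run as root, e.g. `./redirect.sh www.mydomain.com curl -s http://www.mydomain.com/`; the rules disappear when curl returns or the script is interrupted. Only the local host's own connections are affected, because the nat/OUTPUT chain sees locally generated packets and nothing else.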

Related

Transparent Proxy Squid with internal and external network

I have a network set up like this, with an external and an internal network.
I have successfully got Squid running as a proxy for the internal browser, and now I want to set it up as transparent, but I'm having some problems.
[network diagram]
First, I changed it to "http_port 8080 intercept", but I'm having trouble setting up the correct iptables rules on the external server, as the packets are not getting back to the Squid box.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE   # enp0s3 is the NAT (WAN) interface
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 8080 -j ACCEPT
iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 80 -j DNAT --to-destination 10.10.1.254:8080
iptables -t nat -A PREROUTING -i enp0s8 -p tcp --dport 80 -j REDIRECT --to-port 8080
This is as far as I got, and the internet works fine on the internal PC, but I'm not sure how to redirect HTTP port 80 packets to the Squid box (10.10.1.254:8080).
A couple of things.
From the diagram it is not clear where the Squid box is. Considering you are setting up a transparent proxy, it will be in between your internal network and the WAN connection, which I believe you might have taken care of. Please check.
Considering this is a dual-homed box, you need to set the default gateway to point to your Squid box's WAN interface.
You do need reverse path forwarding enabled.
Last but not least, IP packet forwarding enabled.
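An added example that follows the checklist in this answer rather than the rules in the question: run on the Squid box itself, assumed to be the dual-homed gateway of the internal network (LAN on enp0s8, WAN on enp0s3, clients in 192.168.1.0/24; all of these are assumptions), it verifies the kernel settings the answer names from `sysctl -a` output and prints the rules that intercept port 80 into `http_port 8080 intercept`. Squid's own fetches start in the OUTPUT chain, so they never meet the PREROUTING REDIRECT and cannot loop back into Squid.

```sh
#!/bin/sh
# Added example, not the answer's own commands: run on the Squid box, assumed
# to be the dual-homed default gateway of the internal network. Checks the
# kernel settings the answer lists and prints the intercept rules for
# "http_port 8080 intercept". Interface names and the LAN are assumptions.
set -u

LAN_IF=enp0s8              # faces the internal clients
WAN_IF=enp0s3              # faces the Internet
LAN_NET=192.168.1.0/24
SQUID_PORT=8080

# check_sysctls <file holding `sysctl -a` output>: prints one line per
# required setting and returns 1 if any is missing or has the wrong value.
check_sysctls() {
    rc=0
    for want in net.ipv4.ip_forward=1 net.ipv4.conf.all.rp_filter=1; do
        key=${want%=*}; val=${want#*=}
        got=$(awk -v k="$key" '$1 == k { print $3 }' "$1")
        if [ "$got" = "$val" ]; then
            echo "ok      $key = $got"
        else
            echo "MISSING $key = ${got:-unset} (want $val)"
            rc=1
        fi
    done
    return $rc
}

# intercept_rules: the complete rule set, one command per line.
# Squid's own fetches start in the OUTPUT chain, never in PREROUTING, so the
# REDIRECT cannot loop them back into Squid.
intercept_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

case "${1:-}" in
    check)
        tmp=$(mktemp); sysctl -a 2>/dev/null >"$tmp"
        rc=0; check_sysctls "$tmp" || rc=$?
        rm -f "$tmp"; exit $rc ;;
    rules) intercept_rules ;;            # pipe into "sh -e" as root to apply
    *) ;;
esac
```

`./squid-intercept.sh check` reports the two settings; `./squid-intercept.sh rules | sudo sh -e` applies the rules. The effective reverse-path setting of an interface is the larger of `conf.all.rp_filter` and `conf.<iface>.rp_filter`, so a per-interface value of 0 is overridden by the `all` value checked here.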

Point client domain to my domain

I have a website with subdomains for my clients (wildcard subdomain):
client1.test.com
client2.test.com
I want my clients to use their own domain if they want.
What kind of record needs to be added to point
client1.com => client1.test.com
shop.client1.com => client1.test.com
I'm using the free plan of Cloudflare for www.test.com, but I'm open to changing it if it can't be done.
CNAME records would work for that. You could also use A records to point to the same IP as test.com.
You need to modify the CNAME at client1's domain provider to redirect their domain to client1.test.com.
You need to modify the CNAME at client2's domain provider to redirect their domain to client2.test.com.
CNAME setup on Cloudflare is for paid plans only:
https://support.cloudflare.com/hc/en-us/articles/200168706-How-do-I-do-CNAME-setup-
You might also want to check
https://support.cloudflare.com/hc/en-us/articles/200168826-Does-Cloudflare-support-wildcard-DNS-entries-
You simply need to understand DNS records and how they work. You can find a good resource for this here; the most important one in your case is the 'A record'.
In summary, however, before your clients can point their own domain to your system, they will have to configure their domain's host records to point to your server/IP address.
For you, there is nothing to do in Cloudflare, only on your server. Say you have configured your web server to recognize client1.test.com, but client1 decides to use the domains client1.com and shop.client1.com; you have to set your web server block for client1.test.com to also recognize these two domain aliases in addition to the original subdomain.
With Nginx, this will look like:
    server {
        ...
        server_name client1.test.com shop.client1.com client1.com;
        ...
    }
You could take a look at this script if you are looking for how to automate this process.
Maybe you could use CNAME records like this:
client1.com CNAME client1.test.com.
shop.client1.com CNAME client1.test.com.
The dot at the end tells the DNS server not to complete your entry with the default domain name.
If you do not have to use DNS to redirect, you are also free to do it with iptables forwarding. The good thing about this solution is that you can decide which port will point to which IP; this way you could forward the web server to your customer's server but leave mail on your server (for example).
Here is how to forward a port to another host that has an external IP:
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $port -j LOG --log-prefix="PreRouting $port..:"
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $port -j DNAT --to $ip:$port
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo iptables -A FORWARD -p tcp -i eth0 -o eth0 -s $ip --sport $port -j LOG --log-prefix="S Forward $port.."
sudo iptables -A FORWARD -p tcp -i eth0 -o eth0 -s $ip --sport $port -j ACCEPT
sudo iptables -A FORWARD -p tcp -i eth0 -o eth0 -d $ip --dport $port -j LOG --log-prefix="D Forward $port.."
sudo iptables -A FORWARD -p tcp -i eth0 -o eth0 -d $ip --dport $port -j ACCEPT
You also have to run this command to enable forwarding in your network stack:
sudo sysctl -w net.ipv4.ip_forward=1
This will work in a default-DENY iptables setup.
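An added example, not the answer's script: the same DNAT forward to a customer's host, arranged so that return traffic is accepted by connection state instead of by source port (a FORWARD rule keyed on `-s $ip --sport $port` admits any packet the remote host chooses to send from that port), so that only the forwarded connections are source-NATed rather than everything leaving the box, and so that re-running it does not duplicate rules. eth0 and 203.0.113.10 are placeholders.

```sh
#!/bin/sh
# Added example, not the answer's script: forward chosen TCP ports of this
# host's public interface to another host (the customer's server) while every
# other port, such as mail, stays on this host. Return traffic is accepted by
# connection state rather than by source port, only the forwarded connections
# are source-NATed, and every rule is added at most once. Placeholders below.
set -u

PUB_IF=eth0
CUSTOMER_IP=203.0.113.10   # documentation address, replace with the real one

# forward_plan <port...>: one "table chain rule" line per rule to install.
forward_plan() {
    echo "filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # MASQUERADE only connections we DNATed, so the forwarded host answers to
    # us and we answer to the client; other traffic leaving $PUB_IF is untouched.
    echo "nat POSTROUTING -o $PUB_IF -d $CUSTOMER_IP -p tcp -m conntrack --ctstate DNAT -j MASQUERADE"
    for p in "$@"; do
        echo "nat PREROUTING -i $PUB_IF -p tcp --dport $p -j DNAT --to-destination $CUSTOMER_IP:$p"
        echo "filter FORWARD -i $PUB_IF -o $PUB_IF -d $CUSTOMER_IP -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# add_once <table> <chain> <rule...>: append unless an identical rule exists.
add_once() {
    t=$1; c=$2; shift 2
    iptables -t "$t" -C "$c" "$@" 2>/dev/null || iptables -t "$t" -A "$c" "$@"
}

# apply_plan: read plan lines from stdin and install them (needs root).
apply_plan() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    while read -r t c rule; do
        add_once "$t" "$c" $rule      # unquoted on purpose: split into arguments
    done
}

case "${1:-}" in
    plan)  shift; forward_plan "$@" ;;                # e.g. ./fwd.sh plan 80 443
    apply) shift; forward_plan "$@" | apply_plan ;;
    *) ;;
esac
```

`./fwd.sh plan 80 443` shows what would be installed; `sudo ./fwd.sh apply 80 443` installs it. Ports not listed (25, for instance) keep hitting this host's own services, which is the split the answer describes.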

Why do I see DST="127.0.0.53" on -j REDIRECTed packets?

I am confused about a situation in my NATed network. I start dnsmasq on the router with listen-address=192.168.100.1 and the -p 5353 option for the DNS port. Afterwards, I add an iptables rule for hosts inside that network:
iptables -t nat -I PREROUTING -s 192.168.100.0/24 \
-d 192.168.100.1 -p udp --dport 53 -j REDIRECT --to-ports 5353
But this didn't work the first time, since my INPUT policy is DROP; when I add this rule, everything starts to work:
iptables -I INPUT -p udp --dport 53 -d 127.0.0.53 -j ACCEPT
I discovered this address with the help of -j LOG on my INPUT chain, where I saw packets dropped like SRC=127.0.0.1 DST=127.0.0.53 ... when a NATed host is trying to resolve a hostname.
As I am writing an automated script that generates the correct netfilter rules for this situation, I need to know where this 127.0.0.53 could come from.
I see the same address in /etc/resolv.conf. But I don't understand who is routing this packet to this address when it is "redirected", if I am even close to understanding what happens.
systemd-resolved sets up a stub listener for DNS requests locally on 127.0.0.53:53.
Try disabling it to proceed: sudo systemctl disable systemd-resolved
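An added example, not part of the answer: a check for the rule-generating script the question mentions. dnsmasq forwards queries it cannot answer to the nameservers in /etc/resolv.conf unless told otherwise, so one reading consistent with the question is that the dropped SRC=127.0.0.1 DST=127.0.0.53 packets are the router's own upstream queries to the systemd-resolved stub, not the redirected client packets; the script below tells the two apart from "-j LOG" output and prints the tighter ACCEPT rule. The log lines and resolv.conf in the test are constructed, not captured.

```sh
#!/bin/sh
# Added example, not part of the answer: match the dropped packets seen with
# "-j LOG" against the nameservers in resolv.conf, so a script generating
# rules can tell the router's own queries to the systemd-resolved stub on
# 127.0.0.53 apart from the redirected client queries. The sample log lines
# and resolv.conf used in the test are constructed, not captured.
set -u

# log_field <NAME> <line>: value of NAME=... in a netfilter LOG line.
log_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# nameservers <resolv.conf>: the configured upstream addresses.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# classify <resolv.conf>: for every LOG line on stdin print
# "<verdict> SRC=.. DST=.. DPT=..", where the verdict is "stub" for a packet
# from loopback to one of the configured nameservers and "other" otherwise.
classify() {
    ns=$(nameservers "$1")
    while IFS= read -r line; do
        src=$(log_field SRC "$line")
        dst=$(log_field DST "$line")
        dpt=$(log_field DPT "$line")
        verdict=other
        case "$src" in
            127.*)
                for n in $ns; do
                    if [ "$n" = "$dst" ]; then verdict=stub; fi
                done ;;
        esac
        echo "$verdict SRC=$src DST=$dst DPT=${dpt:--}"
    done
}

# accept_rule: admit loopback traffic by interface rather than by the stub
# address, so the rule keeps working if the address changes and opens
# nothing on the real interfaces.
accept_rule() {
    echo "iptables -I INPUT -i lo -j ACCEPT"
}

case "${1:-}" in
    classify) classify "${2:-/etc/resolv.conf}" ;;   # e.g. journalctl -k | ./dns.sh classify
    *) ;;
esac
```

`journalctl -k | ./dns.sh classify` labels each logged packet. If the stub should stay reachable, keeping systemd-resolved but setting `DNSStubListener=no` in resolved.conf frees port 53 on 127.0.0.53 without disabling the service.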

iptables port forwarding - nothing returned

I'm stumped.
This is how my iptables rules are configured on Debian 7.
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8090 -j ACCEPT
-A FORWARD -d 127.0.0.1/32 -i eth0 -p tcp -m state --state NEW -m tcp --dport 8090 -j ACCEPT
-A FORWARD -d 10.1.130.5/32 -i eth0 -p tcp -m state --state NEW -m tcp --dport 8090 -j ACCEPT
Basically, forwarding port 80 to port 8090.
I also have an instance of Apache Tomcat running and listening on port 8090, e.g.
sudo lsof -i :8090
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 15081 user1 36u IPv6 164737 0t0 TCP *:8090 (LISTEN)
However, whenever I try to connect via a browser, nothing gets returned. It's the same using wget, e.g.
wget www.test.com/confluence
--2016-04-22 16:59:22-- http://www.test.com/confluence
Resolving www.test.com... 10.1.130.5
Connecting to www.test.com|10.1.130.5|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /bootstrap/selectsetupstep.action [following]
--2016-04-22 16:59:22-- http://www.test.com/bootstrap/selectsetupstep.action
Reusing existing connection to www.test.com:80.
HTTP request sent, awaiting response...
There is nothing in your ruleset that actually forwards ports. You have INPUT rules, which will accept or reject packets destined for the local host, and you have FORWARD rules, which will accept or reject packets transiting the machine to another address, but you don't have anything that actually changes the target port of a connection.
If you actually want to change some aspect of a connection, this falls into the broad category of "network address translation" (NAT), which is carried out in the nat table rather than the default filter table.
Possibly you need a REDIRECT rule in your nat table:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 \
-j REDIRECT --to-ports 8090
Note that a REDIRECT rule will only operate on traffic that does not originate on the local host. You will need to test this from another host on the network (or from inside a container or a vm).
Alternatively, you could accomplish something similar using proxy software such as haproxy.
Some additional reading:
http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/
https://serverfault.com/questions/179200/difference-beetween-dnat-and-redirect-in-iptables
https://wiki.debian.org/Firewalls-local-port-redirection
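An added example, not the answer's own commands: a check that reads saved `iptables -S` and `iptables -t nat -S` output and says whether anything actually rewrites port 80 (the filter-only ruleset in the question fails it), plus the REDIRECT rules, including a nat/OUTPUT rule for connections made from the box itself. As the answer says, PREROUTING only sees packets arriving from elsewhere; a locally generated connection to one of the box's own addresses traverses OUTPUT and leaves on lo, so a second rule there lets a wget on the box exercise the redirect without a second host. The interface and ports are taken from the question as assumptions.

```sh
#!/bin/sh
# Added example, not the answer's own commands: check saved "iptables -S" and
# "iptables -t nat -S" output for a rule that actually rewrites TCP port 80,
# and print the REDIRECT rules including one for connections made from the
# box itself. Interface and ports are taken from the question as assumptions.
set -u

IFACE=eth0
FROM=80
TO=8090

# has_port_rewrite <nat -S file>: 0 if some rule REDIRECTs or DNATs TCP/$FROM.
has_port_rewrite() {
    grep -E -- "--dport $FROM .*-j (REDIRECT|DNAT)" "$1" >/dev/null
}

# diagnose <filter -S file> <nat -S file>: prints a verdict; returns 1 when
# the ruleset only accepts or drops and never translates.
diagnose() {
    if has_port_rewrite "$2"; then
        echo "ok: the nat table rewrites TCP/$FROM"
        return 0
    fi
    cnt=$(grep -E -c -- "--dport $FROM( |$)" "$1" || true)
    echo "no nat rule for TCP/$FROM; the filter table has $cnt rule(s) for it, which only ACCEPT or DROP"
    return 1
}

# redirect_rules: PREROUTING covers packets arriving on $IFACE from other
# hosts; locally generated packets never pass PREROUTING, but a connection to
# one of the box's own addresses leaves through lo, so a nat/OUTPUT rule on lo
# lets a wget on the box itself exercise the redirect too.
redirect_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport $FROM -j REDIRECT --to-ports $TO
iptables -t nat -A OUTPUT -o lo -p tcp --dport $FROM -j REDIRECT --to-ports $TO
EOF
}

case "${1:-}" in
    diagnose)
        ff=$(mktemp); nf=$(mktemp)
        iptables -S >"$ff"; iptables -t nat -S >"$nf"
        rc=0; diagnose "$ff" "$nf" || rc=$?
        rm -f "$ff" "$nf"; exit $rc ;;
    rules) redirect_rules ;;
    *) ;;
esac
```

`sudo ./redir.sh diagnose` runs the check against the live tables; `./redir.sh rules | sudo sh -e` installs both rules. The test feeds it the question's own ruleset, which has no nat entry for port 80, and then the corrected one.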

linux PPTP server relay

I want to create a VPS that has both a PPTP server and a PPTP client, and this VPS is used as a relay.
There are two servers, VPS1 and VPS2; both have PPTPD installed, and VPS1 also has the pptp client installed.
I want to have this:
user ---- PPTP ----> VPS1 ----- PPTP ----> VPS2
The user connects to VPS1, and all the network traffic is routed to VPS2.
I'm doing this because it is hard for the user to connect to VPS2 directly, so a middle server is needed to work as a relay.
How can I configure iptables to make it work? Thanks.
Strange usage of PPTP. Your ISP must be Shanghai, China Telecom.
If you route all the network traffic on VPS1 to VPS2, you have to know the IP address of the user and set up an exception. Otherwise the user will never receive the reply packets.
Maybe you can use iptables to do DNAT. Make VPS1 a router and VPS2 the internal PPTP server.
First of all, you should check whether the kernel modules ip_nat_pptp and ip_conntrack_pptp are loaded. PPTP uses TCP port 1723 to transmit control commands and GRE to transfer data. Because GRE has no ports, the server has to use the Call ID to track the endpoints and implement the NAT. This is called PPTP passthrough.
# lsmod | grep pptp
If they are not loaded, load them:
# modprobe ip_nat_pptp
# modprobe ip_conntrack_pptp
Then you need to enable IPv4 forwarding:
# sysctl -w net.ipv4.ip_forward=1
Now you can create iptables rules to accept the incoming and forwarded requests:
# iptables -A INPUT -d $VPS1_IP_ADDR -p tcp --dport 1723 -j ACCEPT
# iptables -A INPUT -d $VPS1_IP_ADDR -p gre -j ACCEPT
# iptables -A FORWARD -d $VPS2_IP_ADDR -p tcp --dport 1723 -j ACCEPT
# iptables -A FORWARD -d $VPS2_IP_ADDR -p gre -j ACCEPT
Finally, set up the DNAT rules (PREROUTING and POSTROUTING live in the nat table, so -t nat is required):
# iptables -t nat -A PREROUTING -d $VPS1_IP_ADDR -p tcp --dport 1723 -j DNAT --to-destination $VPS2_IP_ADDR
# iptables -t nat -A POSTROUTING -d $VPS2_IP_ADDR -p tcp --dport 1723 -j MASQUERADE
You can now connect to VPS1 with the username/password of the pptpd on VPS2.
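An added example, not the answer's commands, with the details a current kernel needs for the same relay: the modules are now named nf_conntrack_pptp and nf_nat_pptp (the ip_* names in the answer still work as aliases), and since kernel 4.7 conntrack helpers are no longer attached to connections automatically (the nf_conntrack_helper sysctl that could re-enable that was removed in 6.0), so the control connection is bound to the pptp helper explicitly with a CT rule in the raw table; the helper then tracks and translates the GRE data channel by Call ID, which is what makes the GRE packets RELATED to the TCP/1723 connection. The addresses are placeholders.

```sh
#!/bin/sh
# Added example, not the answer's commands: VPS1 as a PPTP relay to VPS2 with
# current module names and an explicit helper binding. Since kernel 4.7 the
# conntrack helpers are not attached automatically (the nf_conntrack_helper
# sysctl that re-enabled this was removed in 6.0), so the control connection
# is bound to the pptp helper in the raw table; the helper then tracks and
# NATs the GRE data channel by Call ID. The addresses are placeholders.
set -u

VPS1_IP=198.51.100.1   # public address of the relay
VPS2_IP=203.0.113.2    # public address of the real PPTP server

# needed_modules: the ip_nat_pptp / ip_conntrack_pptp names in the answer are
# aliases of these.
needed_modules() { echo "nf_conntrack_pptp nf_nat_pptp"; }

# missing_modules <file holding lsmod output>: needed modules not loaded.
missing_modules() {
    for m in $(needed_modules); do
        awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$1" || echo "$m"
    done
}

# relay_rules: the complete rule set, one command per line.
relay_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t raw -A PREROUTING -d $VPS1_IP -p tcp --dport 1723 -j CT --helper pptp
iptables -A FORWARD -d $VPS2_IP -p tcp --dport 1723 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -d $VPS1_IP -p tcp --dport 1723 -j DNAT --to-destination $VPS2_IP
iptables -t nat -A POSTROUTING -d $VPS2_IP -p tcp --dport 1723 -j MASQUERADE
EOF
}

case "${1:-}" in
    check)
        tmp=$(mktemp); lsmod >"$tmp"
        miss=$(missing_modules "$tmp"); rm -f "$tmp"
        if [ -z "$miss" ]; then echo "modules loaded"; else echo "missing: $miss"; fi ;;
    apply)
        for m in $(needed_modules); do modprobe "$m"; done
        relay_rules | sh -e ;;
    *) ;;
esac
```

`./pptp-relay.sh check` reports which of the two modules is not loaded; `sudo ./pptp-relay.sh apply` loads them and installs the rules. Because the control connection is masqueraded, VPS2 sees every user as VPS1, so per-user logging has to happen on VPS1.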
