block a website using iptables (redirecting to an error page) - linux

Would it be technically possible to block a website with a specific iptables rule and at the same time return an error page to the user's browser?
iptables -t nat -A PREROUTING -s 192.168.1.19 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.20:80
thanks

If you totally block port 80 traffic from an IP address with iptables, your web server will never get any request from that client and thus be unable to serve an error page. So in short, no.
To achieve what you are asking, one solution would be to port forward to another port or host that serves only error pages. The iptables rules for doing that will be specific to your situation. But in doing so, the packets will still be traversing your network.
You may be better off asking this question over at ServerFault...

Related

Azure: How to set a default route without losing connectivity

Currently I have a Linux VM on Azure. I want to remove the default route (which is pointing to outside internet). However, if I do so I lose connectivity to the VM itself. How do I do this? I've looked into adding a load balancer to use inbound source NAT but it doesn't seem to work for me.
Thank you
So after looking heavily into Load Balancers and such, it seems I can't do this with any Azure resources. Here's my solution: I create a lightweight VM to act as a router, attach a public IP to it, and put it on the same private network as my main VM. The lightweight VM is Linux with iptables routing rules to forward RDP packets to my main VM (copied from another Stack Overflow thread):
iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination <WINDOWS SERVER IP>
iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
So users would connect to the IP of the routing VM, which would then forward to the main VM. Now you can delete the default routes in the main VM without getting disconnected.

Why i see DST="127.0.0.53" on -j REDIRECTed packets?

I am confused about a situation in my NATed network. I start dnsmasq on the router with listen-address=192.168.100.1 and the -p 5353 option for the DNS port. Afterwards, I add an iptables rule for hosts inside that network:
iptables -t nat -I PREROUTING -s 192.168.100.0/24 \
-d 192.168.100.1 -p udp --dport 53 -j REDIRECT --to-ports 5353
But this didn't work the first time, since my INPUT policy is DROP: when I add this rule, everything starts to work:
iptables -I INPUT -p udp --dport 53 -d 127.0.0.53 -j ACCEPT
I discovered this address with the help of -j LOG on my INPUT chain, where I saw packets dropped like SRC=127.0.0.1 DST=127.0.0.53 ... when a NATed host is trying to resolve a hostname.
As I am writing an automated script that generates correct netfilter rules for this situation, I need to know where this 127.0.0.53 could come from.
I see the same address in /etc/resolv.conf. But I don't understand who is routing this packet to this address when it is "redirected", if I am even close to understanding what happens.
systemd-resolved sets up a stub listener for DNS requests locally on 127.0.0.53:53.
Try disabling it to proceed: sudo systemctl disable systemd-resolved
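When a rule generator like the one described above hits an unexplained address, the quickest check is to reduce the LOG output to source/destination/port tuples and to look at what resolv.conf points to. The following script is an added example, not code from the question or the answer: it parses constructed sample LOG lines (real LOG format, invented values), reports which destinations are being dropped, and emits the INPUT rules the redirect setup needs, adding a loopback-only rule for the 127.0.0.53 stub instead of disabling systemd-resolved. The interface name and the resolv.conf path are parameters; the 192.168.100.0/24 network and port 5353 come from the question.

```shell
#!/bin/sh
# Added example, not from the original thread. Summarises iptables LOG output and
# checks whether resolv.conf names the systemd-resolved stub before rules are generated.

# Constructed sample of kernel LOG lines (format of the real LOG target, values invented).
SAMPLE_LOG='kernel: DNS-DROP: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.53 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40213 DPT=53 LEN=41
kernel: DNS-DROP: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.53 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40214 DPT=53 LEN=41
kernel: DNS-DROP: IN=eth1 OUT= SRC=192.168.100.7 DST=192.168.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=51000 DPT=5353 LEN=40'

# Reduce each LOG line on stdin to "src dst proto dport".
extract_tuple() {
  sed -n 's/.*SRC=\([^ ]*\).*DST=\([^ ]*\).*PROTO=\([^ ]*\).*DPT=\([0-9]*\).*/\1 \2 \3 \4/p'
}

# Aggregate identical tuples, most frequent first: "count src -> dst proto/dport".
drop_summary() {
  extract_tuple | sort | uniq -c | sort -rn | awk '{print $1, $2, "->", $3, $4 "/" $5}'
}

# Exit 0 when the given resolv.conf names the systemd-resolved stub listener.
stub_resolver_active() {
  grep -qs '^nameserver[[:space:]]*127\.0\.0\.53' "$1"
}

# Print the INPUT rules the redirect setup needs: LAN queries that were REDIRECTed
# to dnsmasq on 5353 and, only if the stub is in use, the stub on loopback.
# $1 is the LAN interface name, $2 the resolv.conf path (both assumptions).
dns_input_rules() {
  lan_if=$1; resolv=$2
  echo "iptables -A INPUT -i $lan_if -s 192.168.100.0/24 -p udp --dport 5353 -j ACCEPT"
  if stub_resolver_active "$resolv"; then
    # Limit the stub rule to lo so 127.0.0.53 is never admitted from a real interface.
    echo "iptables -A INPUT -i lo -d 127.0.0.53 -p udp --dport 53 -j ACCEPT"
  fi
}
```

Usage: pipe the relevant part of `journalctl -k` or `dmesg` into `drop_summary`, then run `dns_input_rules eth0 /etc/resolv.conf` and apply the printed rules. The loopback-only rule keeps the stub reachable for the router's own processes (the SRC=127.0.0.1 traffic in the log) without opening port 53 on the LAN side.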

In-kernel packet forwarding from one port to multiple ports

On a Linux-based system I need data incoming on a TCP port to be automatically redirected to 50 other local ports without going through user-space send/recv. Each port needs to receive a copy of all incoming traffic. All ports are local to the same machine.
I've discarded the splice syscall due to the limit of one endpoint being a file. I guess that iptables is the right tool for this purpose, but I can't figure out the right syntax for this purpose. It should be something similar to:
iptables -t nat -A PREROUTING -p tcp --dport <in_port> -j REDIRECT --to-ports <out_port1>-<out_port50>
I wonder e.g. if the option -m multiport is needed.

Iptables: Redirect to port 8080 and ACCEPT only one IP address

Background Info: I have rooted an android phone and installed droidwall to get access to iptables. The kernel version is 2.6.35.7-perf.
Objective: Test the efficiency of a proxy (on port 8080) from a comparison of the traffic flow with and without the proxy.
I am able to get a test without going through the proxy with the rules from here
Method: I have created a test website on a single IP address. I am using an application that monitors how many packets/bytes have been transmitted and received by the phone.
Problem: Due to unknown background traffic, unwanted packets are being sent and received.
Solution: Use iptables to only allow a connection to one website so I can properly monitor the traffic.
How would I go about this?
Try the following:
iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp -s 1.2.3.4 --dport 8080 -j ACCEPT
The first rule should redirect all traffic from 1.2.3.4 to port 8080, while the second states to accept such packets.
Now you should set the default policy for INPUT to DROP so that every other packet is discarded:
iptables -P INPUT DROP
Be careful. This is a very restrictive rule.
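For a measurement like the one in the question, the traffic that matters is the phone's own outgoing traffic, and locally generated packets traverse the OUTPUT chain (and nat OUTPUT), never PREROUTING. The script below is an added example, not the answer's code: it allowlists only HTTP/HTTPS to one site for the direct run, optionally pushes the browser's port-80 connections through a local proxy for the proxied run, and restores the host afterwards. The site address 203.0.113.10, proxy port 8080 and proxy uid 10050 are constructed placeholders; with DRY_RUN=1 (the default) the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not from the original answer. Limits a test host's own traffic to one
# website (plus a local proxy) so a packet/byte counter sees only the flow under test.
# Assumptions (constructed values): site at $SITE_IP, proxy on $PROXY_PORT running as
# uid $PROXY_UID; DRY_RUN=1 prints the rules instead of applying them.
SITE_IP=${SITE_IP:-203.0.113.10}
PROXY_PORT=${PROXY_PORT:-8080}
PROXY_UID=${PROXY_UID:-10050}
DRY_RUN=${DRY_RUN:-1}

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

# Baseline: nothing in or out except loopback, replies to allowed flows, and
# HTTP/HTTPS to the test site. Policies are set last so a failure mid-way does
# not leave the host with a DROP policy and no ACCEPT rules at all.
allowlist_site() {
  ipt -F INPUT
  ipt -F OUTPUT
  ipt -A INPUT  -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT
  ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A OUTPUT -d "$SITE_IP" -p tcp -m multiport --dports 80,443 -j ACCEPT
  ipt -P INPUT  DROP
  ipt -P OUTPUT DROP
}

# Proxied run: send the browser's port-80 connections to the site through the local
# proxy. The owner match keeps the proxy's own upstream connections out of the
# redirect; without it they would loop straight back into the proxy.
proxy_site() {
  ipt -t nat -A OUTPUT -d "$SITE_IP" -p tcp --dport 80 -m owner ! --uid-owner "$PROXY_UID" -j REDIRECT --to-ports "$PROXY_PORT"
}
unproxy_site() {
  ipt -t nat -D OUTPUT -d "$SITE_IP" -p tcp --dport 80 -m owner ! --uid-owner "$PROXY_UID" -j REDIRECT --to-ports "$PROXY_PORT"
}

# Put the phone back to normal once the measurement is done.
reset_filter() {
  ipt -P INPUT  ACCEPT
  ipt -P OUTPUT ACCEPT
  ipt -F INPUT
  ipt -F OUTPUT
  ipt -t nat -F OUTPUT
}
```

Run `allowlist_site` before the direct measurement, add `proxy_site` for the proxied one, and finish with `unproxy_site` and `reset_filter`. The redirected connections arrive at the proxy over loopback, which the `-i lo` rule admits even with the INPUT policy at DROP; HTTPS is left untouched because a port-80 REDIRECT cannot carry it.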

Iptables or something to redirect IP in gateway (GNU/Linux)

I'm writing a bash script to account for traffic on my network server:
WAN:eth1 -> GNU/Linux Server:eth0 -> Users
The GNU/Linux server uses squid, bind, QoS, mysql, lighttpd.
After an IP exceeds the established quota, a new QoS rule is applied for that IP (user); there is also a "flag" that decides when the IP counter is restored to zero.
Some IPs and subnets work without quotas, another group of IPs/subnets works with a new QoS after the quota is exceeded, and now I want to work with a third group with redirection after the quota is exceeded.
When an IP exceeds the established quota, all HTTP traffic must be redirected to a host (lighttpd running on GNU/Linux) and all other traffic generated by that IP must be dropped. On the web server there is a web page saying: "You exceeded your daily quota of traffic, please wait "x" hours or call your provider to purchase an extra navigation package", or something like that.
Is it possible using a chain, or how can I do that?
Most topics that I found on the Internet are related to blocking everything and creating a new chain to let traffic out to the Internet (which doesn't work for me). Others redirect only IP by IP, but how can I create something like a "chain", attach the IPs that must be redirected to it, and afterwards restore those IPs easily?
Thanks for the help and sorry for my poor English :S.
Are you looking for something like this?
iptables -t nat -A PREROUTING -s 192.168.100.66 -p tcp --dport 80 -j REDIRECT --to-ports 80
iptables -I INPUT 1 -i lo -s 192.168.100.66 -j ACCEPT
iptables -I INPUT 2 -i eth1 -d 192.168.100.66 -j DROP
This will redirect packets from 192.168.100.66 on port 80 to the local webserver on the loopback interface, allow that conversation, then reject all other packets being routed to 192.168.100.66 on the WAN interface.
To restore the connection back to normal you will want to delete those firewall entries:
iptables -t nat -D PREROUTING -s 192.168.100.66 -p tcp --dport 80 -j REDIRECT --to-ports 80
iptables -D INPUT -i lo -s 192.168.100.66 -j ACCEPT
iptables -D INPUT -i eth1 -d 192.168.100.66 -j DROP
Note that iptables itself (well, the xtables-addons extension set providing quota2) can already do the quota matching magic and you can (re)set the values through procfs, combined with REDIRECT as #resmon6 says:
-t nat -s user1addr -m quota2 --name user1 ! --quota 0 -j REDIRECT...
-t nat -s user2addr -m quota2 --name user2 ! --quota 0 -j REDIRECT...
The syntax is arguably a little odd right now (0 is the initial value only and is independent of the runtime quota test involving the negation !. Noticing this just now, a patch may make it in to unroll this confusing syntax in the future).
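The question asks for a chain that IPs can be attached to and later removed from, and the first question on this page asks for the same redirect-to-an-error-page behaviour with the page served by a different host (DNAT). The script below is an added example that serves both; it is not code from any post in this thread. It keeps per-client rules in two dedicated chains, one in the nat table for the HTTP redirect and one in the filter table for the drop, so quarantining and restoring an IP never touches the built-in chains. The LAN interface eth0, the error-page port 80 and the optional ERROR_HOST are assumptions; with DRY_RUN=1 (the default) the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not from the original thread. Gateway-side quarantine for clients over
# quota: HTTP goes to an error page, HTTPS is reset so browsers fail fast instead of
# hanging, everything else is logged and dropped. Assumed layout: LAN on $LAN_IF, error
# page on the gateway at $ERROR_PORT, or on another host when $ERROR_HOST is set (DNAT).
# DRY_RUN=1 (the default here) prints the rules instead of applying them.
LAN_IF=${LAN_IF:-eth0}
ERROR_PORT=${ERROR_PORT:-80}
ERROR_HOST=${ERROR_HOST:-}
DRY_RUN=${DRY_RUN:-1}

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

# Where port-80 traffic from a quarantined client is sent.
redirect_target() {
  if [ -n "$ERROR_HOST" ]; then
    echo "-j DNAT --to-destination $ERROR_HOST:$ERROR_PORT"
  else
    echo "-j REDIRECT --to-ports $ERROR_PORT"
  fi
}

# One-time setup: custom chains, jumped to from the built-ins exactly once. The FORWARD
# jump is inserted at position 1 so quarantined clients are matched before any general
# ACCEPT rule.
setup_chains() {
  ipt -t nat -N QUOTA_EXCEEDED_NAT
  ipt -N QUOTA_EXCEEDED
  ipt -t nat -A PREROUTING -i "$LAN_IF" -j QUOTA_EXCEEDED_NAT
  ipt -I FORWARD 1 -i "$LAN_IF" -j QUOTA_EXCEEDED
  if [ -z "$ERROR_HOST" ]; then
    # REDIRECTed packets terminate on the gateway itself, so INPUT must admit them.
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport "$ERROR_PORT" -j ACCEPT
  fi
}

# $1 is -A (add) or -D (delete); $2 is the client IP. Add and delete use identical
# rule specifications, which is what iptables -D requires.
apply_client_rules() {
  act=$1; ip=$2
  ipt -t nat "$act" QUOTA_EXCEEDED_NAT -s "$ip" -p tcp --dport 80 $(redirect_target)
  if [ -n "$ERROR_HOST" ]; then
    # DNAT case: the rewritten flow is forwarded, so it needs an explicit ACCEPT.
    ipt "$act" QUOTA_EXCEEDED -s "$ip" -d "$ERROR_HOST" -p tcp --dport "$ERROR_PORT" -j ACCEPT
  fi
  ipt "$act" QUOTA_EXCEEDED -s "$ip" -p tcp --dport 443 -j REJECT --reject-with tcp-reset
  ipt "$act" QUOTA_EXCEEDED -s "$ip" -j LOG --log-prefix "QUOTA-DROP: "
  ipt "$act" QUOTA_EXCEEDED -s "$ip" -j DROP
}

quarantine_ip() { apply_client_rules -A "$1"; }
restore_ip()    { apply_client_rules -D "$1"; }
# Reset everyone at once, e.g. when the daily counters roll over to zero.
restore_all()   { ipt -t nat -F QUOTA_EXCEEDED_NAT; ipt -F QUOTA_EXCEEDED; }

case "${1:-}" in
  setup)       setup_chains ;;
  quarantine)  quarantine_ip "$2" ;;
  restore)     restore_ip "$2" ;;
  restore-all) restore_all ;;
esac
```

Two caveats a deployment needs. Name resolution for a quarantined client still has to work for the browser to issue the HTTP request at all: clients that use the gateway's own bind reach it through INPUT, which the QUOTA_EXCEEDED chain does not touch, while clients pointed at an external resolver will see a DNS error rather than the page. In the DNAT case, if the error host sits on the same subnet as the client (as in the first question, 192.168.1.19 and 192.168.1.20), the host answers the client directly with its own source address and the client resets the connection; a POSTROUTING SNAT or MASQUERADE for that flow, or an error host on a different segment, avoids it.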
