Iptables: Redirect to port 8080 and ACCEPT only one IP address - linux

Background Info: I have rooted an android phone and installed droidwall to get access to iptables. The kernel version is 2.6.35.7-perf.
Objective: Test the efficiency of a proxy (on port 8080) from a comparison of the traffic flow with and without the proxy.
I am able to get a test without going through the proxy with the rules from here
Method: I have created a test website on a single IP address. I am using an application that monitors how many packets/bytes have been transmitted and received by the phone.
Problem: Due to unknown background traffic, unwanted packets are being sent and received.
Solution: Use iptables to only allow a connection to one website so I can properly monitor the traffic.
How would I go about this?

Try the following:
iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp -s 1.2.3.4 --dport 8080 -j ACCEPT
The first rule should redirect all traffic from 1.2.3.4 to port 8080, while the second states to accept such packets.
Now you should set the default policy for INPUT to DROP so that every other packet is discarded:
iptables -P INPUT DROP
Be careful. This is a very restrictive rule.
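An added example, not part of the question or the answer above, of a complete rule set for this kind of measurement on the phone itself. Two things are assumptions of mine, not facts from the thread: the test site is 203.0.113.10 and the proxy on 127.0.0.1:8080 runs as Linux UID 10050 (an Android app UID). Because the traffic under test is generated by the phone, the redirect is placed in the nat OUTPUT chain (locally generated packets never traverse PREROUTING), and the proxy's own upstream connection is excluded from the redirect with the owner match so it does not loop back into itself. Setting IPT=echo (or any function that prints its arguments) gives a dry run.

```shell
#!/bin/sh
# Added example (not from the original post): confine a rooted phone's own
# HTTP traffic to one test server and push it through a local proxy on 8080.
# Assumptions (not stated in the thread): the test site is 203.0.113.10, the
# proxy listens on 127.0.0.1:8080 and runs as Linux UID 10050 (an Android
# app UID); IPT may point at a dry-run command instead of iptables.
IPT=${IPT:-iptables}
SITE=${SITE:-203.0.113.10}
PROXY_PORT=${PROXY_PORT:-8080}
PROXY_UID=${PROXY_UID:-10050}

# isolate_rules -A installs the rules; isolate_rules -D removes them.
# Locally generated packets never traverse PREROUTING, so the redirect lives
# in the nat OUTPUT chain. The owner match keeps the proxy's own upstream
# connection out of the redirect; otherwise it would loop back to itself.
isolate_rules() {
    op=$1
    "$IPT" -t nat "$op" OUTPUT -p tcp -d "$SITE" --dport 80 \
        -m owner ! --uid-owner "$PROXY_UID" -j REDIRECT --to-ports "$PROXY_PORT"
    # After REDIRECT the app's packets go out over lo and come back in on lo.
    "$IPT" "$op" OUTPUT -o lo -j ACCEPT
    "$IPT" "$op" INPUT -i lo -j ACCEPT
    # Only the proxy's connection to the test site leaves the device, and
    # only replies to it are let back in. Nothing else (DNS included) passes,
    # so the test URL must use the IP address, not a hostname.
    "$IPT" "$op" OUTPUT -p tcp -d "$SITE" --dport 80 -j ACCEPT
    "$IPT" "$op" INPUT -p tcp -s "$SITE" --sport 80 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# set_policy DROP before the test, set_policy ACCEPT when restoring. The
# policy is changed separately so that a failed rule insertion never leaves
# the device with DROP policies and no ACCEPT rules in place.
set_policy() {
    "$IPT" -P INPUT "$1"
    "$IPT" -P OUTPUT "$1"
}

# Usage: sh isolate.sh start | stop   (needs root on the phone)
case "${1:-}" in
    start) isolate_rules -A && set_policy DROP ;;
    stop)  set_policy ACCEPT && isolate_rules -D ;;
esac
```

Run with `start` just before the measurement and `stop` right after; the stop order (policies back to ACCEPT first, then rule deletion) avoids a window in which the phone has DROP policies and no ACCEPT rules.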

Related

How to make correct iptable rule like browser port configuration

After searching the forums with no matching results, I am asking here.
I want to redirect every browser request with destination port 80 to another port (for example 8080). All on the localhost.
My workplace is Linux, and I want to use iptables rules and a Python code server.
The rule I used is:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8080
I also tried some other flags like specific ip source and server etc.
The server listening on port 8080 is:
#!/usr/bin/env python
import SimpleHTTPServer
import SocketServer

def redirect_factory():
    class RedirectServer(SimpleHTTPServer.SimpleHTTPRequestHandler):
        def do_GET(self):
            # answer every GET with a permanent redirect to a fixed Location
            self.send_response(301)
            self.send_header('Location', 'www.IdontCare.IdontKnow')
            self.end_headers()
    return RedirectServer

redirectServer = redirect_factory()
handler = SocketServer.TCPServer(('', 8080), redirectServer)
print("serving at port %s" % 8080)
handler.serve_forever()
The problem is that it works well when I configure my browser in the connection settings (without adding the iptables rules) like this:
But when I use the iptables rules it says that it has a broken pipe, and the browser request isn't received at all by the server. So if I write www.google.com in the URL bar of the browser, I can't see it in the self.path value.
EDIT:
Here is the iptables -t nat -nvL --line-numbers output:
The rule is working, but it does not do what I supposed.
I played a little with the rules, and if I put in one of the following rules I can see the CNAME in the self.headers value.
The rules are (I can choose just one of them):
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 80
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1
If I am not mistaken, both of them do the same thing.
What am I doing wrong?
And how do I make it work with iptables rules like the browser configuration?
Thanks!
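An added example, not from the question above, showing the difference that the handler behind the REDIRECT rule has to cope with. A browser configured with an explicit proxy sends the absolute URL in the request line, so the handler's path field carries the hostname; a connection that iptables transparently redirected is an ordinary origin-server request, whose request line holds only the path and whose hostname survives only in the Host header (or, at socket level, in SO_ORIGINAL_DST). The function below recovers the target URL from either form, so one handler works in both setups. Both request texts are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: what a server behind
# "REDIRECT --to-port 8080" receives versus what it receives when the
# browser is configured with an explicit proxy. Both requests are
# constructed here for the demonstration.

# Explicit proxy: the request line carries the absolute URL (absolute-form),
# which is why self.path shows the hostname in that setup.
EXPLICIT_REQ='GET http://www.google.com/search?q=x HTTP/1.1
Host: www.google.com
User-Agent: constructed
'
# Transparent redirect: an ordinary origin-server request (origin-form); the
# request line holds only the path and the hostname is in the Host header.
TRANSPARENT_REQ='GET /search?q=x HTTP/1.1
Host: www.google.com
User-Agent: constructed
'

CR=$(printf '\r')

# request_url: read one HTTP/1.x request from stdin and print the URL it
# targets, whichever of the two forms the client used. Returns 1 when the
# request line is unusable or origin-form arrives without a Host header.
request_url() {
    IFS= read -r line || return 1
    line=${line%"$CR"}                  # tolerate CRLF line endings
    method=${line%% *}
    rest=${line#* }
    target=${rest%% *}
    case "$method" in
        GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) ;;
        *) return 1 ;;
    esac
    host=
    while IFS= read -r hdr; do
        hdr=${hdr%"$CR"}
        [ -n "$hdr" ] || break          # blank line ends the header block
        case "$hdr" in
            [Hh][Oo][Ss][Tt]:*)
                host=$(printf '%s' "${hdr#*:}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//') ;;
        esac
    done
    case "$target" in
        http://*|https://*) printf '%s\n' "$target" ;;     # absolute-form
        /*) [ -n "$host" ] || return 1                    # origin-form
            printf 'http://%s%s\n' "$host" "$target" ;;
        *) return 1 ;;
    esac
}

# Run directly: show that both constructed requests resolve to the same URL.
printf '%s' "$EXPLICIT_REQ" | request_url
printf '%s' "$TRANSPARENT_REQ" | request_url
```

In the Python handler this is the difference between reading self.path alone and combining self.headers['Host'] with self.path when the path does not start with a scheme.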

Why i see DST="127.0.0.53" on -j REDIRECTed packets?

I am confused about the situation in my NATed network. I start dnsmasq on the router, with listen-address=192.168.100.1 and the -p 5353 option for the DNS port. Afterwards, I add an iptables rule for hosts inside that network:
iptables -t nat -I PREROUTING -s 192.168.100.0/24 \
-d 192.168.100.1 -p udp --dport 53 -j REDIRECT --to-ports 5353
But this didn't work the first time, since my INPUT policy is DROP: when I add this rule, everything starts to work:
iptables -I INPUT -p udp --dport 53 -d 127.0.0.53 -j ACCEPT
I discovered this address with the help of -j LOG on my INPUT chain, where I saw packets dropped like SRC=127.0.0.1 DST=127.0.0.53 ... when a NATed host is trying to resolve a hostname.
As I am writing an automated script that generates correct netfilter rules for the situation, I need to know where this 127.0.0.53 could come from.
I see the same address in /etc/resolv.conf. But I don't understand who is routing this packet to this address when it is "redirected", if I am even close to understanding what happens.
systemd-resolved sets up a stub listener for DNS requests locally on 127.0.0.53:53.
Try disabling it to proceed: sudo systemctl disable systemd-resolved
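An added example, not part of the question or the answer above, for the rule-generating script the question mentions: it turns the kind of LOG line that exposed the dropped packet into the ACCEPT rule admitting exactly that flow. The log line is constructed here in the kernel's LOG format with the values from the question (lo, 127.0.0.1 to 127.0.0.53, UDP port 53). As to where that packet comes from: dnsmasq on the router answers the redirected client query by forwarding it to the upstream nameserver from /etc/resolv.conf, which on this router is systemd-resolved's stub on 127.0.0.53, so the packet is the router talking to itself over lo and the INPUT DROP policy discards it. The second function prints the broad fix most hosts use instead of one rule per logged address.

```shell
#!/bin/sh
# Added example, not from the original post: derive an INPUT ACCEPT rule
# from a netfilter LOG line. The sample line is constructed here in the
# kernel's LOG format using the addresses from the question.
SAMPLE_LOG='[ 1234.567890] DROP-IN IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=UDP SPT=45678 DPT=53 LEN=40'

# accept_rule_from_log LINE: print an iptables command admitting exactly the
# logged flow (interface, protocol, addresses, destination port). Fails if
# the line lacks SRC, DST or PROTO; DPT is optional (ICMP has none).
accept_rule_from_log() {
    iface= src= dst= proto= dpt=
    set -f                      # keep tokens such as "[" from globbing
    for tok in $1; do
        case "$tok" in
            IN=*)    iface=${tok#IN=} ;;
            SRC=*)   src=${tok#SRC=} ;;
            DST=*)   dst=${tok#DST=} ;;
            PROTO=*) proto=$(printf '%s' "${tok#PROTO=}" | tr 'A-Z' 'a-z') ;;
            DPT=*)   dpt=${tok#DPT=} ;;
        esac
    done
    set +f
    [ -n "$src" ] && [ -n "$dst" ] && [ -n "$proto" ] || return 1
    rule="-I INPUT"
    [ -n "$iface" ] && rule="$rule -i $iface"
    rule="$rule -p $proto -s $src -d $dst"
    [ -n "$dpt" ] && rule="$rule --dport $dpt"
    printf 'iptables %s -j ACCEPT\n' "$rule"
}

# loopback_accept_rule: the broad fix most hosts want instead of one rule per
# logged loopback address; anything arriving on lo is the machine itself.
loopback_accept_rule() {
    printf 'iptables -I INPUT -i lo -j ACCEPT\n'
}

# Run directly: print the narrow rule for the given or the sample log line.
if [ -n "${1:-}" ]; then
    accept_rule_from_log "$1"
else
    accept_rule_from_log "$SAMPLE_LOG"
fi
```

Feed it the lines from the kernel log (`dmesg` or the LOG target's syslog output) one at a time; for the sample line it prints the same rule the question arrived at by hand, plus the interface and source address.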

In-kernel packet forwarding from one port to multiple ports

On a Linux-based system I need data incoming on a TCP port to be automatically redirected to 50 other local ports without going through user-space send/recv. Each port needs to receive a copy of all incoming traffic. All ports are local to the same machine.
I've discarded the splice syscall due to the limit of one endpoint being a file. I guess that iptables is the right tool for this purpose, but I can't figure out the right syntax for this purpose. It should be something similar to:
iptables -t nat -A PREROUTING -p tcp --dport <in_port> -j REDIRECT --to-ports <out_port1>-<out_port50>
I wonder e.g. if the option -m multiport is needed.

block a website using iptables (redirecting to an error page)

Would it be technically possible to block a website with a specific iptables rule and at the same time return an error page to the user's browser?
iptables -t nat -A PREROUTING -s 192.168.1.19 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.20:80
thanks
If you totally block port 80 traffic from an IP address with iptables, your web server will never get any request from that client and thus be unable to serve an error page. So in short, no.
To achieve what you are asking, one solution would be to port forward to another port or host that serves only error pages. The iptables rules for doing that will be specific to your situation. But in doing so, the packets will still be traversing your network.
You may be better off asking this question over at ServerFault...
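An added example, not from the question or the answer above, of the "forward to a host that serves only error pages" approach, with the one detail that usually makes it fail in practice: when the error-page host sits on the same LAN as the client (here both in 192.168.1.0/24), the DNATed connection must also be source-NATed, or the error host replies to the client directly and the client resets a connection it thinks it opened to the website. The values are assumptions of mine: client 192.168.1.19 as in the question, error host 192.168.1.20 as in the question's rule, the blocked site at 203.0.113.10, LAN interface eth0. The question's rule omits the destination match, which sends every HTTP connection of that client to the error host; the example adds it.

```shell
#!/bin/sh
# Added example, not from the original post: send one client's HTTP traffic
# for one site to a separate host that serves only an error page.
# Assumed values (not in the thread): client 192.168.1.19, blocked site
# 203.0.113.10, error-page host 192.168.1.20 on the LAN side (eth0).
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth0}
CLIENT=${CLIENT:-192.168.1.19}
SITE=${SITE:-203.0.113.10}
ERRHOST=${ERRHOST:-192.168.1.20}

# block_site_rules -A installs the rules; block_site_rules -D removes them.
block_site_rules() {
    op=$1
    # Rewrite the destination only for this client and this site. Without
    # "-d $SITE" every HTTP connection of the client would land on the
    # error host.
    "$IPT" -t nat "$op" PREROUTING -i "$LAN_IF" -s "$CLIENT" -d "$SITE" \
        -p tcp --dport 80 -j DNAT --to-destination "$ERRHOST:80"
    # Hairpin: client and error host share the LAN. Without source NAT the
    # error host answers the client directly, the client sees a SYN/ACK from
    # 192.168.1.20 for a connection it opened to 203.0.113.10 and resets it.
    # Masquerading makes the gateway the peer the error host replies to.
    "$IPT" -t nat "$op" POSTROUTING -o "$LAN_IF" -s "$CLIENT" -d "$ERRHOST" \
        -p tcp --dport 80 -j MASQUERADE
    # Let the rewritten flow through FORWARD (it matches post-DNAT values).
    "$IPT" "$op" FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$CLIENT" -d "$ERRHOST" \
        -p tcp --dport 80 -j ACCEPT
    # HTTPS cannot be answered with a page the browser will trust; a TCP
    # reset at least makes the browser fail fast instead of hanging.
    "$IPT" "$op" FORWARD -i "$LAN_IF" -s "$CLIENT" -d "$SITE" \
        -p tcp --dport 443 -j REJECT --reject-with tcp-reset
}

# Usage: sh blockpage.sh on | off   (run on the gateway as root)
case "${1:-}" in
    on)  block_site_rules -A ;;
    off) block_site_rules -D ;;
esac
```

Because the error host only ever sees the gateway's address as the client, its access log will not show who was blocked; log the DNAT rule on the gateway (a LOG rule before it) if that matters.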

Iptables or something to redirect IP in gateway (GNU/Linux)

I'm writing a bash script to account for traffic on my network server:
WAN:eth1 -> GNU/Linux Server:eth0 -> Users
The GNU/Linux server uses squid, bind, QoS, mysql, lighttpd.
After an IP exceeds the established quota, a new QoS rule is applied for that IP (user); there is also a "flag" to decide when the IP counter is restored to zero.
Some IPs and subnets work without quotas, another group of IPs/subnets works with the new QoS after the quota is exceeded, and now I want to work with a third group with redirection after the quota is exceeded.
When an IP exceeds the established quota, all HTTP traffic must be redirected to a host (lighttpd running on GNU/Linux) and all other traffic generated by that IP must be DROPped. On the web server there is a web page with: "You have exceeded your daily quota of traffic, please wait "x" hours or call your provider to purchase an extra navigation package" or something like that.
Is it possible using a chain, or how can I do that?
Most topics that I found on the Internet are related to blocking everything and creating a new chain to let traffic out to the Internet (that does not work for me). Others redirect only IP by IP, but how can I create something like a "chain" and attach the IPs that must be redirected to it, so that I can restore those IPs easily afterwards?
Thanks for the help and sorry for my poor English :S
Are you looking for something like this?
iptables -t nat -A PREROUTING -s 192.168.100.66 -p tcp --dport 80 -j REDIRECT --to-ports 80
iptables -I INPUT 1 -i lo -s 192.168.100.66 -j ACCEPT
iptables -I INPUT 2 -i eth1 -d 192.168.100.66 -j DROP
This will redirect packets from 192.168.100.66 on port 80 to the local webserver on the loopback interface, allow that conversation, then reject all other packets being routed to 192.168.100.66 on the WAN interface.
To restore the connection back to normal you will want to delete those firewall entries:
iptables -t nat -D PREROUTING -s 192.168.100.66 -p tcp --dport 80 -j REDIRECT --to-ports 80
iptables -D INPUT -i lo -s 192.168.100.66 -j ACCEPT
iptables -D INPUT -i eth1 -d 192.168.100.66 -j DROP
Note that iptables itself (well, the xtables-addons extension set providing quota2) can already do the quota matching magic and you can (re)set the values through procfs, combined with REDIRECT as #resmon6 says:
-t nat -s user1addr -m quota2 --name user1 ! --quota 0 -j REDIRECT...
-t nat -s user2addr -m quota2 --name user2 ! --quota 0 -j REDIRECT...
The syntax is arguably a little odd right now (0 is the initial value only and is independent from the runtime quota test involving the negation !. Noticing this just now; a patch may make it in to unroll this confusing syntax in the future).
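An added example, not from the thread above, of the per-IP "chain" the question asks for: two dedicated chains hooked from nat PREROUTING and FORWARD, so that putting a user over quota is two rules to add and restoring them is the same two rules to delete, and the daily reset is a flush. It assumes the topology described in the question (users on eth0, WAN on eth1, lighttpd on the gateway's port 80); traffic the gateway forwards for users traverses FORWARD rather than INPUT, so the drop lives there. The quota2 match from the reply above is an alternative to tracking the counters outside iptables; this example keeps the accounting in the poster's own script. As in the answer, only plain HTTP can be redirected to the notice page; HTTPS from an over-quota user is simply dropped.

```shell
#!/bin/sh
# Added example, not from the original thread: dedicated chains so that an
# over-quota IP is a single add and a single delete rather than a rewrite
# of PREROUTING/FORWARD. Assumed topology from the question: users on eth0,
# WAN on eth1, lighttpd listening on port 80 on the gateway.
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth0}
WEB_PORT=${WEB_PORT:-80}

# One-time setup: two chains, hooked from nat PREROUTING and from FORWARD.
# Forwarded user traffic traverses FORWARD, not INPUT, so the drop goes
# there; the redirected HTTP becomes local traffic and needs an INPUT rule
# when that chain's policy is DROP.
quota_init() {
    "$IPT" -t nat -N QUOTA_REDIRECT
    "$IPT" -t nat -I PREROUTING 1 -i "$LAN_IF" -j QUOTA_REDIRECT
    "$IPT" -N QUOTA_BLOCK
    "$IPT" -I FORWARD 1 -i "$LAN_IF" -j QUOTA_BLOCK
    # DNS keeps working for blocked users even with an external resolver;
    # without a name lookup the browser never sends the HTTP request that
    # would be redirected to the notice page.
    "$IPT" -A QUOTA_BLOCK -p udp --dport 53 -j RETURN
    "$IPT" -I INPUT 1 -i "$LAN_IF" -p tcp --dport "$WEB_PORT" -j ACCEPT
}

# quota_exceeded IP: HTTP to the local lighttpd, everything else dropped.
quota_exceeded() {
    "$IPT" -t nat -A QUOTA_REDIRECT -s "$1" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$WEB_PORT"
    "$IPT" -A QUOTA_BLOCK -s "$1" -j DROP
}

# quota_restored IP: delete exactly the two rules quota_exceeded added.
quota_restored() {
    "$IPT" -t nat -D QUOTA_REDIRECT -s "$1" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$WEB_PORT"
    "$IPT" -D QUOTA_BLOCK -s "$1" -j DROP
}

# quota_reset_all: daily counter reset; flush both chains, keep the DNS pass.
quota_reset_all() {
    "$IPT" -t nat -F QUOTA_REDIRECT
    "$IPT" -F QUOTA_BLOCK
    "$IPT" -A QUOTA_BLOCK -p udp --dport 53 -j RETURN
}

# Usage: sh quota.sh init | exceeded IP | restored IP | reset
case "${1:-}" in
    init)     quota_init ;;
    exceeded) quota_exceeded "$2" ;;
    restored) quota_restored "$2" ;;
    reset)    quota_reset_all ;;
esac
```

Listing who is currently over quota is then `iptables -nL QUOTA_BLOCK`, and the accounting script never has to know the position of its rules in the built-in chains.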
