Hi,
I have made a firewall which is basically MAC address based; all the known MAC addresses are marked with 1 and are working fine.
Now what I want to do is redirect all the unmarked MACs, i.e. all unknown MACs, to this address: "192.168.1.2:81"
I tried it by DNAT like this:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m mark ! --mark 1 -j DNAT --to-destination 192.168.1.2:81
same with UDP.
But it is not working. Please help me out.
IPTABLES - Redirection -
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
Re:
Dear mudasir,
I think you need to use Source NAT instead of Destination NAT.
P.S.: Correct me if I am wrong.
Best Regards.
Farrukh Ahmed
Re:
LinuxFreaK wrote: I think you need to use Source NAT instead of Destination NAT.
Wrong!
mudasir wrote:
I tried it by DNAT like this
iptables -t nat -A PREROUTING -i eth0 -p tcp -m mark ! --mark 1 -j DNAT --to-destination 192.168.1.2:81
You need to define the destination port as well, i.e. you want to redirect web browsing:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m mark ! --mark 1 --dport 80 -j DNAT --to-destination 192.168.1.2:81
Dear Kbukhari,
I have tried that rule also; it is also not working.
List of rules I have tried:
IPT=/sbin/iptables
Rule #1
$IPT -t nat -A PREROUTING -i eth0 -p tcp -d 0.0.0.0/0 --dport 80 -m mark ! --mark 1 -j DNAT --to-destination 192.168.1.2:81
Rule #2
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m mark ! --mark 1 -j DNAT --to-destination 192.168.1.2:81
Hope you understand the PROBLEM.
Looking forward for some help
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
Salam
I have changed my scenario a bit; now I want all the unmarked web traffic to be redirected to port 80 on the SAME MACHINE (i.e. 192.168.1.1:80).
eth0=Network interface connected to Local Network
eth1=Network interface connected to DSL Modem
IP_RANGE=192.168.1.1/24
SERVER_IP=192.168.1.1
Rule I am using to MARK packets:
iptables -t mangle -A PREROUTING -i eth0 -m mac --mac-source (LIST_OF_MAC_ADDRESSES) -j MARK --set-mark 1
Rule I am using to redirect all unmarked web traffic to 192.168.1.1:80:
iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 192.168.1.1/24 --dport 80 -m mark ! --mark 1 -j DNAT --to-destination 192.168.1.1:80
One more thing: when I type the address "192.168.1.1:80" without "http://", it does not open, but when I open it with http://192.168.1.1:80 or simply http://192.168.1.1 it opens fine.
Looking forward for some help.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
Salam to All,
Thanks for all your help, I have done it.
The way I have done it is as follows.
Redirected all unmarked packets to the SQUID proxy:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m mark ! --mark 1 -j REDIRECT --to-port 8080
SQUID configuration:
acl mac-address arp "/files/macs/mac.address"
acl all src 0.0.0.0/0.0.0.0
http_access allow mac-address
http_access deny all
deny_info http://192.168.1.2:81 all
This only redirects WEB TRAFFIC, not any other sort of traffic.
This works fine. Hope it might help others.
Still want to know how I can do it purely through IPTABLES.
Looking forward for a response
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
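The pure-iptables version the last post still asks about, written as an added shell example that is not from any poster in this thread: it prints the rules built from a MAC list file instead of running them, so it can be reviewed (and executed here) without root. The interface name, the firewall address and the 192.168.1.2:81 target come from the thread; the list-file format, the MAC validation, the SNAT step (needed because the DNAT target sits on the same LAN as the clients, so its replies would otherwise bypass the firewall) and the FORWARD rules are this example's own additions.

```shell
#!/bin/sh
# Added example (not from the thread): build the MAC-mark + redirect ruleset
# from a list file, printing the commands instead of running them (no root).
# Assumed list format: one MAC per line, blank lines and '#' comments allowed.
LAN_IF=eth0               # LAN-facing interface (from the thread)
SERVER_IP=192.168.1.1     # the firewall's own LAN address (from the thread)
PORTAL=192.168.1.2:81     # where unknown hosts' web requests go (from the thread)

# valid_mac MAC: succeed only for aa:bb:cc:dd:ee:ff style addresses, so a
# typo in the list cannot silently produce a rule that matches nothing.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_rules FILE: print the iptables commands for every valid MAC in FILE.
gen_rules() {
    known=0
    while IFS= read -r line || [ -n "$line" ]; do
        mac=$(printf '%s' "${line%%#*}" | tr -d ' \t')   # strip comment, spaces
        if [ -z "$mac" ]; then continue; fi
        if ! valid_mac "$mac"; then
            echo "# skipped malformed MAC: $mac"
            continue
        fi
        # Known hosts get mark 1 in mangle/PREROUTING, exactly as in the thread.
        echo "iptables -t mangle -A PREROUTING -i $LAN_IF -m mac --mac-source $mac -j MARK --set-mark 1"
        known=$((known + 1))
    done < "$1"
    echo "# $known known MAC(s) marked"
    # Unknown hosts: port-80 requests are DNATed to the portal (--dport matters).
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -m mark ! --mark 1 -j DNAT --to-destination $PORTAL"
    # The portal is on the same LAN as the clients, so its replies would go back
    # to the client directly with the wrong source and be rejected; SNAT these
    # flows to the firewall so the return path also crosses the firewall.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -d ${PORTAL%:*} --dport ${PORTAL#*:} -m mark ! --mark 1 -j SNAT --to-source $SERVER_IP"
    # FORWARD: allow replies, allow the redirected flows, drop the rest from
    # unknown hosts (traffic of marked hosts is left to the existing rules).
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -p tcp -d ${PORTAL%:*} --dport ${PORTAL#*:} -m mark ! --mark 1 -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -m mark ! --mark 1 -j DROP"
}

# Demo on a constructed list: two valid MACs, a comment line and one bad entry.
sample=$(mktemp)
printf '00:11:22:33:44:55\n# printer\naa:bb:cc:dd:ee:ff  # laptop\n00:zz:11:22:33:44\n' > "$sample"
gen_rules "$sample"
rm -f "$sample"
```

Pipe the output through `sh` (or save it as a script) only after reading it; the malformed-entry comments show which lines of the list need fixing before any rule is loaded.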