IPTABLES - Redirection -

Protecting your Linux box
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

IPTABLES - Redirection -

Post by mudasir »

Hi,

I have made a firewall which is basically MAC address based; now all the known MAC addresses are marked with 1 and are working fine.

Now what I want to do is to redirect all the unmarked MACs, or all unknown MACs, to this address "192.168.1.2:81".

I tried it by DNAT like this:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m mark ! --mark 1 -j DNAT --to-destination 192.168.1.2:81

same with UDP.

But it is not working. Please help me out.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Post by LinuxFreaK »

Dear mudasir,

I think you need to use Source NAT instead of Destination NAT.

P.S.: Correct me if I am wrong.

Best Regards.
Farrukh Ahmed
kbukhari
Major General
Posts: 1222
Joined: Sat Dec 31, 2005 12:29 am
Location: Lahore

Re:

Post by kbukhari »

LinuxFreaK wrote: I think you need to use Source NAT instead of Destination NAT.
Wrong!
mudasir wrote:
I tried it by DNAT like this:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m mark ! --mark 1 -j DNAT --to-destination 192.168.1.2:81
You need to define the destination port as well, i.e. you want to redirect web browsing.
iptables -t nat -A PREROUTING -i eth0 -p tcp -m mark ! --mark 1 --dport 80 -j DNAT --to-destination 192.168.1.2:81
--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com

Post by mudasir »

Dear Kbukhari,
I have tried that rule also; it is also not working.
List of rules I have tried:
IPT=/sbin/iptables

Rule #1
$IPT -t nat -A PREROUTING -i eth0 -p tcp -d 0.0.0.0/0 --dport 80 -m mark ! --mark 1 -j DNAT --to-destination 192.168.1.2:81

Rule #2
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m mark ! --mark 1 -j DNAT --to-destination 192.168.1.2:81
Hope you understand the PROBLEM.

Looking Forward for some help
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com

Post by kbukhari »

What is your in-interface, I mean where your clients are connected?
--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com

Post by mudasir »

Salam

I have changed my scenario a bit; now I want all the unmarked web traffic to be redirected to port 80 on the SAME MACHINE (i.e. 192.168.1.1:80).

eth0=Network interface connected to Local Network
eth1=Network interface connected to DSL Modem

IP_RANGE=192.168.1.1/24
SERVER_IP=192.168.1.1

Rule I am using to MARK packets:

iptables -t mangle -A PREROUTING -i eth0 -m mac --mac-source (LIST_OF_MAC_ADDRESSES) -j MARK --set-mark 1

Rule I am using to redirect all unmarked web traffic to 192.168.1.1:80:

iptables -t nat -A PREROUTING -i eth0 -p tcp ! -d 192.168.1.1/24 --dport 80 -m mark ! --mark 1 -j DNAT --to-destination 192.168.1.1:80

One more thing: when I type this address "192.168.1.1:80" without "http://", it does not open up, and when I open it with http://192.168.1.1:80 or simply http://192.168.1.1 it opens up fine.

Looking Forward For Some Help.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com

Post by mudasir »

Salam to All,

Thanks for all your help, I have done it.
The way I have done it is as follows.

Redirected all unmarked packets to the SQUID proxy:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m mark ! --mark 1 -j REDIRECT --to-port 8080

SQUID configuration:

acl mac-address arp "/files/macs/mac.address"
acl all src 0.0.0.0/0.0.0.0
http_access allow mac-address
http_access deny all
deny_info http://192.168.1.2:81 all

This only redirects web traffic, not any other sort of traffic.
This works fine. Hope it might help others.

Still want to know how I can do it purely through iptables.

Looking Forward For Response
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
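As an added example (not code from the thread or any of its posters), here is a pure-iptables version of what the last post still asks for: mark known MACs, DNAT unmarked HTTP to the portal host, and add the POSTROUTING rule that the thread's DNAT-only attempts lack, since a client and a portal on the same subnet need hairpin NAT for the replies to come back through the router. Interface, subnet and portal address come from the thread; the MAC list is a constructed sample, and the IPT dry-run variable, the function names and the FORWARD drop rule are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a pure-iptables version of the
# setup described above. IPT defaults to "echo iptables" so the script only
# prints the rules; run it as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
LAN_IF=eth0                # interface facing the LAN clients (as in the thread)
LAN_NET=192.168.1.0/24
PORTAL_IP=192.168.1.2      # host serving the page for unknown devices
PORTAL_PORT=81
# Constructed sample list; the thread reads the real list from a file.
KNOWN_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"

# Mark traffic from known MACs with 1 (mangle/PREROUTING). The mark follows
# the packet through nat and filter, which the later rules rely on. A source
# MAC is trivially spoofable, so this identifies a device, it does not
# authenticate it.
mark_known() {
    for mac in $KNOWN_MACS; do
        $IPT -t mangle -A PREROUTING -i "$LAN_IF" -m mac --mac-source "$mac" \
            -j MARK --set-mark 1
    done
}

# Unmarked HTTP leaving the LAN is DNATed to the portal. Client and portal
# share a subnet, so the portal's replies would go straight to the client and
# bypass the router's reverse NAT; the POSTROUTING MASQUERADE (hairpin NAT)
# forces them back through the router. A lone DNAT rule, as tried in the
# thread, creates connections whose replies never match.
redirect_unknown() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 ! -d "$LAN_NET" \
        -m mark ! --mark 1 -j DNAT --to-destination "$PORTAL_IP:$PORTAL_PORT"
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -d "$PORTAL_IP" \
        --dport "$PORTAL_PORT" -m mark ! --mark 1 -j MASQUERADE
}

# Everything else from unknown devices is dropped in FORWARD, after allowing
# the redirected portal connections. Forwarding needs net.ipv4.ip_forward=1.
filter_unknown() {
    $IPT -A FORWARD -i "$LAN_IF" -m mark ! --mark 1 -p tcp -d "$PORTAL_IP" \
        --dport "$PORTAL_PORT" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -m mark ! --mark 1 -j DROP
}

mark_known
redirect_unknown
filter_unknown
```

Rule order matters: the two FORWARD rules must sit before any broader ACCEPT for the LAN interface, or unknown devices keep full access for non-HTTP traffic.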