Results 1 to 4 of 4

Thread: Redirect certain traffic to another port using iptables?

  1. December 30th, 2016 #1
    joshuaa001
    joshuaa001 is offline First Cup of Ubuntu
    Join Date
    Aug 2016
    Beans
    3

    Redirect certain traffic to another port using iptables?

    Hello.

    I am running a web server and i have a list of ips that are currently being DROPPED in iptables. I would like to notify those IPs whenever they try to access my webserver, that they have been blocked.

    After speding the entire day googling around, i've found a solution to be like this:

    - create a virtual host in apache on different port (192.168.100.2:63) and put a warning-your-ip-has-been-blocked html page there
    - redirect traffic using iptables to that port.

    Now, i have found various variations of the iptables command, such as

    iptables -t nat -A PREROUTING -i eth0 -s ip.i.want.to.block -p tcp --dport 80 -j REDIRECT --to 63


     but i'm not sure if this is correctly used. moreover, my firewall ip list also contains ip ranges, how to redirect those as well?

    If someone could write an iptables example, i would be forever grateful

    Thank you and Happy New Year to everybody!
    Advanced reply Adv Reply  
  2. December 30th, 2016 #2
    TheFu's Avatar
    TheFu
    TheFu is offline <--- Run xman to see that window.
    Join Date
    Mar 2010
    Location
    Been there, meh.
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Redirect certain traffic to another port using iptables?

    Don't know off the top of my head how to do it with iptables.

    I use a reverse proxy for this. IP ranges (and other "bad clients") get a 403 error - denied. The reverse proxy, nginx, handles the error. I wouldn't want these "bad guys" having access to the same process running my different websites. I know this works:
    https://www.cyberciti.biz/faq/nginx-...nt-ip-address/

    Honestly, I'd just stay with your current DROP method. Don't waste any more bandwidth than necessary.
    Advanced reply Adv Reply  
  3. December 30th, 2016 #3
    The Cog's Avatar
    The Cog
    The Cog is offline Woof
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,751

    Re: Redirect certain traffic to another port using iptables?

    Use a separate line for each address/range, just as you do now with your DROP commands.
    Code:
    iptables -t nat -A PREROUTING -i eth0 -s 1.1.1.1 -p tcp --dport 80 -j REDIRECT --to 63
iptables -t nat -A PREROUTING -i eth0 -s 2.2.2.2 -p tcp --dport 80 -j REDIRECT --to 63
iptables -t nat -A PREROUTING -i eth0 -s 3.0.0.0/8 -p tcp --dport 80 -j REDIRECT --to 63
    I like the idea of using a really simple single-threaded static web page server for this, something that can't be abused to use up all your CPU or compromised by the bad guys.
    It may be worth looking at rate limiting the number of connections per second to this server (google iptables rate limit).
    Last edited by The Cog; December 30th, 2016 at 04:44 PM.
    Advanced reply Adv Reply  
  4. December 30th, 2016 #4
    TheFu's Avatar
    TheFu
    TheFu is offline <--- Run xman to see that window.
    Join Date
    Mar 2010
    Location
    Been there, meh.
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Redirect certain traffic to another port using iptables?

    With lots and lots of rules, use ipset instead. 10,000x faster.
    http://manpages.ubuntu.com/manpages/...8/ipset.8.html
    https://www.linuxjournal.com/content...urations-ipset
    Last edited by TheFu; December 30th, 2016 at 04:48 PM.
    Advanced reply Adv Reply  
« Previous Thread | Next Thread »

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Ubuntu Forums Code of Conduct