I have a linux box behaving like a router that handles two network interfaces: eth0 for internet and eth1 for LAN.
I set up iptables in order to redirect all the web traffic coming by the LAN into a local apache, listening on port 80 as well, using these rules:
sudo iptables -t mangle -N internet
sudo iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j internet
sudo iptables -t mangle -A internet -j MARK --set-mark 99
sudo iptables -t nat -A PREROUTING -i eth1 -p tcp -m mark --mark 99 -m tcp --dport 80 -j DNAT --to-destination $BOX_IP
Now I need to add an exception to this behaviour for some known mac addresses, in order to redirect their web traffic not to the apache but to a squid proxy, that's listening on port 3128.
I managed to just remove the redirection and let the web request go to the requested host appending this other rule:
sudo iptables -t mangle -I internet 1 -m mac --mac-source $MAC_ADDRESS -j RETURN
but what I want is that the web traffic is NATed to $BOX_IP:3128.
What's the best way to do that?
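One way to do this, as an added example that is not part of the question or of any answer on the page: give the known hosts their own mark in the existing mangle chain and DNAT on that mark alone. BOX_IP, LAN_IF, the 192.0.2.1 default and the MACs in the usage line are placeholders; DRY_RUN and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: send web traffic from a list of
# known MAC addresses to the local squid instead of the captive apache.
# BOX_IP and LAN_IF are placeholders to set for your own router; 192.0.2.1 is
# a documentation address used here only as a constructed default.
BOX_IP="${BOX_IP:-192.0.2.1}"
LAN_IF="${LAN_IF:-eth1}"
PROXY_MARK=98   # distinct from the 99 the existing "internet" chain sets
PROXY_PORT=3128

# With DRY_RUN=1 the rules are printed instead of applied, so the resulting
# rule set can be reviewed (or tested) without root or iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Arguments: one or more source MAC addresses that should use the proxy.
# The mangle chain "internet" is assumed to exist from the question's rules.
apply_proxy_redirect() {
    # Leave the chain before the existing "--set-mark 99" rule once PROXY_MARK
    # is set; inserted first so the per-MAC rules below land above it.
    ipt -t mangle -I internet 1 -m mark --mark "$PROXY_MARK" -j RETURN
    for mac in "$@"; do
        # -m mac matches the frame's source MAC, so it only identifies hosts
        # on the directly attached LAN segment, and a MAC can be changed by
        # the host: treat it as a policy selector, not as authentication.
        ipt -t mangle -I internet 1 -m mac --mac-source "$mac" \
            -j MARK --set-mark "$PROXY_MARK"
    done
    # Match on the mark only (the "internet" chain already filtered on
    # interface, protocol and port); -p tcp is required to give a port.
    ipt -t nat -I PREROUTING 1 -i "$LAN_IF" -p tcp -m mark --mark "$PROXY_MARK" \
        -j DNAT --to-destination "$BOX_IP:$PROXY_PORT"
}

# Usage: MACS="00:11:22:33:44:55 66:77:88:99:aa:bb" sh redirect.sh
if [ -n "${MACS:-}" ]; then
    # word-splitting of MACS is intentional: one argument per address
    apply_proxy_redirect $MACS
fi
```

Squid has to accept the redirected connections as intercepted traffic (`http_port 3128 intercept` in squid.conf); a plain forward-proxy port will refuse them.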
Why do you repeat all those filter criteria in the --mark 99 line? You mark a packet, that's it. If more criteria appear then you should change the marking but not check for more than the mark. BTW the chain name internet seems rather suboptimal to me.