<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: iptables evilness</title>
	<atom:link href="http://inodes.org/blog/2006/11/13/iptables-evilness/feed/" rel="self" type="application/rss+xml" />
	<link>http://inodes.org/blog/2006/11/13/iptables-evilness/</link>
	<description>Moo - Development, Trouble-shooting and Random thoughts...</description>
	<pubDate>Thu, 20 Nov 2008 21:11:36 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6</generator>
		<item>
		<title>By: Artem</title>
		<link>http://inodes.org/blog/2006/11/13/iptables-evilness/#comment-1913</link>
		<dc:creator>Artem</dc:creator>
		<pubDate>Mon, 29 Oct 2007 01:10:56 +0000</pubDate>
		<guid isPermaLink="false">http://inodes.org/blog/2006/11/13/iptables-evilness/#comment-1913</guid>
		<description>John,
You sound like somebody who understands iptables,
so I thought you could advise on the following.
I am running an iptables firewall for my home network and I know how to do all the normal things: forwarding external http requests to my internal webserver, etc. Yet I can't manage to do the following non-standard trick, which I planned as a joke. Here is what I need to happen: when my friend tries to use my internal host to reach his favorite website, I forward the IP to my own internal webserver and serve him my fake version of the page. Sounds like an easy thing for iptables - use the PREROUTING chain to forward the IP of the targeted website to the IP of my dedicated webserver on the inside. So far this did not work for me: internal hosts do lose the connection with the target website, but my internal webserver is not getting any requests and the browser request times out. Here is what I have added to my rc.firewall script:

$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp -d 18.4.15.73 --dport 80 -j DNAT --to-destination 192.168.8.3:80
$IPTABLES -A FORWARD -i eth1 -p tcp -d 192.168.8.3 --dport 80 -j ACCEPT

where eth1 connects to my internal LAN 192.168.8.0/24 and 18.4.15.73 is the web address that I need forwarded to my fake server. What am I missing?
Thanks.</description>
		<content:encoded><![CDATA[<p>John,<br />
You sound like somebody who understands iptables,<br />
so I thought you could advise on the following.<br />
I am running an iptables firewall for my home network and I know how to do all the normal things: forwarding external http requests to my internal webserver, etc. Yet I can&#8217;t manage to do the following non-standard trick, which I planned as a joke. Here is what I need to happen: when my friend tries to use my internal host to reach his favorite website, I forward the IP to my own internal webserver and serve him my fake version of the page. Sounds like an easy thing for iptables - use the PREROUTING chain to forward the IP of the targeted website to the IP of my dedicated webserver on the inside. So far this did not work for me: internal hosts do lose the connection with the target website, but my internal webserver is not getting any requests and the browser request times out. Here is what I have added to my rc.firewall script:</p>
<p>$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp -d 18.4.15.73 --dport 80 -j DNAT --to-destination 192.168.8.3:80<br />
$IPTABLES -A FORWARD -i eth1 -p tcp -d 192.168.8.3 --dport 80 -j ACCEPT</p>
<p>where eth1 connects to my internal LAN 192.168.8.0/24 and 18.4.15.73 is the web address that I need forwarded to my fake server. What am I missing?<br />
Thanks.</p>
]]></content:encoded>
	</item>
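The rule set from the comment above, together with the rule it is missing, as an added example that is not part of the original post or its comments. It reuses the names from the comment (eth1, 192.168.8.0/24, 192.168.8.3, 18.4.15.73) and assumes one value the comment does not give, 192.168.8.1 as the firewall's own LAN address; the function names hairpin_rules and has_hairpin_snat are inventions of this example. The failure mode it addresses is hairpin NAT: the client and the fake web server share a subnet, so after DNAT the server answers the client directly from 192.168.8.3 instead of via the firewall, and the client, which expected a reply from 18.4.15.73, never completes the handshake.

```shell
#!/bin/sh
# Added example, not code from the original post or its comments.
# Assumed names (from Artem's comment, except the router address):
#   eth1           LAN interface
#   192.168.8.0/24 LAN
#   192.168.8.3    internal web server holding the fake page
#   18.4.15.73     the target web site
#   192.168.8.1    the firewall's own LAN address (assumption)
LAN_IF=eth1
LAN_NET=192.168.8.0/24
FAKE_WEB=192.168.8.3
TARGET=18.4.15.73
ROUTER_LAN_IP=192.168.8.1

# Emit the rules on stdout rather than running them, so they can be
# reviewed first and then applied with:  hairpin_rules | sudo sh
hairpin_rules() {
    # 1. The two rules from the comment, unchanged: rewrite the destination
    #    of LAN clients' HTTP requests for the target site, and let the
    #    rewritten packets through FORWARD.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp -d $TARGET --dport 80 -j DNAT --to-destination $FAKE_WEB:80"
    echo "iptables -A FORWARD -i $LAN_IF -p tcp -d $FAKE_WEB --dport 80 -j ACCEPT"
    # 2. Replies to the hairpinned connection also traverse FORWARD (in on
    #    eth1, out on eth1); accept them by connection state so a DROP
    #    policy on FORWARD does not eat them.
    echo "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 3. The missing piece. Client and fake server sit on the same subnet, so
    #    after DNAT the server would answer the client directly with source
    #    $FAKE_WEB. The client expected a SYN-ACK from $TARGET, rejects the
    #    stray one and keeps retransmitting its SYN until the browser times
    #    out, which matches the symptom. SNAT to the firewall's own address
    #    makes the server reply to the firewall, whose conntrack entry then
    #    undoes both translations before forwarding the reply to the client.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $FAKE_WEB -p tcp --dport 80 -j SNAT --to-source $ROUTER_LAN_IP"
}

# Self-check: the generated set must contain the hairpin SNAT rule.
has_hairpin_snat() {
    hairpin_rules | grep -q -- '-t nat -A POSTROUTING .* -j SNAT'
}

hairpin_rules
```

Applying the rules needs root and a kernel with net.ipv4.ip_forward enabled, which the comment says is already the case. The side effect of the SNAT rule is that the fake web server's access log shows every hairpinned request as coming from 192.168.8.1 rather than from the real client; only the DNATed connections are affected, because direct LAN traffic to 192.168.8.3 never passes through the firewall at all.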
	<item>
		<title>By: Dan</title>
		<link>http://inodes.org/blog/2006/11/13/iptables-evilness/#comment-51</link>
		<dc:creator>Dan</dc:creator>
		<pubDate>Fri, 24 Nov 2006 02:15:29 +0000</pubDate>
		<guid isPermaLink="false">http://inodes.org/blog/2006/11/13/iptables-evilness/#comment-51</guid>
		<description>You are an evil, evil man.</description>
		<content:encoded><![CDATA[<p>You are an evil, evil man.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
