PREROUTING path-in-web-address problem, + delay


I have turned an old computer into a router using IPCOP.  I am also
trying to do some specialized functionality with the PC using iptables
commands.  I am trying to use iptables commands to initially block all
inside connections (eth0) to the internet (eth1), and redirect them to
an internal web page at which says BLOCKED!! and gives
other instructions.  Here are the commands I am using:

Drops all connections
iptables -A CUSTOMFORWARD -i eth0 -s 0/0 -o eth1 -j DROP
Redirects all to web page
iptables -A PREROUTING -t nat -p tcp -d 0/0 --dport 80 -j DNAT --to-

At various times, a script will selectively allow certain inside-
network ip addresses, such as to connect to the internet,
issuing the following commands:

Turns off redirect to our web page
iptables -I PREROUTING 1 -t nat -p tcp -s --dport 80 -j
Allows connection to web
iptables -I CUSTOMFORWARD 1 -i eth0 -s -o eth1 -j ACCEPT

If later, we want to again prohibit a particular address from
accessing the internet, the following are issued:

Block the connection
iptables -D CUSTOMFORWARD -i eth0 -o eth1 -s -j ACCEPT
Redirect back to web page
iptables -D PREROUTING -t nat -p tcp -s --dport 80 -j

These commands work correctly if the customer is accessing a web site
such as:  It forces the address in the browser window to

However, problems occur if there is a path in the web address, such as  It does not modify the web address and hence, our
internal web page is not found.  The /TRAVEL/ remains, /cgi-bin/
index.cgi is not appended, and the web browser says Not Found.

Is there a fix to the above iptables commands to get around this
problem, or are there different iptables commands altogether that can
accomplish the same result?

Another related problem with the above iptables commands is
there seems to be an approximate fifteen second delay from when the
PREROUTING commands are issued and when they take effect.  Is there a
way to refresh the PREROUTING table to speed up this transition?

Re: PREROUTING path-in-web-address problem, + delay


You don't understand what is going on there!

Iptables is working exactly as it should; it is getting your packets to your
website no matter where the user wanted to go.

Iptables does not alter the URL in any way.  What you now have to do is sort
out your webserver to return your 'Blocked' page whatever the calling URL
is. Apache can do this via config file, or just about anything can if you
make a custom 404 page to redirect the caller to the 'Blocked' page.
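As an added illustration of what this reply describes (this is not the poster's configuration; the vhost name, DocumentRoot, ScriptAlias path and log path are assumed), an Apache catch-all vhost that answers any Host header and any path, including the /TRAVEL/ case above, with the block CGI, so nothing at the iptables layer has to touch the URL:

```apache
# This must be the first (default) vhost on port 80: the DNAT delivers
# every port-80 connection here regardless of the Host header sent.
# Requires mod_rewrite and mod_headers to be loaded.
<VirtualHost *:80>
    # Assumed name for the internal block server.
    ServerName blocked.lan
    # Assumed path holding the block page's images/CSS.
    DocumentRoot /var/www/blocked
    # Assumed location of index.cgi.
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

    RewriteEngine On
    # Leave the block CGI and its static assets alone, otherwise the
    # catch-all below would also swallow the images/CSS the page loads.
    RewriteCond %{REQUEST_URI} !^/cgi-bin/index\.cgi
    RewriteCond %{REQUEST_URI} !^/blocked-static/
    # Everything else (any host, any path such as /TRAVEL/) is handled
    # by the block CGI internally; the browser keeps the URL it asked for,
    # so there is no dependence on the path being rewritten anywhere.
    RewriteRule ^ /cgi-bin/index.cgi [PT,L]

    # The reply goes out under the real site's hostname, so stop the
    # browser caching it; otherwise the block page can linger for that
    # site after the client has been allowed through.
    Header set Cache-Control "no-store"

    # Record which host and path the client actually requested; handy
    # for checking that the DNAT is catching what you expect.
    LogFormat "%h %t \"%{Host}i%U\" %>s" blocked
    CustomLog /var/log/apache2/blocked.log blocked
</VirtualHost>
```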


Re: PREROUTING path-in-web-address problem, + delay


This strikes me as not the right way to solve the problem - your
access control seems to be implemented across multiple network layers
for authentication / authorization / enforcement. Also you are
granting access by host rather than by user.

I'd be running squid on the box with a custom url rewriter and
transparent redirection.

