Hello,

Is it possible to add exceptions to a web redirection rule such as

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0.0.0.0/24 -p tcp --dport 80 -j DNAT --to 10.10.10.1

The idea is to redirect all traffic to a web login page and, once authenticated (by an external program), add an exception rule to avoid the web redirection.

What would be the way to set up the default redirect rule on Shorewall? And what is the iptables command to be called by the external authentication program?

Thanks for the info,
Jaime
Jaime Garcia wrote:
| Hello
|
| Is it possible to add exceptions to a web redirection rule such as
| iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0.0.0.0/24 -p tcp
| --dport 80 -j DNAT --to 10.10.10.1

Of course.

| The idea is to redirect all traffic to a web login page and, once
| authenticated (by an external program), add an exception rule to avoid the
| web redirection.
|
| What would be the way to set up the default redirect rule on Shorewall?

Let z1 be the zone where the clients are. Let z2 be the zone where the login server is. Let A be the IP address of the login server. Then in your rules file:

DNAT z1 z2:A tcp 80

| And what is the iptables command to be called by the external authentication
| program?

iptables -t nat -I z1_dnat -s <client ip> -j RETURN

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 08 September 2004 22:05, Jaime Garcia wrote:
| Thanks for the quick response!
|
| One last question: once the user disconnects,
| how can I undo the command
| iptables -t nat -I z1_dnat -s <client ip> -j RETURN
|
| Is there an iptables command that can do it?
| Or do I have to make the chain z1_dnat again when the client disconnects?

Same command, replacing "-I" with "-D".

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
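The two commands from Tom's replies, wrapped for the external authentication program as an added example (not code from the thread or from Shorewall): it validates the client address before it reaches iptables, uses `-C` (rule check, iptables 1.4.11 and later) so a repeated grant does not stack duplicate rules, and loops on revoke because `-D` removes only the first matching rule. The chain name `z1_dnat` comes from the reply; the `IPTABLES` and `CHAIN` variables are assumptions added here so the script can be pointed at a wrapper.

```shell
#!/bin/sh
# Helpers for the external authentication program around the z1_dnat chain
# named in Tom's reply. IPTABLES and CHAIN are assumptions added here so the
# script can be pointed at a wrapper; they are not part of the thread.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-z1_dnat}"

# Accept only a plain dotted-quad IPv4 address. The client address arrives from
# another program, so reject anything that could carry extra iptables arguments
# (for example "192.168.1.20 -j ACCEPT") into the rule.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Grant: skip the redirect for this client by inserting a RETURN at the top of
# the DNAT chain. The -C check (iptables 1.4.11+) makes repeated calls safe:
# a second -I would leave a duplicate that a single -D later would not remove.
portal_allow() {
    valid_ipv4 "$1" || { echo "refusing bad client address: $1" >&2; return 2; }
    "$IPTABLES" -t nat -C "$CHAIN" -s "$1" -j RETURN 2>/dev/null && return 0
    "$IPTABLES" -t nat -I "$CHAIN" -s "$1" -j RETURN
}

# Revoke on disconnect: the same rule with -D, looped because -D deletes only
# the first matching rule and any stray duplicate would keep the client open.
portal_revoke() {
    valid_ipv4 "$1" || { echo "refusing bad client address: $1" >&2; return 2; }
    while "$IPTABLES" -t nat -C "$CHAIN" -s "$1" -j RETURN 2>/dev/null; do
        "$IPTABLES" -t nat -D "$CHAIN" -s "$1" -j RETURN || return 1
    done
}

# Usage from the auth program (needs root): portal_allow 192.168.1.20
# on login, portal_revoke 192.168.1.20 on disconnect.
```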