# URL-redirection with iptables?

## NightDragon

Hello everybody!

Is it possible to redirect an HTTP destination to another one with iptables?

The reason why I want to do this is to redirect blocked MAC and IP addresses to an internal web server, where a site is hosted with info about why the MAC / IP is blocked.

But I don't want to redirect only to an IP... I want to redirect to a full address.

e.g.: iptables -I FORWARD -i eth0 -p tcp --dport 80 -m mac --mac-source 00:09:5B:93:29:F5 -j REDIRECT --to 10.0.1.7/blockedmac.htm

Any ideas how to solve this?

On the internal web server there are more sites hosted with virtual server settings... so I can't only redirect to the IP.

Greets,

Nighty

----------

## nielchiano

As the name implies: iptables is used to play around with IP packets, even with TCP streams, but that is as high as it goes.

If you need HTTP redirection you'll probably need some "higher" tool.

(I'm not sure about this, but I haven't seen a module that goes above layer 4, apart from some NAT modules like nat-ftp.)

Can't you just add the redirection in the web server itself? A bit like this:

```
<IfModule mod_rewrite.c>
        RewriteEngine   on
        # Anchor the address and escape the dots: unanchored "1.2.3.4" would
        # also match a client at 1.2.3.41, since "." matches any character
        RewriteCond     %{REMOTE_ADDR} ^1\.2\.3\.4$    [OR]
        RewriteCond     %{REMOTE_ADDR} ^1\.2\.3\.5$
        # An absolute URL as the target makes mod_rewrite send an external redirect
        RewriteRule     ^/.*     http://new.url.to/go/to.html      [L]
</IfModule>
```

----------

## NightDragon

Hm. Would be an option, yeah.

Hm... Wasn't there an iptables module which was/is able to handle the HTTP-Refer?

I mean that I've seen something like this somewhere..

But I'm not sure....

The big problem is that I have to handle the MAC source address instead of the IP address... because I don't want him to be able to bypass the rule.

So that's the reason why I want to use iptables.

----------

## think4urs11

You could try to reroute the MAC/IP to an alternative web server which only serves your special site 'that's why you have been blocked'.

shttpd can be configured in a way to always give out the same page, no matter which URL is accessed.

see https://forums.gentoo.org/viewtopic-p-3023795.html#3023795
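A worked version of the approach nielchiano and think4urs11 describe, added here as an example that is not code from the thread: iptables can only rewrite the IP and port, so the HTTP connections of a blocked MAC are DNATed to a dedicated block-page server, that MAC is confined to reaching nothing else, and the server answers every Host header and path with the same page (the catch-all idea behind the shttpd suggestion, written as an Apache vhost). The interface name, server address, vhost name and page path are constructed placeholders; the MAC in the usage comment is the one from the original question. Setting `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread. Rewrites a blocked MAC's HTTP
# connections to an internal block-page server and confines that MAC to it.
# Interface, server address, vhost name and page path are constructed placeholders.

IPT="${IPT:-iptables}"                    # IPT=echo prints the rules instead of applying them
LAN_IF="${LAN_IF:-eth0}"                  # interface the (W)LAN clients sit on
BLOCK_SERVER="${BLOCK_SERVER:-10.0.1.7}"  # dedicated block-page web server (constructed)

block_mac_http() {
    mac="$1"
    # nat/PREROUTING: rewrite the destination IP:port of this MAC's HTTP connections.
    # DNAT/REDIRECT are only valid in the nat table, not in FORWARD as in the original
    # question, and they cannot carry a path: the URL part has to come from the server.
    "$IPT" -t nat -I PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -m mac --mac-source "$mac" -j DNAT --to-destination "$BLOCK_SERVER:80"
    # filter/FORWARD (evaluated after the DNAT): drop everything from this MAC that is
    # not headed for the block server, so the only thing the client can reach is the page.
    "$IPT" -I FORWARD -i "$LAN_IF" -m mac --mac-source "$mac" ! -d "$BLOCK_SERVER" -j DROP
    # Inserted above the DROP: the browser must still resolve names through the upstream
    # resolver, otherwise it never sends the HTTP request that would be rewritten.
    "$IPT" -I FORWARD -i "$LAN_IF" -p udp --dport 53 -m mac --mac-source "$mac" -j ACCEPT
}

unblock_mac_http() {
    mac="$1"
    # Delete the same three rules (the arguments must match the inserts exactly).
    "$IPT" -D FORWARD -i "$LAN_IF" -p udp --dport 53 -m mac --mac-source "$mac" -j ACCEPT
    "$IPT" -D FORWARD -i "$LAN_IF" -m mac --mac-source "$mac" ! -d "$BLOCK_SERVER" -j DROP
    "$IPT" -t nat -D PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -m mac --mac-source "$mac" -j DNAT --to-destination "$BLOCK_SERVER:80"
}

# Apache vhost for the block server. The client still sends the Host header and path it
# originally asked for, so this must be the default vhost on the address and must answer
# every request with the block page (the same idea as the shttpd catch-all suggested above).
blockpage_vhost_conf() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName blockpage.invalid
    DocumentRoot /var/www/blockpage
    RewriteEngine on
    # Internal rewrite rather than an external redirect: no second request that would
    # have to pass the NAT rule again, and the page is shown for any URL.
    RewriteCond %{REQUEST_URI} !^/blockedmac\.htm$
    RewriteRule ^ /blockedmac.htm [L]
</VirtualHost>
EOF
}

# Usage on the gateway (as root):  sh blockpage.sh block 00:09:5B:93:29:F5
# Dry run:                         IPT=echo sh blockpage.sh block 00:09:5B:93:29:F5
case "${1:-}" in
    block)   block_mac_http "$2" ;;
    unblock) unblock_mac_http "$2" ;;
    vhost)   blockpage_vhost_conf ;;
esac
```

Two things to keep in mind when running this: the block page only appears for plain HTTP on port 80, since HTTPS connections from the blocked MAC hit the DROP rule and the browser just shows a connection error; and, as the rest of the thread points out, a rule keyed on `--mac-source` is only as strong as the client's MAC being hard to change, so the FORWARD rules should be inserted ahead of any general ACCEPT and reviewed together with whatever MAC filtering the access point does.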

----------

## nielchiano

*NightDragon wrote:*

> The big problem is that I have to handle the MAC source address instead of the IP address... because I don't want him to be able to bypass the rule.
> 
> So that's the reason why I want to use iptables.

Hahahaaaaa....   :Very Happy:   :Very Happy:   :Laughing:   :Laughing:

sorry   :Embarassed:

You know how easy it is to change your MAC?

----------

## NightDragon

Yeah I know *g* (because I do it myself on my router).

But then the guy gets another problem: only some specified MACs have access to the WLAN *g*.

So if he changes his IP, he can't connect to the AP anymore.

And... it's not so easy to change a MAC as an IP. (Yeah, under Linux it is the same, but not under Windows.)

Nothing is secure...

----------