[plug] Prevent Gateway from redirecting

Timothy White weirdit at gmail.com
Fri Dec 29 15:25:12 WST 2006


The problem with that is I want the redirect for most things, just
not anything to port 80 or 445, for example. I do need the redirects
for things like VoIP etc.

I'm starting to think the easiest way is iptables on each client
machine that needs the redirect. It 'is' a special case so that might
be easiest.

Tim

On 12/29/06, Adrian Chadd <adrian at creative.net.au> wrote:
> Just disable ICMP redirects:
> adrian at skywalker:~$ find /proc/sys | grep send_redir
> /proc/sys/net/ipv4/conf/eth0/send_redirects
> /proc/sys/net/ipv4/conf/lo/send_redirects
> /proc/sys/net/ipv4/conf/default/send_redirects
> /proc/sys/net/ipv4/conf/all/send_redirects
>
> Set em to 0.
>
>
>
> Adrian
>
>
> On Fri, Dec 29, 2006, Timothy White wrote:
> > I'm running a Linux gateway with squid, and some other fun stuff on
> > it. I noticed today, when I was trying to add a special iptables
> > redirect rule, that packets didn't seem to be going through the
> > gateway. After investigation, I discovered that some addresses are
> > sent via the gateway, others directly to the modem (seeing as the
> > modem is on the same subnet).
> > The reason is an ICMP Redirect being sent, because obviously it's
> > shorter for packets to go directly out the ADSL modem than via the
> > gateway! Problem is, I want to be able to force most traffic through
> > the Linux box!
> >
> > Pinging a host soon shows the following:
> > Redirect Host(New nexthop: router.white.lan (192.168.0.10))
> >
> > The Linux box is 192.168.0.1 and the gateway is obviously
> > 192.168.0.10. The reason for them being on the same subnet is so I
> > can easily log in to the modem without having to change the subnet of
> > my computers to match it.
> > I wish for all web traffic (port 80) to go through the gateway,
> > because I have a transparent proxy on it. It all works, until the
> > gateway realises that for a particular host it's quicker to send
> > things via 192.168.0.10.
> > I get a feeling that the iptables rule for transproxy means that
> > normal web traffic never gets told to go via 192.168.0.10:
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
> >
> > But today I was trying to get a certain port on the server (446) to be
> > redirected to 443 on the server, which is running stunnel:
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 446 -j REDIRECT --to-port 443
> > I have a single application here that is non-SSL-enabled, and it
> > appeared this was the easiest way to make it work. It only ever has to
> > connect to one host, but I need to be able to connect to that host
> > normally as well. I /can/ put a hosts entry in that will send all
> > traffic to the gateway for that single host, but then my other
> > applications (namely those that are SSL aware) can't access that host,
> > as it now tries to access it via STUNNEL and starts getting stuffed
> > up. After adding appropriate iptables rules that should have worked,
> > and it still not working, even with LOG rules, I discovered that for
> > that host, it was skipping the gateway. I don't really want to have
> > iptables rules on my client computers, and don't want to move the
> > modem to another subnet.
> > Surely there is a way to prevent Linux from sending ICMP Redirects for
> > certain hosts? And also a way to clear those redirects from my local
> > routing table?
> >
> > Thanks
> >
> > Tim
> > --
> > Linux Counter user #273956
> > Don't email joeblogs at scouts.org.au
> > _______________________________________________
> > PLUG discussion list: plug at plug.org.au
> > http://www.plug.org.au/mailman/listinfo/plug
> > Committee e-mail: committee at plug.linux.org.au
>
> --
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
> - $25/pm entry-level bandwidth-capped VPSes available in WA -


-- 
Linux Counter user #273956
Don't email joeblogs at scouts.org.au
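Since nobody in the thread showed the actual change, here is an added example (mine, not from Tim or Adrian) that sets every send_redirects key to 0 on the gateway, as Adrian suggests, and checks that none was missed. The make_fake_sysctl helper and the scratch tree it builds are constructed so the logic can be dry-run without root; on the gateway the same functions are pointed at /proc/sys.

```shell
# Added example (not code from the thread): apply Adrian's advice on the gateway
# and verify it. The kernel sends redirects out an interface when EITHER
# conf/all OR conf/<iface>/send_redirects is 1, so every key must be 0. Functions
# take the sysctl root (default /proc/sys); a scratch dir runs unprivileged.

# Write 0 into every net/ipv4/conf/*/send_redirects key under the given root.
disable_send_redirects() {
    root="${1:-/proc/sys}"
    for f in "$root"/net/ipv4/conf/*/send_redirects; do
        [ -f "$f" ] || continue
        printf '0\n' > "$f"
    done
}

# Return 0 only when no interface can still send redirects; name offenders on stderr.
check_send_redirects() {
    root="${1:-/proc/sys}"
    rc=0
    for f in "$root"/net/ipv4/conf/*/send_redirects; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "send_redirects still enabled: $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed scratch tree with the four keys from Adrian's find output, each at
# the kernel default of 1 (assumption: that is the gateway's starting state).
make_fake_sysctl() {
    for i in eth0 lo default all; do
        mkdir -p "$1/net/ipv4/conf/$i"
        printf '1\n' > "$1/net/ipv4/conf/$i/send_redirects"
    done
}

# Unprivileged walk-through on the scratch tree. On the real gateway run, as
# root, `disable_send_redirects /proc/sys` and persist the keys in /etc/sysctl.conf.
demo() {
    tmp="$(mktemp -d)"
    make_fake_sysctl "$tmp"
    check_send_redirects "$tmp" 2>/dev/null || echo "before: redirects still on"
    disable_send_redirects "$tmp"
    check_send_redirects "$tmp" && echo "after: redirects off on every interface"
    rm -rf "$tmp"
}

demo
```

For the second half of Tim's question, a redirect a client has already accepted is dropped with `ip route flush cache` (iproute2), which the thread itself does not cover.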