I have a Linux server, and a script verifies the database every day and adds a redirect rule in iptables for every client. The problem is that if a client is already redirected, it still adds the rule, because iptables allows that, and when I want to take out the redirect, I have to give the command once for every time it was added.
As I see it, there are some ways to get around this:
1. add another boolean field to the DB, and verify whether the client already has a redirect (I want to avoid this)
2. before the script tries to add the rule, delete it first, so it can be added again and again and in any case there will be only one redirect rule per client.
The command executed by the PHP script, which runs every day, is
echo exec("/usr/bin/sudo /sbin/iptables -t nat -A PREROUTING -s $ip -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:81");
for every client. It redirects every client, every day, to a page on my server, which also executes the command for deleting this rule after they've seen it. My goal is to display a message page to every client, once per day/week/month/whenever I want, and then they can click the button "Continue to requested page".
I'm with numnull on this -- what I do is, once the iptables script is ready to apply, I run it through `uniq` to get rid of duplicates. Later, if I am appending a rule let's say (I'll give this advice with your scenario in context) I would dump iptables-save to a file, and either grep/awk the file to see if the new rule already exists, OR you could add the new rule to the iptables-save script, run it through `uniq` and re-institute the whole script with iptables-restore.
PS - I should have added that, to make sure the script gets back into its proper order, I use cat -n to number the lines first, then uniq it ignoring the first field (the line number), then re-sort it back to its numerical line number, then use cut to remove the line numbers, and THEN it's ready to use again.
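The order-preserving dedup pipeline described in this reply, together with an idempotent add and a loop that removes every copy of a rule, as an added shell example that is not from the original thread. The iptables-save excerpt is constructed, and the iptables helpers assume a host whose iptables supports the -C check and the same sudo setup as the original script.

```shell
#!/bin/sh
# Constructed iptables-save excerpt: the 10.0.0.5 rule was appended on two days.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 10.0.0.5/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:81
-A PREROUTING -s 10.0.0.7/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:81
-A PREROUTING -s 10.0.0.5/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:81
COMMIT'

# Drop duplicate rules from an iptables-save dump on stdin while keeping order:
# number the lines, sort by rule text so duplicates become adjacent, keep the
# lowest-numbered copy (uniq ignores the number field), restore numeric order,
# then cut the numbers off again.
dedup_rules() {
    cat -n | sort -k2 | uniq -f1 | sort -n | cut -f2-
}

# Run the pipeline over the constructed sample.
dedup_sample() {
    printf '%s\n' "$SAMPLE_RULES" | dedup_rules
}

# Idempotent append: only add the per-client DNAT rule when -C reports it absent.
# Assumes iptables >= 1.4.11 (which introduced -C) and the sudo setup from the thread.
add_redirect_once() {
    ip="$1"
    sudo /sbin/iptables -t nat -C PREROUTING -s "$ip" -p tcp --dport 80 \
        -j DNAT --to-destination 192.168.0.1:81 2>/dev/null ||
    sudo /sbin/iptables -t nat -A PREROUTING -s "$ip" -p tcp --dport 80 \
        -j DNAT --to-destination 192.168.0.1:81
}

# Remove every copy of the rule, not just one, so older duplicates are cleaned up too.
remove_redirect_all() {
    ip="$1"
    while sudo /sbin/iptables -t nat -C PREROUTING -s "$ip" -p tcp --dport 80 \
            -j DNAT --to-destination 192.168.0.1:81 2>/dev/null; do
        sudo /sbin/iptables -t nat -D PREROUTING -s "$ip" -p tcp --dport 80 \
            -j DNAT --to-destination 192.168.0.1:81
    done
}

# Demo: print the deduplicated dump (no root needed; the iptables helpers are only defined).
dedup_sample
```

The same pipeline can be fed from `iptables-save` and its output handed to `iptables-restore`, as the reply above describes.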
Looks like you want to make some kind of dynamic filter of incoming connections.
Have you tried to find any other ways besides "iptables"? Maybe some proxy can do it much better.
Iptables can do it, but maybe there are many other solutions that are better and more appropriate for this purpose?
I am not trying to make a filter. All I want is to redirect my clients, once a day (or week, or month, etc.) to a page that displays a message.
It just redirects all the client's HTTP traffic to my Apache virtual server on port 81. I.e., if a client wants to access www.google.com they will be redirected to my page, which, on entry, executes the command for deleting the iptables redirect rule. There is a button "Continue to requested page" which takes them to www.google.com. That's my idea. It's a "Message of the day" system, if you want.
If it is something like motd, that means all the users will be redirected to the same webpage, I suppose. In that case, why do you want to use the individual IP of each visitor? I mean, why can't you just use a blanket redirect, such as the same rule without the "-s $ip" part? Would that serve your purpose?
Secondly, to add that rule only if it doesn't exist, you can probably call a custom chain as the last rule in your PREROUTING chain, flush the custom chain, and add the rule(s) you want every time.