LinuxQuestions.org
Old 12-20-2009, 10:44 AM   #1
Legolas891
LQ Newbie
 
Registered: Apr 2009
Posts: 22

Rep: Reputation: 15
Iptables redirect - No duplicate rules


Hi all,

I have a Linux server and a script is verifying the database every day and adds a redirect rule in iptables for every client. The problem is that if a client is already redirected, it still adds the rule, because iptables allows that, and when I want to take out the redirect, I have to give the command for every time it was added.

How I see it, there are some ways of bypassing this:
1. add another boolean field to the db, and verify if the client already has a redirect. (I want to avoid this)
2. before the script tries to add the rule, delete it first, so it can be added again and again, and in any case there will be only one redirect rule per client.

Is there any other way of doing this?

P.S. Sorry if I have bad English
 
Old 12-20-2009, 11:28 AM   #2
tuxg
LQ Newbie
 
Registered: Dec 2009
Location: Vijayawada
Distribution: Red Hat, Solaris and so on...
Posts: 7

Rep: Reputation: 0
Hi,

What do you mean by a redirect?
Pls explain with the help of an example rule as to what you are trying to do so that someone here can help.

Cheers,
tuxg
 
Old 12-20-2009, 11:39 AM   #3
Legolas891
LQ Newbie
 
Registered: Apr 2009
Posts: 22

Original Poster
Rep: Reputation: 15
Gladly.

The command executed by the PHP script, which runs every day, is
echo exec("/usr/bin/sudo /sbin/iptables -t nat -A PREROUTING -s $ip -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:81");
for every client. It redirects every client, every day, to a page on my server, which also executes the command for deleting this rule after they've seen it. My goal is to display a message page to every client, once per day/week/month/whenever I want, and then they can click the button "Continue to requested page".
 
Old 12-20-2009, 11:44 AM   #4
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
The only way I see is to keep a copy of the "iptables-save" output somewhere and check for duplicated rules.
Or to check the script itself.
 
Old 12-20-2009, 03:31 PM   #5
Legolas891
LQ Newbie
 
Registered: Apr 2009
Posts: 22

Original Poster
Rep: Reputation: 15
Any ideas, anyone...
 
Old 12-20-2009, 03:36 PM   #6
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 556
I'm with nimnull on this -- what I do is, once the iptables script is ready to apply, I run it through `uniq` to get rid of duplicates. Later, if I am appending a rule, let's say (I'll give this advice with your scenario in context), I would dump iptables-save to a file, and either grep/awk the file to see if the new rule already exists, OR you could add the new rule to the iptables-save script, run it through `uniq` and re-institute the whole script with iptables-restore.

Sasha
 
Old 12-20-2009, 03:44 PM   #7
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 556
PS - I should have added that, to make sure the script gets back into its proper order, I use cat -n to number the lines first, then uniq it ignoring the first field (the line number), then re-sort it back to its numerical line number, then use cut to remove the line numbers, and THEN it's ready to use again.

Sasha
 
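An added example (not code from the thread) of the iptables-save and de-duplicate approach described in posts #6 and #7 above, as a shell script: it drops duplicate "-A" rule lines from a dump while keeping their first-occurrence order, and checks whether a rule is already present before it would be appended. The sample dump and the 192.0.2.x client addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): de-duplicate rule lines in an
# iptables-save dump while keeping their order, and test whether a
# given rule is already present before appending it.

# Only "-A ..." rule lines are de-duplicated. Table headers (*nat),
# chain declarations and COMMIT legitimately repeat across tables, so a
# plain uniq / sort -u over the whole dump would damage it. The first
# occurrence wins, which is what keeps the original rule order.
dedupe_rules() {
    awk '/^-A / { if (seen[$0]++) next } { print }'
}

# Exit 0 if the exact rule line ($1, as printed by iptables-save) is
# present in the dump read from stdin.
rule_exists() {
    grep -Fxq -- "$1"
}

# Constructed sample dump: one client's DNAT appended three times (what
# the daily script in the thread produces) plus a second client.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 192.0.2.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:81
-A PREROUTING -s 192.0.2.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:81
-A PREROUTING -s 192.0.2.11/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:81
-A PREROUTING -s 192.0.2.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:81
COMMIT
*filter
:INPUT ACCEPT [0:0]
COMMIT'

# Helpers for checking the result on the sample.
count_rules() { printf '%s\n' "$SAMPLE_DUMP" | dedupe_rules | grep -c '^-A '; }
count_commits() { printf '%s\n' "$SAMPLE_DUMP" | dedupe_rules | grep -c '^COMMIT$'; }
rule_order() {
    printf '%s\n' "$SAMPLE_DUMP" | dedupe_rules |
        awk '/^-A / { out = out (out ? " " : "") $4 } END { print out }'
}

# Typical use on a live box (not run here):
#   iptables-save | dedupe_rules | iptables-restore
```

Scoping the de-duplication to "-A" lines is the part a plain `uniq` over the whole dump gets wrong: the two COMMIT lines must survive or the restore fails.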
Old 12-20-2009, 03:47 PM   #8
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Looks like you want to make some kind of dynamic filter of incoming connections.

Have you tried to find any other way besides "iptables"? Maybe some proxy can do it much better.
Iptables can do it, but maybe there are many other better and more appropriate solutions for this purpose?
 
Old 12-20-2009, 04:33 PM   #9
Legolas891
LQ Newbie
 
Registered: Apr 2009
Posts: 22

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by nimnull22
Looks like you want to make some kind of dynamic filter of incoming connections.

Have you tried to find any other way besides "iptables"? Maybe some proxy can do it much better.
Iptables can do it, but maybe there are many other better and more appropriate solutions for this purpose?
I am not trying to make a filter. All I want is to redirect my clients, once a day (or week, or month, etc.) to a page that displays a message.
It just redirects all the client's http traffic to my apache virtual server on port 81. i.e. - if a client wants to access www.google.com they will be redirected to my page, which, on entering, executes the command for deleting the iptables redirect rule. There is a button "Continue to requested page" which takes him to www.google.com. That's my idea. It's a "Message of the day" system, if you want.
 
Old 12-25-2009, 10:37 AM   #10
tuxg
LQ Newbie
 
Registered: Dec 2009
Location: Vijayawada
Distribution: Red Hat, Solaris and so on...
Posts: 7

Rep: Reputation: 0
Hi,

If it is something like motd, that means all the users will be redirected to the same webpage, I suppose. In that case, why do you want to use the individual IP of each visitor? I mean, why can't you just use a blanket redirect such as the same rule without the "-s $ip" part? Would that serve your purpose?

Secondly, to add that rule only if it doesn't exist, you can probably call a custom chain as the last rule in your PREROUTING chain, flush the custom chain, and add the rule(s) you want every time.

HTH,
tuxg
 
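An added example (not code from the thread) of the custom-chain approach suggested in post #10 above, as a shell script: all per-client redirects live in one user-defined nat chain that the daily job rebuilds from the client list in a single iptables-restore, so a client can never end up with two rules. The chain name MOTD_REDIRECT, the portal address 192.168.0.1:81 and the client IPs are assumptions, and the `iptables` calls in `ensure_jump` are shown but not run here.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild one dedicated nat chain
# from the client list on every run instead of appending to PREROUTING.
# Chain name and portal address are assumptions, not from the thread.

CHAIN=MOTD_REDIRECT
PORTAL=192.168.0.1:81

# Emit a nat-table fragment for iptables-restore. Declaring the chain
# (":NAME - [0:0]") makes iptables-restore --noflush create it if missing
# or flush it if it exists, so the rules that follow replace the old set
# atomically. Input: client IPs, one per line, on stdin. Blank lines are
# skipped and a client listed twice still gets exactly one rule.
motd_fragment() {
    printf '*nat\n:%s - [0:0]\n' "$CHAIN"
    awk -v chain="$CHAIN" -v portal="$PORTAL" '
        NF == 0 { next }
        !seen[$1]++ {
            printf "-A %s -s %s -p tcp --dport 80 -j DNAT --to-destination %s\n",
                   chain, $1, portal
        }'
    printf 'COMMIT\n'
}

# Number of redirect rules the fragment built from stdin contains.
fragment_rule_count() {
    motd_fragment | grep -c '^-A '
}

# One-time hook from PREROUTING into the chain. -C reports whether the
# jump already exists, so this is safe to call on every run. Not run here.
ensure_jump() {
    iptables -t nat -N "$CHAIN" 2>/dev/null || true
    iptables -t nat -C PREROUTING -p tcp --dport 80 -j "$CHAIN" 2>/dev/null ||
        iptables -t nat -A PREROUTING -p tcp --dport 80 -j "$CHAIN"
}

# Daily job on a live box (not run here; db_client_ips is a placeholder
# for whatever prints the client IPs from the database):
#   ensure_jump
#   db_client_ips | motd_fragment | iptables-restore --noflush
```

The page that clears a client's redirect then deletes from MOTD_REDIRECT instead of PREROUTING, and because the chain is rebuilt from scratch each day, a single delete is always enough.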