Feb 5 / Greg

Pop Quiz Friday – Redirect Users Web Traffic Going Out

This will be the maiden flight of my pop quiz series. I’m going to try and do them at least every other Friday, if not every Friday. I’ll give you until the following Thursday to put your answer in the comments section. Without further delay, here’s today’s quiz.

You have decided that you don’t want users going to GregSowell.com anymore…how unfortunate hehe. Instead of blocking GregSowell.com you want to redirect the users to an internal webserver at IP 192.168.2.2. The internal server will host a page that says something to the effect of “You are not allowed to view this page.” You are using public DNS, so no DNS query trickery 😉 Also, no squid or other proxy services.

I can quickly think of a couple of ways to accomplish this:
One way takes only a single command, but is the most basic.
The second takes 3, but is a little more clever in design.

11 Comments

  1. omegatron / Feb 5 2010

    1. ip firewall nat add chain=dstnat dst-address=2.2.2.2 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.2.2 comment="Redirect any tcp port 80 connection where destination address is 2.2.2.2 to 192.168.2.2"

    That’s my first option, still thinking about the second.

  2. Greg / Feb 5 2010

    Andrew,

    This was supposed to take you longer than 5 seconds…hehehe. At least the second one is making you think…for at least 10 seconds. 🙂

  3. Jimmy / Feb 5 2010

    Basically the same destination nat, but only catch greg’s site as there may be other sites hosted there too. The regex could probably use some more fine tuning, but it’s workable.

    /ip firewall layer7-protocol add comment="We dont like greg" name="Rogaine" regexp="^.*get.+http://[a-zA-Z0-9\.]+gregsowell.com/.*\$"
    /ip firewall mangle add action=mark-connection chain=prerouting comment="Get off my lawn" disabled=no dst-address=2.2.2.2 dst-port=80 layer7-protocol="Rogaine" new-connection-mark=NOGREGFORYOU passthrough=no protocol=tcp
    /ip firewall nat add action=dst-nat chain=dstnat comment="Greg is a wanker" connection-mark=NOGREGFORYOU disabled=no to-addresses=192.168.2.2

  4. Greg / Feb 5 2010

    Jimmy,

    Oh so close. It would be you that figured out the L7 stuff…hehe.

    In the mangle rule you should drop the dst-address, because if I change my IP your rule will be invalid.

    And in your nat rule, if you wanted to specifically say that 192.168.2.2 can’t get to gregsowell.com, you would put it in the from-addresses spot. Otherwise, if you leave it off, it will catch everyone trying to go to gregsowell.com.

    I award you bonus points nonetheless 😉

  5. Jimmy / Feb 5 2010

    Wasn’t a bad guess from not testing anything or even knowing much about networking. I really only posted so I could add in the comments to each command. Hopefully google will index those phrases now.

  6. Greg / Feb 5 2010

    I was tactfully ignoring your comments…true as they may be…heh. 😛

  7. Bagus / Feb 10 2010

    Jimmy … you the man ! hahaha

  8. Greg / Feb 11 2010

    Don’t encourage him…

  9. Greg / Feb 11 2010

    Andrew gets points for step one, and Jimbo Jenkins gets credit for step two. Step 2 all together properly would be this:

    /ip firewall layer7-protocol add comment="We dont like greg" name="Rogaine" regexp="^.*get.+http://[a-zA-Z0-9\.]+gregsowell.com/.*\$"
    /ip firewall mangle add action=mark-connection chain=prerouting comment="Get off my lawn" disabled=no dst-port=80 layer7-protocol="Rogaine" new-connection-mark=NOGREGFORYOU passthrough=yes protocol=tcp
    /ip firewall nat add action=dst-nat chain=dstnat comment="Greg is a wanker" connection-mark=NOGREGFORYOU disabled=no to-addresses=192.168.2.2

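
Added illustration (not code from the post, from any commenter, or from RouterOS itself): a small Python model of what the rules in this thread decide, so the two answers and Greg's correction can be checked against constructed HTTP requests. It takes Jimmy's layer7 pattern verbatim and shows which request forms it actually fires on: a browser talking directly to a site sends `GET /path HTTP/1.1` with the site name in the `Host` header, not `GET http://www.gregsowell.com/`, and the `[a-zA-Z0-9\.]+` needs at least one character before `gregsowell.com`, so the bare domain is missed. `TUNED_REGEX` is my own suggested tightening, and the case-insensitive, newline-crossing matching (`L7_FLAGS`) is an assumption about how the router applies a layer7 pattern. The sample request streams are constructed, not captured traffic.

```python
import re
from typing import Optional

# Jimmy's layer7 pattern exactly as posted; the trailing "\$" in the RouterOS
# command is only CLI escaping for a literal "$", so it is a plain "$" here.
POSTED_REGEX = r"^.*get.+http://[a-zA-Z0-9\.]+gregsowell.com/.*$"

# Suggested tightening (my assumption, not from the post): accept the bare
# domain, any subdomain, and the normal browser form of the request, where the
# request line holds only a path and the site name is in the Host header.
TUNED_REGEX = (
    r"^get (http://([a-z0-9-]+\.)*gregsowell\.com/"                        # absolute-URI form
    r"|/[^ ]* http/1\.[01]\r\n.*host: ([a-z0-9-]+\.)*gregsowell\.com\r\n)"  # origin form + Host
)

# Assumption: RouterOS layer7 matching is case-insensitive and runs over the
# start of the connection's data stream, so "." may cross line breaks here.
L7_FLAGS = re.IGNORECASE | re.DOTALL

# Constructed request streams for the demo (not captured traffic).
SAMPLES = {
    "proxy_style_www":    "GET http://www.gregsowell.com/ HTTP/1.1\r\nHost: www.gregsowell.com\r\n\r\n",
    "proxy_style_bare":   "GET http://gregsowell.com/ HTTP/1.1\r\nHost: gregsowell.com\r\n\r\n",
    "direct_host_header": "GET /index.html HTTP/1.1\r\nHost: www.gregsowell.com\r\n\r\n",
    "other_site":         "GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def layer7_matches(pattern: str, stream: str) -> bool:
    """True if the layer7-style pattern fires on this connection's opening bytes."""
    return re.search(pattern, stream, L7_FLAGS) is not None


def redirect_decision(conn: dict, pin_dst_address: Optional[str] = None,
                      regex: Optional[str] = None) -> Optional[str]:
    """Model the posted rule chains and return the new destination, or None.

    regex=None,  pin_dst_address set  -> omegatron's single dst-nat rule
    regex set,   pin_dst_address set  -> Jimmy's mangle (with dst-address) + nat
    regex set,   pin_dst_address=None -> Greg's corrected version
    """
    if conn["protocol"] != "tcp" or conn["dst_port"] != 80:
        return None
    if pin_dst_address is not None and conn["dst_address"] != pin_dst_address:
        return None                        # rule is tied to one server IP
    if regex is not None and not layer7_matches(regex, conn["stream"]):
        return None                        # no connection-mark, so the nat rule never fires
    return "192.168.2.2"                   # dst-nat to-addresses=192.168.2.2


def demo() -> dict:
    """Run the cases the thread discusses and return them for inspection."""
    # Constructed: the site has moved from 2.2.2.2 to 3.3.3.3, request unchanged.
    site_moved = {"protocol": "tcp", "dst_port": 80, "dst_address": "3.3.3.3",
                  "stream": SAMPLES["proxy_style_www"]}
    return {
        "posted_regex": {k: layer7_matches(POSTED_REGEX, v) for k, v in SAMPLES.items()},
        "tuned_regex":  {k: layer7_matches(TUNED_REGEX, v) for k, v in SAMPLES.items()},
        # Greg's point: a rule pinned to dst-address=2.2.2.2 goes dead once the IP changes
        "pinned_after_ip_change":   redirect_decision(site_moved, "2.2.2.2", POSTED_REGEX),
        "unpinned_after_ip_change": redirect_decision(site_moved, None, POSTED_REGEX),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the posted pattern matching only the `http://www.gregsowell.com/` form, while the tuned pattern also catches the bare domain and the ordinary `Host`-header request; the last two entries are the difference between Jimmy's mangle rule with `dst-address` and Greg's version without it.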
  10. Afridi / Feb 13 2010

    All of that is only possible using the Hotspot by editing the login page.

  11. Greg / Feb 15 2010

    Afridi,

    You can do something similar with hotspot. You could add an IP exclusion to bypass all users and only send specific individuals to the actual redirect page.

    Alternately, I’ve read that MTK will allow you to modify the default webpage that is included in the router, if you have sufficient need. You could always just redirect local then.
