Pop Quiz Friday – Redirect Users Web Traffic Going Out
This will be the maiden flight of my pop quiz series. I’m going to try and do them at least every other Friday, if not every Friday. I’ll give you until the following Thursday to put your answer in the comments section. Without further delay, here’s today’s quiz.
You have decided that you don’t want users going to GregSowell.com anymore…how unfortunate hehe. Instead of blocking GregSowell.com you want to redirect the users to an internal webserver at IP 192.168.2.2. The internal server will host a page that says something to the effect of “You are not allowed to view this page.” You are using public DNS, so no DNS query trickery 😉 Also, no squid or other proxy services.
I can quickly think of a couple of ways to accomplish this:
One way takes only a single command, but is the most basic.
The second takes 3, but is a little more clever in design.
1. ip firewall nat add chain=dstnat dst-address=2.2.2.2 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.2.2 comment="Redirect any tcp port 80 connection where destination address is 2.2.2.2 to 192.168.2.2"
That’s my first option, still thinking about the second.
Andrew,
This was supposed to take you longer than 5 seconds…hehehe. At least the second one is making you think…for at least 10 seconds. 🙂
Basically the same destination nat, but only catch Greg’s site as there may be other sites hosted there too. The regex could probably use some more fine tuning, but it’s workable.
/ip firewall layer7-protocol add comment="We dont like greg" name="Rogaine" regexp="^.*get.+http://[a-zA-Z0-9\.]+gregsowell.com/.*\$"
/ip firewall mangle add action=mark-connection chain=prerouting comment="Get off my lawn" disabled=no dst-address=2.2.2.2 dst-port=80 layer7-protocol="Rogaine" new-connection-mark=NOGREGFORYOU passthrough=no protocol=tcp
/ip firewall nat add action=dst-nat chain=dstnat comment="Greg is a wanker" connection-mark=NOGREGFORYOU disabled=no to-addresses=192.168.2.2
Jimmy,
Oh so close. It would be you that figured out the L7 stuff…hehe.
In the mangle rule you should drop the dst-address, because if I change my IP your rule will be invalid.
And in your nat rule, if you wanted to specifically say that 192.168.2.2 can’t get to gregsowell.com, you would put it in the from-addresses spot. Otherwise, if you leave it off, it will catch everyone trying to go to gregsowell.com.
I award you bonus points nonetheless 😉
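To make the trade-offs in this exchange concrete, here is an added Python model of the two approaches (this is example code written for this page, not RouterOS configuration or anything Andrew, Jimmy or Greg posted). It keeps Jimmy’s layer7 pattern exactly as written and applies Greg’s correction of dropping dst-address from the mangle rule. It assumes the RouterOS L7 matcher behaves like a case-insensitive regex search over the first bytes of the TCP stream; the flows, request payloads and the 5.5.5.5 “new IP” are constructed sample data.

```python
import re
from dataclasses import dataclass

# Jimmy's layer7 pattern from the thread, as written (the "\$" in the RouterOS
# command is shell quoting for "$"). ASSUMPTION: the RouterOS L7 matcher is
# modelled as a case-insensitive search over the first bytes of the stream,
# so re.IGNORECASE | re.DOTALL approximate it here.
L7_GREG = re.compile(r"^.*get.+http://[a-zA-Z0-9\.]+gregsowell.com/.*$",
                     re.IGNORECASE | re.DOTALL)

GREG_PUBLIC_IP = "2.2.2.2"   # address the thread uses for gregsowell.com
BLOCK_PAGE = "192.168.2.2"   # internal "you are not allowed" web server


@dataclass
class Flow:
    """One flow as the router sees it (constructed sample data)."""
    dst: str
    dport: int
    proto: str = "tcp"
    payload: bytes = b""


def option1_dst(flow: Flow) -> str:
    """Andrew's single dst-nat rule: matches on dst-address + tcp/80 only."""
    if flow.proto == "tcp" and flow.dst == GREG_PUBLIC_IP and flow.dport == 80:
        return BLOCK_PAGE
    return flow.dst


def option2_dst(flow: Flow) -> str:
    """Jimmy's mangle + dst-nat pair with Greg's correction applied: the
    mangle rule has no dst-address, so it follows the site if its IP moves."""
    marked = (flow.proto == "tcp" and flow.dport == 80
              and L7_GREG.search(flow.payload.decode("latin-1")) is not None)
    return BLOCK_PAGE if marked else flow.dst


def http_get(target: str, host: str) -> bytes:
    """Build a minimal HTTP/1.1 request (constructed sample payload)."""
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


# Constructed sample flows that exercise the edge cases of both approaches.
SAMPLES = {
    # absolute-URI request (what a client sends to a proxy): both redirect
    "absolute_uri": Flow(GREG_PUBLIC_IP, 80,
                         payload=http_get("http://www.gregsowell.com/", "www.gregsowell.com")),
    # ordinary browser request (origin-form) contains no "http://": regex misses
    "origin_form": Flow(GREG_PUBLIC_IP, 80,
                        payload=http_get("/", "www.gregsowell.com")),
    # bare domain: "[a-zA-Z0-9.]+" needs at least one char before "gregsowell.com"
    "bare_domain": Flow(GREG_PUBLIC_IP, 80,
                        payload=http_get("http://gregsowell.com/", "gregsowell.com")),
    # another site on the same IP: option 1 redirects it too (collateral damage)
    "other_site_same_ip": Flow(GREG_PUBLIC_IP, 80,
                               payload=http_get("http://www.example.com/", "www.example.com")),
    # site moves to a new IP: option 1 silently stops working, option 2 still marks
    "site_moved": Flow("5.5.5.5", 80,
                       payload=http_get("http://www.gregsowell.com/", "www.gregsowell.com")),
    # HTTPS: neither rule looks at 443, and the TLS payload is opaque anyway
    "https": Flow(GREG_PUBLIC_IP, 443, payload=b"\x16\x03\x01"),
}


def evaluate() -> dict:
    """Map each sample name to (option 1 destination, option 2 destination)."""
    return {name: (option1_dst(f), option2_dst(f)) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (o1, o2) in evaluate().items():
        print(f"{name:20s} option1 -> {o1:12s} option2 -> {o2}")
```

Running it shows why neither answer is a drop-in block: the one-liner catches every site co-hosted on 2.2.2.2 and stops working the moment the address changes, while the layer7 pattern as posted only fires on absolute-URI requests (the form clients send to a proxy, which is excluded by the quiz) and misses the bare domain, so a pattern like this needs to be checked against real captures before anyone relies on it. Neither approach sees HTTPS at all.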
Wasn’t a bad guess for not testing anything or even knowing much about networking. I really only posted so I could add in the comments to each command. Hopefully Google will index those phrases now.
I was tactfully ignoring your comments…true as they may be…heh. 😛
Jimmy … you the man ! hahaha
Don’t encourage him…
Andrew gets points for step one, and Jimbo Jenkins gets credit for step two. Step 2 all together properly would be this:
All of that is only possible using the Hotspot by editing the login page.
Afridi,
You can do something similar with hotspot. You could add an IP exclusion to bypass all users and only send specific individuals to the actual redirect page.
Alternately, I’ve read that MTK will allow you to modify the default webpage that is included in the router, if you have sufficient need. You could always just redirect local then.