Redirect incoming https to local ip with iptables


Just filter based on the destination address:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d $PUBLIC_IP -m conntrack --ctstate NEW -j DNAT --to-destination 192.168.1.2:443

If the public IP is dynamic, you will need to add hooks to the DHCP client script to update this rule when your IP address changes. You may also use IP sets to change the IP address to check without changing your rule.

Another less perfect solution is to use the addrtype module. This module checks the routing table to determine what type of routing entry the address has. The LOCAL type can be used to check if this IP is the host's.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m addrtype --dst-type LOCAL -m conntrack --ctstate NEW -j DNAT --to-destination 192.168.1.2:443

Note that this solution also redirects connections to 192.168.1.1 and 127.0.0.1 or any IP address that your host has. You can exclude destination addresses by adding a simple ! -d 192.168.1.1 match to the rule.
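One way to carry out the ipset suggestion from the answer above, as an added example that is not part of the original answer: the DNAT rule matches a set instead of a literal $PUBLIC_IP, and a dhclient exit hook keeps the set current. The set name, the DRY_RUN wrapper and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes ipset is installed;
# the set name "public_ip" and the helper names are this example's choices.
set -eu

SET_NAME=public_ip
LAN_HOST=192.168.1.2
DRY_RUN=${DRY_RUN:-0}

# Run a command, or only print it when DRY_RUN=1 so the rules can be
# reviewed before they touch a live firewall.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time setup: the rule matches the set of public addresses, so it never
# has to be rewritten when the leased address changes. Only traffic whose
# destination is in the set is redirected, so LAN clients reaching the
# Internet on 443 are left alone.
setup_rules() {
    run ipset create "$SET_NAME" hash:ip -exist
    run iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 \
        -m set --match-set "$SET_NAME" dst \
        -m conntrack --ctstate NEW \
        -j DNAT --to-destination "$LAN_HOST:443"
}

# Replace the set contents so that only the current public IP is matched.
update_public_ip() {
    old=$1
    new=$2
    if [ -n "$old" ] && [ "$old" != "$new" ]; then
        run ipset del "$SET_NAME" "$old" -exist
    fi
    run ipset add "$SET_NAME" "$new" -exist
}

# dhclient exit hook (e.g. /etc/dhcp/dhclient-exit-hooks.d/ipset-dnat):
# dhclient exports $reason, $old_ip_address and $new_ip_address.
dhclient_hook() {
    case ${reason:-} in
        BOUND|RENEW|REBIND|REBOOT)
            update_public_ip "${old_ip_address:-}" "${new_ip_address:?}" ;;
    esac
}
```

Run `DRY_RUN=1 sh script.sh` after appending `setup_rules` to see the generated commands without changing the firewall.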


Author: AnttiQ

Updated on September 18, 2022

Comments

  • AnttiQ
    AnttiQ over 1 year

    I have a router with 1 network interface (eth0, public ip) and an alias for eth0:0, local ip 192.168.1.1.

    I want to redirect all incoming https (443) traffic to another server. I tried it with

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -j DNAT --to-destination 192.168.1.2:443 and it works. All traffic coming to my public ip's ssl port is redirected to 192.168.1.2.

    But the main problem is this; now all https traffic from my local lan to the internet is also redirected to that local ip, eg. https://facebook.com and 192.168.1.2 answers. How should I fix my configuration in order to make it work?

  • AnttiQ
    AnttiQ almost 11 years
    Thnx for your quick reply. How can I use -o with PREROUTING? At least iptables 1.4.12 does not accept it? But everything now works with --dst-type LOCAL :)
  • BatchyX
    BatchyX almost 11 years
    @AnttiQ: Sorry, I mean -d, not -o. Fixed.
  • Craig McQueen
    Craig McQueen over 7 years
    Why is using addrtype module less perfect? This option sounds more reliable to me, because it doesn't need a separately defined $PUBLIC_IP which might be wrong (especially when using DHCP to get IP address).