Iptables quota usage and web redirection

Issues related to configuring your network
Post Reply
rtu
Posts: 2
Joined: 2014/03/12 21:02:15

Iptables quota usage and web redirection

Post by rtu » 2014/03/13 14:42:49

Hi, I've been two days trying to solve this issue, but I am getting some problems that I do not understand.
I hope that somebody could help me with this issue.

I have an iptables firewall as a package filter.

Some days ago one of my customers requested me to apply an bandwidth quota for their users.
Once the users reach that quota, they must be redirected to a webpage provided by the client.

In this scenario i've try a lot of possible iptables rules and I got to some certainties and some uncertainties.

My last try:

Code: Select all

iptables -t mangle -I INPUT -m quota ! --quota 2097152 -s 192.168.245.251 -d 192.168.34.1 -p tcp --dport 8080 -j MARK --set-mark 22
I've decided that when I reach to quota 2097152 (2Mb -just for testing-) I start marking traffic

Code: Select all

iptables -I INPUT -m mark --mark 22 -m conntrack --ctstate ESTABLISHED -s 192.168.245.251 -d 192.168.34.1 -p tcp --dport 8080 -j REJECT
If the packet are mark, I reject all established connections.

Code: Select all

iptables -t nat -A PREROUTING -m mark --mark 22 -s 192.168.245.251 -d 192.168.34.1 -p tcp --dport 8080  -j DNAT --to 192.168.33.171:80
And if the packages are marked, I make a redirection.

Checking the Ip-tables flow.. (http://upload.wikimedia.org/wikipedia/c ... t-flow.svg) i get this:

=== [NAT | Pre-routing] == [ Mangle | Input ]== [ Filter | Input ] == >

First Package:

First Flow : [NAT | Pre-routing] No package marked.. No redirecction.
Second Flow: [Mangle | INPUT ] No marks untill I reach 2097152 bytes
Third Flow : [filter | INPUT ] No marks, nothing to drop.

When I reach the quota, first package:

First Flow : [NAT | Pre-routing] Start redirecction

-----------------


Theoretically everything works fine, but it's not happening.

Here is a picture that i will explain:

Image


The two first rules work fine, we can see how te traffic starts to be marked when i reach the quota.

The problem is I am not getting the redirecction, the traffic in the nat table in despite of is marked is not redirected.


Does anyone know what could be the problem?

Sorry for my english.

Kindly Regards,
Rodrigo

rtu
Posts: 2
Joined: 2014/03/12 21:02:15

Re: Iptables quota usage and web redirection

Post by rtu » 2014/03/13 17:05:55

Just to make clear something.. just in case.. in the image, when you see 687K, this is the amount of data over the 2097152 bytes.

the -m quota ! --quota <Value> make the rule 0, untill you reach the <Value>, then starts to count.

Regards,

Post Reply

Return to “CentOS 6 - Networking Support”