# IPTABLES conditional redirect



## networkprosourc (Aug 25, 2008)

I have a couple of tech-savvy users who consistently abuse, or attempt to find ways around, our internal firewall policies. We are using IPCop, which is extremely powerful, and I am familiar with creating iptables rules. However, I seem to be stymied by a seemingly simple task. If I wanted to redirect all of my users to OpenDNS, I could enter a command like:

iptables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to 208.67.222.222

But I don't want to preroute everyone. I want to preroute two users with static IP addresses on the network. I can't take away their local admin rights on their PC, and they are smart enough to figure out how to change the DNS entry in the Network control panel. So I want to CB them at the firewall, which I control and they have no access to whatsoever.

I basically want to do the same as the above iptables rule (which takes ANY dns request destined for any dns server and routes it to OpenDNS, even if the user has control of the DNS controls in network properties - in other words, it doesn't matter what they put in the DNS entry, ANY request is redirected to OpenDNS). But I want to do it for 10.0.30.33 and 10.0.30.90, or better yet (since they might eventually figure out that they can change their IP address, though we have very few available), to do the same with the MAC address (which will never change unless I change out their NIC).

So the flow would be to NAT PREROUTE UDP 53 (DNS) requests by 00:00:00:00:01:02 (or 10.0.30.33) on the green network to 208.67.222.222, completely transparent to them.

Any ideas, or am I stuck with these bungholes surfing at will?

I have tried Advanced Proxy and URLFILTER, and I do use them, but I am tired of playing the game of cat and mouse with these two. 

Any help would be much appreciated!

T.


----------



## grue155 (May 29, 2008)

I understand what you are trying to do, but I work in a different environment (FreeBSD) so my context of the rule structure is different.

From what I understand, you want to have a selective source on your rule. Something like this, as I understand it, using your example:

iptables -t nat -I PREROUTING -i eth0 -p udp --src 10.0.30.33 --dport 53 -j DNAT --to 208.67.222.222

And another rule for the other address. 

What I'm not clear on is whether iptables supports '--src' at that point in the rule flow. I suspect it does, as your example has an implicit 'any' source. You just need to make it explicit. FBSD ipfw would allow something like that, or let me form a specific rule branch for a given address or address table. Iptables can do the work. It's just a question of parameters.


----------



## johnwill (Sep 26, 2002)

How about the simple method? Administrative action by their boss! Normally, such activity is a firing offense at most companies.


----------



## networkprosourc (Aug 25, 2008)

grue155 said:


> I understand what you are trying to do, but I work in a different environment (FreeBSD) so my context of the rule structure is different.
> 
> From what I understand, you want to have a selective source on your rule. Something like this, as I understand it, using your example:
> 
> ...



I had already tried using the --src option, but for some reason, it didn't work. I am beginning to wonder if I need to set up a specific chain for prerouting that is processed before IPCop does its NAT. I will give it a try again this afternoon.

Thanks!



> How about the simple method? Administrative action by their boss! Normally, such activity is a firing offense at most companies.


Without getting into too much detail, it isn't that easy with these two individuals, unfortunately.

Thanks, though!

- T
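The rule set the original post asks for, as an added example that is not code from this thread or from IPCop: a POSIX shell script that takes the resolver, the green-side interface and a list of hosts given either as IPv4 addresses (grue155's `--src` idea) or as MAC addresses (the iptables `mac` match), puts the DNAT rules in a dedicated nat chain, and jumps to that chain from position 1 of PREROUTING so the rules are evaluated before anything the distribution itself installs, which is the "specific chain processed before IPCop does its NAT" approach from the last reply. The chain name DNS_FORCE, the `-a` flag and the addresses in the usage line are this example's own assumptions. Without `-a` it only prints the iptables commands; with `-a` it pipes them into `sh -e`.

```shell
#!/bin/sh
# dns_redirect.sh (example, not IPCop's code): build, and optionally apply,
# iptables nat rules that force DNS from selected LAN hosts to one resolver.
#
#   ./dns_redirect.sh [-a] RESOLVER IFACE HOST...
#   e.g. ./dns_redirect.sh 208.67.222.222 eth0 10.0.30.33 00:00:00:00:01:02
#
# HOST is an IPv4 address (optionally with /prefix) or a MAC address.
# Without -a the iptables commands are only printed; with -a they are run
# through "sh -e" (needs root). Chain name and flag are this example's choices.

CHAIN=DNS_FORCE

# Print the iptables match for one host spec, or fail on anything else.
# MACs use "-m mac --mac-source", which is valid in PREROUTING because the
# source MAC is known on an ingress interface; IPs use the plain -s match.
host_match() {
    spec=$1
    if printf '%s\n' "$spec" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
        printf '%s' "-m mac --mac-source $spec"
    elif printf '%s\n' "$spec" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
        printf '%s' "-s $spec"
    else
        return 1
    fi
}

# Emit one iptables command per line. Re-runnable: the chain is flushed if it
# already exists and the old jump is removed before a new one is inserted.
dns_redirect_rules() {
    resolver=$1
    iface=$2
    shift 2
    echo "iptables -t nat -N $CHAIN 2>/dev/null || iptables -t nat -F $CHAIN"
    echo "iptables -t nat -D PREROUTING -i $iface -j $CHAIN 2>/dev/null || true"
    # Position 1: evaluated before any PREROUTING rule the firewall
    # distribution installed, so its own NAT never sees these packets first.
    echo "iptables -t nat -I PREROUTING 1 -i $iface -j $CHAIN"
    for host in "$@"; do
        match=$(host_match "$host") || {
            echo "dns_redirect_rules: bad host spec '$host'" >&2
            return 1
        }
        # Both UDP and TCP 53: resolvers retry over TCP for large answers,
        # and a user can point a stub resolver at TCP only.
        for proto in udp tcp; do
            echo "iptables -t nat -A $CHAIN -p $proto --dport 53 $match -j DNAT --to-destination $resolver"
        done
    done
}

# Stand-alone use; nothing runs when the file is sourced without arguments.
if [ "$#" -ge 3 ]; then
    if [ "$1" = "-a" ]; then
        shift
        dns_redirect_rules "$@" | sh -e
    else
        dns_redirect_rules "$@"
    fi
fi
```

To check that it is actually catching the traffic, watch the packet counters on the chain with `iptables -t nat -L DNS_FORCE -n -v` while the user resolves something. Three caveats a practitioner would want: a local administrator can usually override the MAC in the NIC driver properties, so the MAC match raises the bar but is not a hard identity; IPCop rebuilds its rule set on restart and on configuration changes, so the script has to be hooked into the firewall's local-rules script to be re-applied; and DNAT on port 53 catches only port 53, so a resolver reached on any other port from those hosts needs a separate block in the filter table.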


----------

