Linux – Redirect specific IP address to a another site/page/IP using IPTABLES

Daniel,

Your probably going to want something along the lines of this. This is just cut directly from my /etc/sysconfig/iptables file on Red Hat.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.1.1.0/24 -p tcp -m multiport --dports 22,80,443,5666 -j ACCEPT
-A INPUT -s 10.2.2.2 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT

As you can see, the default policy for input is drop. So you don't have to do any specific drop rules. You only have to say what you want to allow. In my example, I have shown where you can do multiple protocols for 1 rule or just a single protocol for 1 rule.

Edit: Below is an example script you can use to create your iptable rules.

#!/bin/bash
# Iptables configuration script

# Flush all current rules from iptables
/sbin/iptables -F

# Loopback address
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Allowed any established connections
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow FTP and SSH from specific IPs
/sbin/iptables -A INPUT -s 10.0.2.0/24 -p tcp -m state --state NEW -m multiport --dports 21,22 -j ACCEPT

# Allow pings from monitoring server
/sbin/iptables -A INPUT -s 1.1.1.1 -p icmp -m icmp --icmp-type any -j ACCEPT

# Allow web server access from anywhere
/sbin/iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# Drop rules to prevent them from entering the logs
/sbin/iptables -A INPUT -p tcp -m multiport --dports 135,137,138 -j DROP
/sbin/iptables -A INPUT -p udp -m multiport --dports 135,137,138 -j DROP
/sbin/iptables -A INPUT -p all -d 255.255.255.255 -j DROP

# Log dropped traffic
/sbin/iptables -A INPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Dropped Traffic: "

# Set default policies for INPUT, FORWARD and OUTPUT chains
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Save settings
/sbin/service iptables save

# List rules
/sbin/iptables -L -v

DNS resolution in IPtables is a little funny. At run time the firewall acts on IP address only, not on domain names. Let's take the process step by step for clarity.

1. You add a rule with: iptables -I FORWARD 1 -p tcp -d dd-wrt.com --dport 80 -j ACCEPT
2. IPtables passes dd-wrt.com to the resolver subsystem.
3. Resolver subsystem returns: 83.141.4.210
4. IPtables modifies and creates rule as: -p tcp -d 83.141.4.210 --dport 80 -j ACCEPT

If the domain name returned multiple addresses, such as www.google.com, then inserts a copy of that rule for each IP address returned. Unless, of course, you use the --replace option in which case multiple returned addresses will cause it to fail.

This lookup only happens when the rule is added. So if dd-wrt.com is moved to a new host then your rule will no longer work correctly. You will have to delete and re-add or restart the firewall to have the new address take effect.

As a result you can simply the implications to mean that you cannot use it to block based on domain name at all. You are only ever blocking on IP address, you may be simply using a domain name to occasionally retrieve the address. Similarly, wild cards won't work either. The hostname *.dd-wrt.com does not have an A record, therefore it cannot be converted into an IP address.

It is generally in your best interest to block or deny based solely on IP address. That way there is no confusion for you, or your staff, on what is supposed to be blocked (or allowed) versus what actually is.