
Redirect domain request

Discussion in 'Tomato Firmware' started by windozer, Aug 16, 2012.

  1. windozer

    windozer Networkin' Nut Member

    How can I make Tomato redirect a URL's domain from, for example, thepiratebay.se to thepiratebay.se.sixxs.org, or aabbcc.com to ddeeff.com?

    (I already searched the Tomato sub-forum but couldn't find anything.)
     
  2. shadowken

    shadowken Networkin' Nut Member

    Try this:
    iptables -t nat -I PREROUTING -i br0 -s www.google.com -p tcp --dport 80 -j DNAT --to www.google.ae
     
  3. koitsu

    koitsu Network Guru Member

    The OP should be aware that DNS resolution (for www.google.com, etc.) is done at the time the iptables command is run. www.google.com and other hosts often use either multiple A records, or RR (round-robin) records (meaning every X seconds you get a different A record when trying to resolve the hostname). Proof:

    Code:
    $ dig a www.google.com
    ...
    ;; QUESTION SECTION:
    ;www.google.com.                        IN      A
     
    ;; ANSWER SECTION:
    www.google.com.        249906  IN      CNAME  www.l.google.com.
    www.l.google.com.      205    IN      A      74.125.224.146
    www.l.google.com.      205    IN      A      74.125.224.148
    www.l.google.com.      205    IN      A      74.125.224.147
    www.l.google.com.      205    IN      A      74.125.224.144
    www.l.google.com.      205    IN      A      74.125.224.145
    ...
    
    Code:
    $ dig a www.google.ae
    ...
    ;; QUESTION SECTION:
    ;www.google.ae.                IN      A
     
    ;; ANSWER SECTION:
    www.google.ae.          60      IN      CNAME  www-cctld.l.google.com.
    www-cctld.l.google.com. 276    IN      A      74.125.224.159
    www-cctld.l.google.com. 276    IN      A      74.125.224.152
    www-cctld.l.google.com. 276    IN      A      74.125.224.151
    ...
    
    So, the above iptables rule would basically redirect requests to only one of those IP addresses (not all 5!) for www.google.com to only one of 3 IP addresses for www.google.ae.

    This kind of redirection does not scale nor does it work reliably. Even if you were to add 15 (5*3) iptables rules to cover all cases, if Google changes their IP addresses your rules will stop working correctly.

    There is no effective way to accomplish what the OP wants aside from using an HTTP proxy (squid, mod_proxy in Apache, etc.), and this makes HTTP between client and server very, very slow.

    For those who think using dnsmasq to force a CNAME record for www.google.com lookups to www.google.ae (e.g. lookup of www.google.com returns IN CNAME www.google.ae), this also won't work because HTTP clients include a Host: header in their TCP payload. That has to be re-written, otherwise www.google.ae gets a GET request with a Host: header of www.google.com. You would have to do layer 7 packet rewriting (not filtering, but rewriting) to accomplish this. The HTTP proxy method is a lot easier/saner, but it's slow.
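
    The Host: header problem described above, as an added example that is not code from this thread, from Tomato or from dnsmasq: a raw HTTP request as the client sends it, and the layer-7 rewrite a redirecting proxy would have to perform on it. The redirect table is constructed for the example.

```python
"""Why a DNS-only redirect (dnsmasq CNAME or iptables DNAT) breaks HTTP: the
client still writes the ORIGINAL name into the Host: header, so the redirect
target receives a request for a site it does not serve.  A redirecting proxy
must rewrite that header at layer 7.  Added example; the table is constructed."""
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping of the kind the OP asked for (not a real configuration).
REDIRECTS = {
    "thepiratebay.se": "thepiratebay.se.sixxs.org",
    "aabbcc.com": "ddeeff.com",
}

def _map_host(hostport: str, redirects) -> str:
    """Map 'name' or 'name:port' through the table, keeping any port suffix."""
    host, _, port = hostport.partition(":")
    new_host = redirects.get(host.lower(), host)
    return new_host + (":" + port if port else "")

def extract_host(request: bytes) -> str:
    """Return the Host: header value exactly as the server would see it."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":      # header names are case-insensitive
            return value.strip().decode("ascii")
    return ""

def rewrite_host(request: bytes, redirects=REDIRECTS) -> bytes:
    """Rewrite the Host: header and an absolute-form request target (proxy
    style 'GET http://name/path') in a raw HTTP/1.x request.  Unmapped names
    and the message body pass through unchanged."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    if target.lower().startswith(b"http://"):   # absolute-form target
        u = urlsplit(target.decode("ascii"))
        u = u._replace(netloc=_map_host(u.netloc, redirects))
        target = urlunsplit(u).encode("ascii")
    out = [b" ".join((method, target, version))]
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            mapped = _map_host(value.strip().decode("ascii"), redirects)
            line = b"Host: " + mapped.encode("ascii")
        out.append(line)
    return b"\r\n".join(out) + sep + body
```

    Running extract_host on the untouched request shows the name the redirect target would receive under a DNS-only redirect; running it on the rewritten request shows what the proxy has to make it.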
     
  4. windozer

    windozer Networkin' Nut Member

    I go to great lengths (in Firefox) to avoid google.ae and use dot-com instead because I'm an expat and the localized Google drives me crazy (!!). Your example suggests the opposite :P. I (reversed &) tried it just to see if it works
    iptables -t nat -I PREROUTING -i br0 -s google.ae -p tcp --dport 80 -j DNAT --to google.com
    and I got the error
    iptables v1.3.8: Bad IP address `google.com'
    because it's expecting an IP number instead of a domain, right?

    My main goal was redirecting thepiratebay.se to thepiratebay.se.sixxs.org (which is IPv6). The iptables command doesn't seem to understand a destination IP in IPv6:
    iptables -t nat -I PREROUTING -i br0 -s thepiratebay.se -p tcp --dport 80 -j DNAT --to 2620:0:6b0:a:250:56ff:fe99:78f7
    gives an error: iptables v1.3.8: Port `0:6b0:a:250:56ff:fe99:78f7' not valid

    I am aware that a domain can resolve to a different IP on a daily (or hourly) basis to handle traffic. Thanks for your example. I avoid the localized Google, but you do make a point there about the 5 and 3 addresses. On a side note, I use WhosIP to get a domain's (ISP) allocated range, also in CIDR format (these remain pretty much the same for years). I once got YouTube's CIDR to add it to QoS... in the name of Tomato experiment. Handy tool, FYI.

    You're right, an HTTP proxy is most suitable for this. I'll look into a Windows one to run locally to redirect thepiratebay.se to thepiratebay.se.sixxs.org (IPv6). For uTorrent I used to search and replace the tracker domain in the .torrent file... I don't want to do that anymore.
    Also, I'm willing to try the dnsmasq way, but I don't know how to add a "rule".
     
  5. koitsu

    koitsu Network Guru Member

    No, I was saying do not try the "dnsmasq method". The Host: header sent from the web browser/client (that includes torrent clients, BTW!) will not correlate/match the server that it's sent to, which will result in all sorts of strange behaviour (depends on how the webserver itself is configured).

    I wish you had brought up the IPv6 aspect much earlier in the thread. That throws a whole new wrench into the picture and makes things even more complex/difficult to solve.

    You cannot mix IPv4 and IPv6 the way you're trying to (with iptables). The firewall/redirection/etc. stack for IPv4 is 100% separate from the IPv6 stack. Commands: iptables = IPv4, ip6tables = IPv6.

    So what you're trying to do, again, should be done purely with an HTTP proxy. There's really no other way.
     
    windozer likes this.
  6. Azuse

    Azuse LI Guru Member

    If you enable log-queries in dnsmasq, browse for a bit, then perform a cache dump, you'll find large services (namely Google and Amazon) will have about a dozen entries for all their main services. Add the fact that quite a few large players share single IPs and you get the idea.

    Information on proxy filtering is easy enough to come by; any ISP that filters has one :p

    Incidentally, Optware (http://tomatousb.org/doc:optware) can run an HTTP proxy for redirection and filtering on the router, worth looking into: http://www.linksysinfo.org/index.php?threads/full-optware-package-for-tomato-nd-usb-firmware.31736/
     
    koitsu and windozer like this.
