Redirect domain request

Discussion in 'Tomato Firmware' started by windozer, Aug 16, 2012.

  1. windozer

    windozer LI Guru Member

    How can I make tomato redirect a url's domain from, for example to or to

    (I already searched the tomato sub-forum but couldn't find)
  2. shadowken

    shadowken Networkin' Nut Member

    Try this :
    iptables -t nat -I PREROUTING -i br0 -s -p tcp --dport 80 -j DNAT --to
  3. koitsu

    koitsu Network Guru Member

    The OP should be aware that DNS resolution (for, etc.) is done at the time the iptables command is run. and other hosts often use either multiple A records, or RR (round-robin) records (meaning every X seconds you get a different A record when trying to resolve the hostname). Proof:

    $ dig a
    ;                        IN      A
    ;; ANSWER SECTION:
                 249906  IN      CNAME
                 205     IN      A
                 205     IN      A
                 205     IN      A
                 205     IN      A
                 205     IN      A
    $ dig a
    ;                IN      A
    ;; ANSWER SECTION:
                 60      IN      CNAME
                 276     IN      A
                 276     IN      A
                 276     IN      A
    So, the above iptables rule would basically redirect requests to only one of those IP addresses (not all 5!) for to only one of 3 IP addresses for

    This kind of redirection does not scale nor does it work reliably. Even if you were to add 15 (5*3) iptables rules to cover all cases, if Google changes their IP addresses your rules will stop working correctly.

    There is no effective way to accomplish what the OP wants aside from using an HTTP proxy (squid, mod_proxy in Apache, etc.), and this makes HTTP between client and server very, very slow.

    For those who think using dnsmasq to force a CNAME record for lookups to (e.g. lookup of returns IN CNAME, this also won't work because HTTP clients include a Host: header in their TCP payload. That has to be re-written, otherwise gets a GET request with a Host: header of You would have to do layer 7 packet rewriting (not filtering, but rewriting) to accomplish this. The HTTP proxy method is a lot easier/saner, but it's slow.
  4. windozer

    windozer LI Guru Member

    I go to great lengths (in firefox) to avoid and use dot-com instead because I'm an expat and the localized google drives me crazy (!!). Your example suggests the opposite : P. I (reversed &) tried it just to see if it works
    iptables -t nat -I PREROUTING -i br0 -s -p tcp --dport 80 -j DNAT --to
    and I got an error
    iptables v1.3.8: Bad IP address `'
    because it's expecting an IP number instead of domain, right?

    My main goal was redirecting to (which is ipv6). Iptables command doesn't seem to understand destination ip in ipv6
    iptables -t nat -I PREROUTING -i br0 -s -p tcp --dport 80 -j DNAT --to 2620:0:6b0:a:250:56ff:fe99:78f7
    gives an error iptables v1.3.8: Port `0:6b0:a:250:56ff:fe99:78f7' not valid

    I am aware that a domain can resolve to a different IP on a daily (or hourly) basis to handle traffic. Thanks for your example. I avoid the localized google; but you do make a point there about 5 and 3 addresses. On a sidenote, I use WhosIP to get a domain's (ISP) allocated range and also in CIDR format (these remain pretty much the same for years). I once got Youtube's CIDR to add it to the name of Tomato experiment. Handy tool FYI.

    You're right, an HTTP proxy is most suitable for this. I'll look into a Windows one to run locally to make to For uTorrent I used to search and replace the tracker domain in the .torrent file...I don't want to do that anymore.
    Also I'm willing to try the dnsmasq way, but I don't know how to add a "rule".
  5. koitsu

    koitsu Network Guru Member

    No, I was saying do not try the "dnsmasq method". The Host: header sent from the web browser/client (that includes torrent clients BTW!) will not correlate/match the server that it's sent to, which will result in all sorts of strange behaviour (depends on how the webserver itself is configured).

    I wish you had brought up the IPv6 aspect much earlier in the thread. That throws a whole new wrench into the picture and makes things even more complex/difficult to solve.

    You cannot mix IPv4 and IPv6 the way you're trying to (with iptables). The firewall/redirection/etc. stack for IPv4 is 100% separate from the IPv6 stack. Commands: iptables = IPv4, ip6tables = IPv6.

    So what you're trying to do, again, should be done purely with an HTTP proxy. There's really no other way.
    windozer likes this.
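    Added example (written for this edit, not code from the thread): it shows in Python what the two points above mean in practice. A DNAT rule changes only the destination IP, so the Host: header the client sends (post #3) still names the original site and has to be rewritten at layer 7, and the --to target must be an IPv4 literal for iptables or an IPv6 literal for ip6tables (post #5). The request bytes and host names are constructed for the demo.

```python
import ipaddress

# Constructed sample request, as a browser would send it after a DNAT rule
# rewrote only the destination IP: the Host header still names the original
# site, which is the mismatch koitsu describes.
SAMPLE_REQUEST = (
    b"GET /search?q=tomato HTTP/1.1\r\n"
    b"Host: original.example\r\n"
    b"User-Agent: constructed-client/1.0\r\n"
    b"\r\n"
)


def host_of(request: bytes) -> str:
    """Return the value of the Host: header in a raw HTTP/1.1 request."""
    for line in request.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode("ascii")
    raise ValueError("request has no Host header")


def rewrite_host(request: bytes, new_host: str) -> bytes:
    """The layer-7 rewrite an HTTP proxy must perform: replace the Host:
    header value. DNAT never touches this; it only changes the destination IP."""
    head, sep, body = request.partition(b"\r\n\r\n")
    out, seen = [], False
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            out.append(b"Host: " + new_host.encode("ascii"))
            seen = True
        else:
            out.append(line)
    if not seen:
        raise ValueError("request has no Host header")
    return b"\r\n".join(out) + sep + body


def dnat_tool_for(target: str) -> str:
    """Which netfilter tool accepts this --to target, mirroring the two errors
    in the thread: a hostname is rejected ("Bad IP address"), and an IPv6
    literal belongs in ip6tables, not iptables."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return "rejected: --to needs an IP literal, not a hostname"
    return "iptables" if addr.version == 4 else "ip6tables"
```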
  6. Azuse

    Azuse LI Guru Member

    If you enable log-queries in dnsmasq, browse for a bit, then perform a cache dump, you'll find large services (namely google and amazon) will have about a dozen entries for all their main services. Add the fact that quite a few large players share single IPs and you get the idea.

    Information on proxy filtering is easy enough to come by, any ISP that filters has one :p

    Incidentally optware ( can run an HTTP proxy for redirection and filtering on the router, worth looking into:
    koitsu and windozer like this.