
Is there a way to match VLAN IDs and redirect such HTTP traffic to a web server (iptables?)? And when at the web server, rewrite the URL according to the VLAN ID?

I would need such a thing because our network implements a number of VLANs with 802.1x and we would like to show some "banned" users specific web pages.

Thanks for any ideas and insights,

Regards,

zeratul021

1 Answer


If your VLANs and your IP addressing follow similar boundaries, then I think it might be easiest to use the IP addresses to control the access.

For example: VLAN 100 = 10.100.x.y, VLAN 101 = 10.101.x.y
or even VLAN 100 = 10.100.x.[100-119], VLAN 101 = 10.100.x.[120-140]

Web servers don't have access to the VLAN ID from the packet.

You'd then need to craft your web server rules to do things based on the client IP.

==== EDITED: What about just rewriting the dst IP address from the specific VLANs to an extra interface that can do the layer 7 rewriting that you want done? It should be invisible to the end user (as long as that filter stays up). Using iptables to modify layer 7 data seems expensive.

unixguy
  • Hi, well, essentially I know of two ways to do this. Each VLAN tags frames carrying a single IP subnet. Then you can set up X subinterfaces on the Linux DNS server and wildcard-redirect them to the web server IP. After that you could set up rewrite rules based on the remote address attribute. This works, as I have it up and running. The second way, which I'm about to try, is by using ebtables. Ebtables can read VLAN IDs and then mark such matching packets with the mark module. After that you can read those marks in iptables, mangle and redirect such traffic to the web server, where the before-mentioned rewrite rules would do the job. – zeratul021 Oct 06 '10 at 19:35
  • What I'm not sure about is how to set up correct iptables forwarding and mangling so my concept would work. – zeratul021 Oct 06 '10 at 19:36
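The IP-based approach from the answer, written out as an added example (this is not code from the question or answer). It assumes the answer's convention that VLAN N carries 10.N.0.0/16, a captive web server at the placeholder address 10.0.0.5, and nginx as the web server (the post only says "webserver"). The script generates the iptables DNAT rules that steer port-80 traffic from each banned VLAN's subnet to that server, plus the nginx `geo` block that recovers the VLAN from the client address and rewrites to a per-VLAN page. The mark-based variant described in the comments is generated too; it presumes the Linux box bridges the still-tagged frames with `net.bridge.bridge-nf-call-iptables=1` so the ebtables mark is visible to iptables, which is an assumption about the setup and should be verified before relying on it. Without `APPLY=1` nothing is changed on the host; the commands are only printed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: VLAN N <-> 10.N.0.0/16 (the answer's example scheme); the captive
# web server address below is a constructed placeholder; nginx is the web server.
# MODE=ip   -> DNAT by source subnet (the answer's approach)
# MODE=mark -> ebtables VLAN mark + iptables mark match (the comment's approach;
#              requires a bridge setup with br_netfilter enabled)

WEBSERVER="${WEBSERVER:-10.0.0.5}"   # constructed placeholder
VLANS="${VLANS:-100 101}"            # constructed list of "banned" VLAN ids
MODE="${MODE:-ip}"
APPLY="${APPLY:-0}"                  # 1 = execute the generated rules

# Map a VLAN id to its subnet under the 10.<vlan>.0.0/16 convention.
# Rejects non-numeric ids and ids that cannot be a second octet.
subnet_for_vlan() {
    vlan="$1"
    case "$vlan" in
        ''|*[!0-9]*) echo "bad vlan id: $vlan" >&2; return 1 ;;
    esac
    if [ "$vlan" -lt 1 ] || [ "$vlan" -gt 254 ]; then
        echo "vlan id does not fit the 10.<vlan>.0.0/16 scheme: $vlan" >&2
        return 1
    fi
    echo "10.${vlan}.0.0/16"
}

# One iptables rule: HTTP from this VLAN's subnet is redirected to the web server.
nat_rule_for_vlan() {
    subnet=$(subnet_for_vlan "$1") || return 1
    echo "iptables -t nat -A PREROUTING -s $subnet -p tcp --dport 80 -j DNAT --to-destination ${WEBSERVER}:80"
}

# Mark-based variant: ebtables sets a mark equal to the VLAN id on tagged frames,
# iptables then DNATs HTTP carrying that mark. Only meaningful on a bridge.
mark_rules_for_vlan() {
    vlan="$1"
    echo "ebtables -t nat -A PREROUTING -p 802_1Q --vlan-id $vlan -j mark --mark-set $vlan --mark-target CONTINUE"
    echo "iptables -t nat -A PREROUTING -m mark --mark $vlan -p tcp --dport 80 -j DNAT --to-destination ${WEBSERVER}:80"
}

# nginx fragment: derive $vlan from the client address, then serve /<vlan>.html
# regardless of the URL the client asked for. Clients outside the listed
# subnets get a plain 403 instead of a "banned" page.
nginx_geo_config() {
    echo 'geo $vlan {'
    echo '    default 0;'
    for v in $VLANS; do
        echo "    $(subnet_for_vlan "$v") $v;"
    done
    echo '}'
    echo 'server {'
    echo '    listen 80;'
    echo '    root /var/www/banned;'
    echo '    if ($vlan = 0) { return 403; }'
    echo '    rewrite ^ /$vlan.html break;'
    echo '}'
}

# Print a rule, or run it when APPLY=1.
run_rule() {
    if [ "$APPLY" = 1 ]; then sh -c "$1"; else echo "$1"; fi
}

main() {
    for v in $VLANS; do
        if [ "$MODE" = mark ]; then
            mark_rules_for_vlan "$v" | while IFS= read -r rule; do run_rule "$rule"; done
        else
            run_rule "$(nat_rule_for_vlan "$v")"
        fi
    done
    echo "# --- nginx fragment for the web server ---"
    nginx_geo_config
}

main "$@"
```

Run it once without `APPLY` to review the rules, then with `APPLY=1` on the router; the nginx fragment goes into the server's configuration by hand. The mark mode is printed only, so it can be checked against the actual bridge layout before anything is applied.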