Okay, here we go. I am using UFW on my Debian 8 server to block all incoming connections on ports 80 and 443, except for those that I have allowed. However, I need to redirect those dropped connections to another IP address (which hosts a website), letting those people know that their connection was denied. I know that there is not a way of doing that with UFW, but can it be done with iptables? (Or any other way for that matter; I thought iptables could allow that.) Note that I do not want to use a Squid proxy for authentication, mainly because it does not support SNI (for HTTPS connections), and it is too complicated and extensive for the purpose I have (overkill).

Appreciate any help.

EAdev

1 Answer

If you want to send a visible message to people connecting to your port 80 or 443, you need a web server for sending that message. Firewalls only handle restrictions on layer 3 / layer 4. HTTP / HTTPS is a layer 7 protocol, and a firewall doesn't provide any implementation for that.

So, your option here is to implement this "blocking" behaviour on your web server, which handles the contents for allowed addresses.

Tero Kilkanen
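One way to implement the answer's suggestion on the web server itself, as an added example that is not part of the original answer: an nginx server block that serves the site only to allow-listed client addresses and returns a custom "access denied" page to everyone else. nginx is an assumption (the question does not say which web server is in use), and the host name, address ranges and file paths are placeholders.

```nginx
# Added example, not from the original answer. Assumed host name, address
# ranges (RFC 5737 documentation networks) and paths; replace with your own.
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;                                  # assumed

    ssl_certificate     /etc/ssl/certs/example.com.pem;       # assumed paths
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # Map nginx's 403 to a custom page. The page is served from this host over
    # the same certificate, so HTTPS clients see no certificate mismatch, which
    # they would if the connection were redirected to a different IP address.
    error_page 403 /denied.html;
    location = /denied.html {
        root /var/www/denied;         # assumed directory holding denied.html
        internal;                     # only reachable via the error_page redirect
    }

    location / {
        # Allow-list: first matching rule wins; everyone else gets 403 and
        # therefore the denied page above.
        allow 203.0.113.0/24;         # assumed office network
        allow 198.51.100.7;           # assumed single trusted host
        deny  all;

        root  /var/www/site;          # assumed document root for allowed clients
        index index.html;
    }
}
```

Denied requests are logged by nginx as "access forbidden by rule" in the error log, which gives a simple way to see who is being refused. Note that with this approach the firewall still accepts the TCP connection on 80/443 from everyone; the restriction moves to the web server, which is exactly the point of the answer.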
  • Ahh, depends on the firewall. Some firewalls do indeed support the HTTP protocol, via so-called "deep packet inspection". I don't wanna think about what that does to your connection speeds and CPU usage, though, but the Chinese government is famously doing it on a massive scale – hanshenrik Oct 25 '17 at 21:08
  • What extra value would inspecting http protocol bring to the great firewall, when they can simply block IP addresses of web sites? – Tero Kilkanen Oct 25 '17 at 21:22
  • In order to know which IPs to block, they first need to know which IPs are badmouthing the Chinese government, or running proxies, etc. – hanshenrik Oct 26 '17 at 09:58
  • Here's an interesting read on trying to bypass the great firewall: http://blog.zorinaq.com/my-experience-with-the-great-firewall-of-china/ – hanshenrik Oct 26 '17 at 09:58
  • The great firewall is of course an interesting topic, but it is off-topic here. And actually the comments are off-topic, since the question was about returning an answer, not simply inspecting which is a different thing. – Tero Kilkanen Oct 26 '17 at 19:27