undefined | Better HN

0 pointsaexaey9y ago0 comments

Sure, if you want to serve TCP reset / ICMP port-unreachable to blocked users, then yes - iptables or external firewall is a more natural way to do it.

But what if you want to serve different content to "blocked" users? i.e. login page, "we're sorry" page, redirect to read-only version of the site, reminder to connect to office VPN, anything like that...

Another example - more than one site on the same (server) IP, and only part of them are (client) IP-restricted.

0 comments

1 comments · 1 top-level

pritambaral9y ago

Considering that firewalls are the best tools to "filter" by IP ranges, I'd suggest this "hack": Reroute the "blocked" packets (my favourite method is DNAT with iptables) to a different webserver which only serves the special pages.

j / k navigate · click thread line to collapse