From: Karina <kgs@acabtu.com.mx>
To: Antony Stone <Antony@Soft-Solutions.co.uk>
Cc: netfilter@lists.netfilter.org
Subject: Re: How to NOT redirect..
Date: Thu, 07 Nov 2002 19:19:24 -0600
Message-ID: <3DCB111C.E168955C@acabtu.com.mx>
In-Reply-To: 20021107215631.YSCE3711.mta02-svc.ntlworld.com@there

Thanks a lot...

Now my problem is solved, and it was so easy!!

Regards,

Karina


Antony Stone wrote:

> On Thursday 07 November 2002 6:40 pm, Karina Gómez Salgado wrote:
>
> > Hi, I'm using iptables to redirect requests to port 80 to port 3128 of
> > Squid.
> >
> > But I have a problem, because some of the Squid users have trouble
> > accessing certain services through the proxy. I want these users to
> > bypass the proxy when they try to reach certain sites.
> >
> > So how can I deny the redirect?
> >
> > I've excluded certain users by their source address... making the
> > redirection to the remaining IP addresses.
> >
> > But now I want to send all traffic to Squid, all but certain
> > destinations...
> >
> > Is there a way to do that?
>
> Yes. Depending on how many destination addresses you do / don't want to
> redirect, you could use any of the following three methods (there are almost
> certainly others as well):
>
> 1. Add a "-d a.b.c.d" to your DNAT rule so that only packets matching the
> destination address get DNATted.   You then need one of these rules for each
> destination you want the DNAT to apply to.
>
> 2. Add a "-d ! a.b.c.d" if you want to stop a single destination from being
> DNATted.   You can only use one of these rules, otherwise two of them in
> combination will have the same effect as not using "-d ! a.b.c.d" at all.
>
> 3. Use your existing DNAT rule in the PREROUTING nat chain, but insert some
> rules before it which match a destination address using "-d a.b.c.d" and use
> the target "-j ACCEPT" so that these packets bypass the DNAT rule.
>
> Basically suggestion 1 allows you to apply DNAT to as many destination
> addresses as you like; suggestion 2 allows you to exclude one address or
> address range from being DNATted; and suggestion 3 allows you to exclude as
> many addresses or ranges as you want.
>
> Somewhere in this you should be able to achieve your goal.
>
> Antony.
>
> --
>
> Software development can be quick, high-quality, or low-cost.
>
> The customer gets to pick any two out of three.

--
LSCI Karina Gómez Salgado
mailto:kgs@acabtu.com.mx
Systems Administrator & Web Projects Manager

BTU Comunicación, S.A. de C.V.
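
The three methods from the quoted reply, modelled as first-match rule evaluation so the difference between them can be checked per destination. This is an added example, not part of the original messages; the destination addresses are constructed documentation-range samples, and REDIRECT stands for the port 80 to 3128 rule described in the question.

```python
from ipaddress import ip_address, ip_network

# Constructed sample destinations (documentation ranges), not from the thread.
SITE_A = "192.0.2.10"
SITE_B = "198.51.100.0/24"
ANY = "0.0.0.0/0"

def verdict(chain, dst):
    """Return the target of the first rule in `chain` that matches `dst`.

    Each rule is (network, negated, target). This models the nat PREROUTING
    chain for a new TCP/80 connection: ACCEPT and REDIRECT both end chain
    traversal, and falling off the end applies the default ACCEPT policy,
    i.e. the packet is not sent to the proxy.
    """
    for net, negated, target in chain:
        inside = ip_address(dst) in ip_network(net)
        if inside != negated:  # "-d net" matches inside, "-d ! net" outside
            return target
    return "ACCEPT"

# Method 1: one "-d a.b.c.d" rule per destination that should be proxied.
METHOD_1 = [(SITE_A, False, "REDIRECT"), (SITE_B, False, "REDIRECT")]

# Method 2: a single "-d ! a.b.c.d" rule excludes one address or range.
METHOD_2 = [(SITE_B, True, "REDIRECT")]

# Method 2 used twice: each negated rule catches what the other one skipped,
# so every destination ends up redirected.
METHOD_2_TWICE = [(SITE_A, True, "REDIRECT"), (SITE_B, True, "REDIRECT")]

# Method 3: ACCEPT rules inserted before the existing catch-all rule.
METHOD_3 = [(SITE_A, False, "ACCEPT"), (SITE_B, False, "ACCEPT"),
            (ANY, False, "REDIRECT")]

def table(chain, destinations):
    """Map each destination to the verdict the chain gives it."""
    return {dst: verdict(chain, dst) for dst in destinations}

if __name__ == "__main__":
    probes = ["192.0.2.10", "198.51.100.7", "203.0.113.5"]
    for name, chain in [("method 1", METHOD_1), ("method 2", METHOD_2),
                        ("method 2 twice", METHOD_2_TWICE),
                        ("method 3", METHOD_3)]:
        print(name, table(chain, probes))
```
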



