Multiple iptables exceptions?

Multiple iptables exceptions?

[Jaret]

When dealing with iptable rules you can use the "!" exception rule.
For instance...

IPTABLES -t nat -A PREROUTING -s 10.1.1.2 -d ! 207.46.0.0/16 --proto
tcp --dport 80 -j DNAT --to-destination 10.1.1.3:80

That statement will redirect any port 80 traffic from 10.1.1.2 to
10.1.1.3 -unless- it is trying to reach the class B network
207.46.0.0/16. That 207.46.0.0/16 happens to be part of the microsoft
domain, this way the user will only be allowed to go get updates but
will not be allowed to browse online freely. This has been tested and
proven.

So here comes the twist... microsoft does some dns load balancing and
sometimes the update site resolves at 64.4.xx.xx. Ive been digging
through documentation and trying to insert customized rules but I cant
get it to accept anything I try to allow two exception statements...

conceptually what im looking for is something like this...

IPTABLES -t nat -A PREROUTING -s 10.1.1.2 -d ! 207.46.0.0/16,
64.4.0.0/16 --proto tcp --dport 80 -j DNAT --to-destination
10.1.1.3:80

But iptables will not allow the double exception.. well it doesnt
recognize the comma delimit anyways. Like I said I've tried to get
this working a few ways and havent been able to in a single statement
or through multiple statements.

Does anyone out there know a work around for this? Preferably a
solution that stays within IPtables.

Thanks!

Re: Multiple iptables exceptions?

[Aleksandar Milivojevic]

Jaret wrote:
> conceptually what im looking for is something like this...
> 
> IPTABLES -t nat -A PREROUTING -s 10.1.1.2 -d ! 207.46.0.0/16,
> 64.4.0.0/16 --proto tcp --dport 80 -j DNAT --to-destination
> 10.1.1.3:80

You can try using user defined chain.  Add source, protocol and port 
options back into three PREROUTING rules, I left them out for clarity:

iptables -t nat -N MS
iptables -t nat -A MS -j ACCEPT
iptables -t nat -A PREROUTING -d 207.46.0.0/16 -j MS
iptables -t nat -A PREROUTING -d 64.4.0.0/16 -j MS
iptables -t nat -A PREROUTING -j DNAT --to-destination 10.1.1.3:80

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

Re: Multiple iptables exceptions?

[Abdul-Wahid Paterson]

I think it is better to do it this way incase there are other rules
that need to be traversed in the PREROUTING chain.

iptables -t nat -N MS
iptables -t nat -A MS -d 207.46.0.0/16 -j RETURN
iptables -t nat -A MS -d 64,4,0,0/16 -j RETURN
iptables -t nat -A MS -j DNAT --to-destination 10.1.1.3:80
iptables -t nat -A PREROUTING -j MS

Regards,

Abdul-Wahid


On Thu, 23 Sep 2004 10:23:39 -0500, Aleksandar Milivojevic
<amilivojevic@pbl.ca> wrote:
> Jaret wrote:
> > conceptually what im looking for is something like this...
> >
> > IPTABLES -t nat -A PREROUTING -s 10.1.1.2 -d ! 207.46.0.0/16,
> > 64.4.0.0/16 --proto tcp --dport 80 -j DNAT --to-destination
> > 10.1.1.3:80
> 
> You can try using user defined chain.  Add source, protocol and port
> options back into three PREROUTING rules, I left them out for clarity:
> 
> iptables -t nat -N MS
> iptables -t nat -A MS -j ACCEPT
> iptables -t nat -A PREROUTING -d 207.46.0.0/16 -j MS
> iptables -t nat -A PREROUTING -d 64.4.0.0/16 -j MS
> iptables -t nat -A PREROUTING -j DNAT --to-destination 10.1.1.3:80
> 
> --
> Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
> Systems Administrator                           1499 Buffalo Place
> Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
> 
>

Re: Multiple iptables exceptions?

[Jaret]

Listserves are a beautiful thing.  Thanks for the help guys.  Worked.


On Thu, 23 Sep 2004 16:59:52 +0100, Abdul-Wahid Paterson
<abdulwahid@gmail.com> wrote:
> I think it is better to do it this way incase there are other rules
> that need to be traversed in the PREROUTING chain.
> 
> iptables -t nat -N MS
> iptables -t nat -A MS -d 207.46.0.0/16 -j RETURN
> iptables -t nat -A MS -d 64,4,0,0/16 -j RETURN
> iptables -t nat -A MS -j DNAT --to-destination 10.1.1.3:80
> iptables -t nat -A PREROUTING -j MS
> 
> Regards,
> 
> Abdul-Wahid
> 
> On Thu, 23 Sep 2004 10:23:39 -0500, Aleksandar Milivojevic
> 
> 
> <amilivojevic@pbl.ca> wrote:
> > Jaret wrote:
> > > conceptually what im looking for is something like this...
> > >
> > > IPTABLES -t nat -A PREROUTING -s 10.1.1.2 -d ! 207.46.0.0/16,
> > > 64.4.0.0/16 --proto tcp --dport 80 -j DNAT --to-destination
> > > 10.1.1.3:80
> >
> > You can try using user defined chain.  Add source, protocol and port
> > options back into three PREROUTING rules, I left them out for clarity:
> >
> > iptables -t nat -N MS
> > iptables -t nat -A MS -j ACCEPT
> > iptables -t nat -A PREROUTING -d 207.46.0.0/16 -j MS
> > iptables -t nat -A PREROUTING -d 64.4.0.0/16 -j MS
> > iptables -t nat -A PREROUTING -j DNAT --to-destination 10.1.1.3:80
> >
> > --
> > Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
> > Systems Administrator                           1499 Buffalo Place
> > Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
> >
> >
> 
>