From: Jaret <bitgod@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Multiple iptables exceptions?
Date: Thu, 23 Sep 2004 10:08:39 -0500
Message-ID: <bc9fb38004092308087dc97b87@mail.gmail.com>

When dealing with iptables rules you can use the "!" exception rule.
For instance...

IPTABLES -t nat -A PREROUTING -s 10.1.1.2 -d ! 207.46.0.0/16 --proto
tcp --dport 80 -j DNAT --to-destination 10.1.1.3:80

That statement will redirect any port 80 traffic from 10.1.1.2 to
10.1.1.3 -unless- it is trying to reach the class B network
207.46.0.0/16. That 207.46.0.0/16 happens to be part of the Microsoft
domain; this way the user will only be allowed to go get updates but
will not be allowed to browse online freely. This has been tested and
proven.

So here comes the twist... Microsoft does some DNS load balancing and
sometimes the update site resolves at 64.4.xx.xx. I've been digging
through documentation and trying to insert customized rules, but I can't
get it to accept anything I try in order to allow two exception statements...

Conceptually, what I'm looking for is something like this...

IPTABLES -t nat -A PREROUTING -s 10.1.1.2 -d ! 207.46.0.0/16,
64.4.0.0/16 --proto tcp --dport 80 -j DNAT --to-destination
10.1.1.3:80

But iptables will not allow the double exception.. well, it doesn't
recognize the comma delimiter anyway. Like I said, I've tried to get
this working a few ways and haven't been able to, in a single statement
or through multiple statements.

Does anyone out there know a workaround for this? Preferably a
solution that stays within iptables.

Thanks!
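One way to get several destination exceptions into a single port-80 redirect while staying within iptables, as an added example that is not part of the original post or of the thread's replies: instead of a comma-separated "! -d" list (which iptables does not accept), put the exempt networks in a user-defined chain of the nat table as ACCEPT rules, and DNAT whatever falls through. In the nat table ACCEPT means "leave this table without translating", so the exempt destinations pass untouched. The client address, redirect target and the two networks are taken from the post; the chain name prefix WEB_REDIRECT_ and the IPT variable are this example's own conventions. IPT defaults to "echo iptables", so running the script as-is only prints the commands; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Several destination exceptions for one DNAT redirect, expressed as a
# user-defined nat chain: exempt networks hit ACCEPT (no translation),
# everything else is redirected.
#
# IPT defaults to a dry run that prints the commands. Use IPT=iptables
# (as root) to apply them for real. Note that "-N" fails if the chain
# already exists; flush or delete it first when re-running.
IPT="${IPT:-echo iptables}"

# Emit the rule set for one client.
#   $1  client source address
#   $2  DNAT target as host:port
#   $3… one or more exempt destination networks in CIDR notation
build_web_redirect() {
    src="$1"; target="$2"; shift 2
    # Chain names may not contain dots; derive one from the client address.
    chain="WEB_REDIRECT_$(echo "$src" | tr . _)"

    $IPT -t nat -N "$chain"
    # One ACCEPT per exempt network. In the nat table ACCEPT means
    # "stop traversing this table, do not NAT this connection".
    for net in "$@"; do
        $IPT -t nat -A "$chain" -d "$net" -j ACCEPT
    done
    # Anything that fell through the exceptions is redirected.
    $IPT -t nat -A "$chain" -j DNAT --to-destination "$target"
    # Hook the chain into PREROUTING for TCP port 80 from this client only.
    $IPT -t nat -A PREROUTING -s "$src" -p tcp --dport 80 -j "$chain"
}

# Count the exemption rules in a generated rule set read from stdin, so the
# output can be sanity-checked without root or a live netfilter.
count_exempt_rules() {
    grep -c -- '-j ACCEPT'
}

# Constructed input from the post: client 10.1.1.2, redirect to 10.1.1.3:80,
# exempting the two Microsoft networks mentioned in the question.
build_web_redirect 10.1.1.2 10.1.1.3:80 207.46.0.0/16 64.4.0.0/16
```

Adding a third exempt network is one more argument, not a new syntax. Rule order matters: the ACCEPT lines must precede the DNAT line, which the function guarantees. On kernels with ipset available, a long or frequently changing list of exempt networks is better kept in a set and matched with a single "-m set --match-set NAME dst -j ACCEPT" rule, so the list can be updated without touching the chain; the underlying point is the same, since pinning exceptions to IP ranges behind a DNS-load-balanced service is fragile whichever way the rules are written.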


Thread overview: 4+ messages
2004-09-23 15:08 Jaret [this message]
2004-09-23 15:23 ` Multiple iptables exceptions? Aleksandar Milivojevic
2004-09-23 15:59   ` Abdul-Wahid Paterson
2004-09-23 18:27     ` Jaret