iptables port redirect question

iptables port redirect question

[joydeep]

Hello,

How can I redirect all packets exclude the packets for lan ( 192.168.0.0 ) and
all packets to/from lo (localhost) ?

I have done something like

[.......]

    # Traffic on the loopback interface is accepted.
    iptables -A INPUT -i lo -j ACCEPT

   # Internal network connections are accepted. 
    iptables -A OUTPUT -d 192.168.0.0/255.255.0.0 -j ACCEPT


 iptables -t nat -A OUTPUT ! -o lo -p tcp -m tcp -j REDIRECT --to-ports 8080
 iptables -t filter -A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
 iptables -t filter -A OUTPUT ! -o lo -j DROP

[...............]

But this also redirect all local lan packets naturally, as it compares with lo . How can I combined both lo and local lan ?
Can a customized chain help ?

Thanks

Re: iptables port redirect question

[Michal Kubeček]

On Monday 17 of September 2012 11:03EN, joydeep@infoservices.in wrote:
> Hello,
> 
> How can I redirect all packets exclude the packets for lan (
> 192.168.0.0 ) and all packets to/from lo (localhost) ?
...
> But this also redirect all local lan packets naturally, as it compares
> with lo . How can I combined both lo and local lan ? Can a customized
> chain help ?

Yes, in general, custom chain and RETURN target can help to simulate 
"or" operator. But in your case, you should be able to combine "! -o lo" 
and "! -d 192.168.0.0/16" matches to do what you need.

On the other hand, I prefer to explicitly state what I want to 
masquerade rather than masqeurading everything with some exceptions.

                                                          Michal Kubeèek

Re: iptables port redirect question

[joydeep.bakshi]

On Mon, 17 Sep 2012 08:12:23 +0200
Michal Kubeček <mkubecek@suse.cz> wrote:

> On Monday 17 of September 2012 11:03EN, joydeep@infoservices.in wrote:
> > Hello,
> > 
> > How can I redirect all packets exclude the packets for lan (
> > 192.168.0.0 ) and all packets to/from lo (localhost) ?
> ...
> > But this also redirect all local lan packets naturally, as it compares
> > with lo . How can I combined both lo and local lan ? Can a customized
> > chain help ?
> 
> Yes, in general, custom chain and RETURN target can help to simulate 
> "or" operator. But in your case, you should be able to combine "! -o lo" 
> and "! -d 192.168.0.0/16" matches to do what you need.
> 
> On the other hand, I prefer to explicitly state what I want to 
> masquerade rather than masqeurading everything with some exceptions.
> 
>                                                           Michal Kubeček
> 

Thanks,

Actually my requirement is fulfilled by routing everything excluding lo and
local lan. May be I need to exclude the gmail smtp and pop. But that's all.
Does the "and" operator simply works as you have described ? What should be done
if I go for a custom chain ?

-- regards

Re: iptables port redirect question

[Jan Engelhardt]

On Monday 2012-09-17 09:17, joydeep.bakshi@infoservices.in wrote:
>
>Actually my requirement is fulfilled by routing everything excluding lo and
>local lan.

Routing is always performed by definition.
(Packets are routed, interfaces are not.)