* PREROUTING exclude
From: Scott Ainslie @ 2002-09-05 12:50 UTC
To: netfilter
I want the following rule to work for all machines on my subnet except for
192.168.0.4. How do I exclude this single machine from this rule?
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp \
-s 192.168.0.0/24 \
-d 0/0 --dport 80 \
-j DNAT --to 192.168.0.4:3128
* Re: PREROUTING exclude
From: Antony Stone @ 2002-09-05 13:01 UTC
To: netfilter
On Thursday 05 September 2002 1:50 pm, Scott Ainslie wrote:
> I want the following rule to work for all machines on my subnet except for
> 192.168.0.4. How do I exclude this single machine from this rule?
>
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp \
> -s 192.168.0.0/24 \
> -d 0/0 --dport 80 \
> -j DNAT --to 192.168.0.4:3128
Put the following rule before the one above:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -s 192.168.0.4 -j ACCEPT
In other words, match the machine you do not want to be translated, and use
the ACCEPT target to stop processing further rules for this machine.
Antony.
--
If at first you don't succeed, destroy all the evidence that you tried.
* Re: PREROUTING exclude
From: Anders Fugmann @ 2002-09-05 13:09 UTC
To: Scott Ainslie; +Cc: netfilter
Scott Ainslie wrote:
> I want the following rule to work for all machines on my subnet except
> for 192.168.0.4. How do I exclude this single machine from this rule?
>
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp \
> -s 192.168.0.0/24 \
> -d 0/0 --dport 80 \
> -j DNAT --to 192.168.0.4:3128
>
The general "all but some" case can be done by making a new chain and
implementing fall-through in this chain.
Given the above example you could do:
iptables -t nat -N DNAT_INT
iptables -t nat -A DNAT_INT -s 192.168.0.4 -j RETURN
iptables -t nat -A DNAT_INT -j DNAT --to 192.168.0.4:3128
# --dport requires -p tcp, and the jump option is lowercase -j
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j DNAT_INT
Or something along those lines. (I removed the -d 0/0, since it's
redundant = default, and I would also suggest adding an interface
constraint, just to be sure).
Regards
Anders Fugmann
--
Author of FIAIF
FIAIF Is An Intelligent Firewall
http://fiaif.fugmann.dhs.org
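Both replies above rely on rule order: the rule that exempts 192.168.0.4 has to be evaluated before the DNAT rule, whether that exemption is an ACCEPT in nat/PREROUTING (Antony) or a RETURN in a user chain (Anders). The script below is an added example, not code from the thread; it builds both rulesets through a dry-run wrapper so they can be read and tested without root, and includes a small order check. The interface, subnet, proxy address and port are taken from the original post; the assumption that 192.168.0.4 is the proxy itself (port 3128 is the usual Squid port), and therefore that the exemption also stops the proxy's own outbound port-80 connections from being redirected back to itself, is mine and not stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): the "all but 192.168.0.4" redirect
# built both ways. IPT defaults to a dry run that prints the commands;
# export IPT=iptables to apply them for real. Values below are assumptions
# taken from the original post.
IPT="${IPT:-echo iptables}"
IFACE=eth0
LAN=192.168.0.0/24
PROXY=192.168.0.4          # assumed to be the proxy host itself
PROXY_PORT=3128

# Approach 1 (Antony): ACCEPT in nat/PREROUTING ends nat processing for
# this connection, so the exemption must precede the DNAT rule.
rules_accept_first() {
    $IPT -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 -s "$PROXY" -j ACCEPT
    $IPT -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 -s "$LAN" \
        -j DNAT --to-destination "$PROXY:$PROXY_PORT"
}

# Approach 2 (Anders): a user chain that RETURNs for the exception and
# falls through to the DNAT for everyone else. --dport needs -p tcp, and
# the interface constraint Anders suggested is included here.
rules_user_chain() {
    $IPT -t nat -N DNAT_INT
    $IPT -t nat -A DNAT_INT -s "$PROXY" -j RETURN
    $IPT -t nat -A DNAT_INT -j DNAT --to-destination "$PROXY:$PROXY_PORT"
    $IPT -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 -s "$LAN" -j DNAT_INT
}

# Order check over a generated rule list ($1): the line exempting the proxy
# (ACCEPT or RETURN) must come before the first DNAT line. If it does not,
# the proxy's own port-80 traffic would be looped back to itself.
# Returns 0 when the order is correct, 1 otherwise.
check_order() {
    exempt=$(printf '%s\n' "$1" \
        | grep -nE -e "-s $PROXY -j (ACCEPT|RETURN)" | cut -d: -f1 | head -n1)
    dnat=$(printf '%s\n' "$1" \
        | grep -n -e "-j DNAT " | cut -d: -f1 | head -n1)
    [ -n "$exempt" ] && [ -n "$dnat" ] && [ "$exempt" -lt "$dnat" ]
}

# Print (or apply, if IPT=iptables) the chain-based ruleset.
rules_user_chain
```

Run it as-is to see the commands; `IPT=iptables sh script.sh` as root applies the chain-based variant. `check_order` is deliberately crude (it only compares line positions), which is enough to catch the one mistake that matters here: putting the DNAT rule first.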