From: Karina <kgs@acabtu.com.mx>
To: Antony Stone <Antony@Soft-Solutions.co.uk>
Cc: netfilter@lists.netfilter.org
Subject: Re: How to NOT redirect..
Date: Thu, 07 Nov 2002 19:19:24 -0600
Message-ID: <3DCB111C.E168955C@acabtu.com.mx>
In-Reply-To: 20021107215631.YSCE3711.mta02-svc.ntlworld.com@there
Thanks a lot...
Now my problem is solved, and it was so easy!!
Regards,
Karina
Antony Stone wrote:
> On Thursday 07 November 2002 6:40 pm, Karina Gómez Salgado wrote:
>
> > Hi, I'm using iptables to redirect requests to port 80 to port 3128 of
> > Squid.
> >
> > But I have a problem, because some of the Squid users have trouble
> > accessing certain services through the proxy. I want these users to
> > bypass the proxy when they try to reach certain sites.
> >
> > So how can I deny the redirect?
> >
> > I've excluded certain users by their source address... making the
> > redirection to the remaining IP addresses.
> >
> > But now I want to send all traffic to Squid, all but certain
> > destinations...
> >
> > Is there a way to do that?
>
> Yes. Depending on how many destination addresses you do / don't want to
> redirect, you could use any of the following three methods (there are almost
> certainly others as well):
>
> 1. Add a "-d a.b.c.d" to your DNAT rule so that only packets matching the
> destination address get DNATted. You then need one of these rules for each
> destination you want the DNAT to apply to.
>
> 2. Add a "-d ! a.b.c.d" if you want to stop a single destination from being
> DNATted. You can only use one of these rules, otherwise two of them in
> combination will have the same effect as not using "-d ! a.b.c.d" at all.
>
> 3. Use your existing DNAT rule in the PREROUTING nat chain, but insert some
> rules before it which match a destination address using "-d a.b.c.d" and use
> the target "-j ACCEPT" so that these packets bypass the DNAT rule.
>
> Basically suggestion 1 allows you to apply DNAT to as many destination
> addresses as you like; suggestion 2 allows you to exclude one address or
> address range from being DNATted; and suggestion 3 allows you to exclude as
> many addresses or ranges as you want.
>
> Somewhere in this you should be able to achieve your goal.
>
> Antony.
>
> --
>
> Software development can be quick, high-quality, or low-cost.
>
> The customer gets to pick any two out of three.
--
LSCI Karina Gómez Salgado
mailto:kgs@acabtu.com.mx
Systems Administrator & Web Projects Manager
BTU Comunicación, S.A. de C.V.
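
Method 3 from the quoted reply, written out as an added example that is not part of the original thread: a script that prints the PREROUTING rules in the order they must be loaded, with the per-destination ACCEPT exemptions ahead of the catch-all redirect to Squid. The interface name eth1, the REDIRECT target with --to-ports, the function names and the sample destinations are assumptions; only ports 80 and 3128 come from the thread.

```sh
#!/bin/sh
# Added example: emit the nat rules for "redirect all web traffic to Squid
# except listed destinations" (method 3). Assumed values: eth1, sample IPs.
# Method 2's negation is written "! -d a.b.c.d" in current iptables.
LAN_IF="${LAN_IF:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Accept only dotted-quad IPv4 with an optional /0-32 prefix.
valid_dest() {
    addr=${1%/*}
    case $1 in */*) pfx=${1#*/} ;; *) pfx=32 ;; esac
    case $pfx in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print commands in load order: exemptions first, catch-all redirect last.
# Every destination is validated before anything is printed, so a typo
# never yields a partial ruleset.
squid_bypass_rules() {
    for d in "$@"; do
        valid_dest "$d" || { echo "bad destination: $d" >&2; return 1; }
    done
    match="-i $LAN_IF -p tcp --dport 80"
    for d in "$@"; do
        # ACCEPT in nat/PREROUTING ends traversal, so no NAT is applied.
        echo "iptables -t nat -A PREROUTING $match -d $d -j ACCEPT"
    done
    echo "iptables -t nat -A PREROUTING $match -j REDIRECT --to-ports $SQUID_PORT"
}

# Constructed sample destinations (RFC 5737 documentation ranges).
squid_bypass_rules 192.0.2.10 198.51.100.0/24
```

Exempted connections leave the gateway directly instead of through Squid, so the FORWARD chain and any source NAT must already permit outbound port 80 for them.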