multiple exclusive DNAT does not work

multiple exclusive DNAT does not work

[Aleksei Bebinov]

Hi all,
tinkering with OpenWRT router ( Kamikaze 7.09) and need so finctionality :
1. all the web traffic thet flow throw router and masquerading have to
be forwarded to external proxy
2.but i have 22 subnets of my local ISPs that have to flow directly
without proxyng.

I do so :
---------------
cat /etc/config/kg-nets | while read LINE
do
#iptables -t nat -A PREROUTING -i br-lan -d  !  $LINE -p tcp -m
multiport --dports  80 -j DNAT --to-destination pr.oxy.ip:3128

done
--------------------------------------------

My script cat the file line by line and add excluding rules ( with ! )
of nets that i dont need to redirect.
BUT!
if only one rule ( for one subnet) persist in table - it works fine, and
if i ll add second  - with second net -  all the traffic redirecting to
proxy - without any  exclusions.

i cant understand  why ?
Could somebody help me please ?

Thanks in advance,
Aleksei

Re: multiple exclusive DNAT does not work

[Leonardo Rodrigues Magalhães]

Aleksei Bebinov escreveu:
> I do so :
> ---------------
> cat /etc/config/kg-nets | while read LINE
> do
> #iptables -t nat -A PREROUTING -i br-lan -d  !  $LINE -p tcp -m
> multiport --dports  80 -j DNAT --to-destination pr.oxy.ip:3128
>
> done
> --------------------------------------------
>
> My script cat the file line by line and add excluding rules ( with ! )
> of nets that i dont need to redirect.
> BUT!
> if only one rule ( for one subnet) persist in table - it works fine, and
> if i ll add second  - with second net -  all the traffic redirecting to
> proxy - without any  exclusions.
>
>   

    wrong rule for your needs. Maybe:

for LINE in `cat /etc/config/kg-nets`; do
    iptables -t nat -A PREROUTING -i br-lan -d $LINE -p tcp --dport 80 
-j ACCEPT
done
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT 
--to-destination pr.oxy.ip:3128

    will do it.

    if someone asks me ONE single tip for making iptables easier, i 
would say "do NOT use negation rules, those with !" ..... they work just 
fine, but people rarely understands that it wont allow multiple 
exclusions and will keep fighting with that. Anyway, anything done with 
negation rules can be written in other single (and easier to understood) 
rules.




-- 


	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it

Re: multiple exclusive DNAT does not work

[Aleksei Bebinov]

Thanks Leonardo.
It works fine, and its some different than OBSD PF :-)



Leonardo Rodrigues Magalhães пишет:
>
>
> Aleksei Bebinov escreveu:
>> I do so :
>> ---------------
>> cat /etc/config/kg-nets | while read LINE
>> do
>> #iptables -t nat -A PREROUTING -i br-lan -d  !  $LINE -p tcp -m
>> multiport --dports  80 -j DNAT --to-destination pr.oxy.ip:3128
>>
>> done
>> --------------------------------------------
>>
>> My script cat the file line by line and add excluding rules ( with ! )
>> of nets that i dont need to redirect.
>> BUT!
>> if only one rule ( for one subnet) persist in table - it works fine, and
>> if i ll add second  - with second net -  all the traffic redirecting to
>> proxy - without any  exclusions.
>>
>>   
>
>    wrong rule for your needs. Maybe:
>
> for LINE in `cat /etc/config/kg-nets`; do
>    iptables -t nat -A PREROUTING -i br-lan -d $LINE -p tcp --dport 80
> -j ACCEPT
> done
> iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT
> --to-destination pr.oxy.ip:3128
>
>    will do it.
>
>    if someone asks me ONE single tip for making iptables easier, i
> would say "do NOT use negation rules, those with !" ..... they work
> just fine, but people rarely understands that it wont allow multiple
> exclusions and will keep fighting with that. Anyway, anything done
> with negation rules can be written in other single (and easier to
> understood) rules.
>
>
>
>