From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mart Frauenlob
Subject: Re: need help on *nat filter for multiple source IP
Date: Mon, 13 Apr 2009 07:05:16 +0200
Message-ID: <49E2C80C.1030406@chello.at>
References: <5a7ba2310904122005k6606f6falba0b74b118f42090@mail.gmail.com>
Reply-To: netfilter@vger.kernel.org
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <5a7ba2310904122005k6606f6falba0b74b118f42090@mail.gmail.com>
Sender: netfilter-owner@vger.kernel.org
List-ID:
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: netfilter@vger.kernel.org

no doubt wrote:
> Hi,
>
> Currently I'm running a gw firewall for an internal SOHO network.
>
> I would like to achieve that all IPs in 192.168.4.0/24 that are
> accessing an outside internet address on port 80 will be directed to
> 192.168.3.10 port 80, EXCEPT for a few IPs, namely 192.168.4.10,
> 192.168.4.100 and 192.168.4.20.
>
> My rules in the nat filter read like this:
> *nat
> :PREROUTING ACCEPT [4314:569235]
> :POSTROUTING ACCEPT [42:12421]
> :OUTPUT ACCEPT [2807:264498]
>
> iptables -A PREROUTING -s ! 192.168.4.10/32 -d ! 192.168.0.0/16 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.10
> iptables -A PREROUTING -s ! 192.168.4.20/32 -d ! 192.168.0.0/16 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.10
> iptables -A PREROUTING -s ! 192.168.4.100/32 -d ! 192.168.0.0/16 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.10
>
> -A POSTROUTING -o ppp+ -j MASQUERADE
> COMMIT
>
> Somehow it doesn't work, but if I leave only the 1st line, it works.
>
> Is there anything I can modify in the rules?
>

try this:

iptables -t nat -N my_dnat
iptables -t nat -A PREROUTING -i eth2 -s 192.168.4.10 -p tcp --dport 80 -j my_dnat
[...]
iptables -t nat -A my_dnat -j DNAT --to-destination 192.168.3.10

-A POSTROUTING -o ppp+ -j MASQUERADE

greets
Mart
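Why the three-rule version in the question DNATs the exempt hosts as well, and how a user chain with RETURN fixes it, is easiest to see by walking the packets through the chain. The model below is an added example written for this page, not code from the thread or from netfilter: it implements first-match evaluation of a nat PREROUTING chain for just the matches the thread uses (-i, -s and -d with optional negation, -p tcp --dport) and the targets DNAT, RETURN and jump-to-user-chain. The chain name my_dnat is borrowed from Mart's reply; the layout of the corrected ruleset (one jump, one RETURN per exemption, an unconditional DNAT last) and the sample external address 198.51.100.7 are my own assumptions.

```python
"""First-match model of an iptables nat PREROUTING chain (added example).

Shows that three rules, each negating ONE exempt source, do not add up to
"none of these sources": a packet from .10 fails rule 1 but matches rule 2
("not .20") and is DNATed anyway.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    iif: str      # ingress interface
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    target: str                  # "DNAT", "RETURN" or the name of a user chain
    iif: Optional[str] = None
    src: Optional[str] = None    # CIDR, e.g. "192.168.4.10/32"
    src_neg: bool = False        # True models "! -s"
    dst: Optional[str] = None
    dst_neg: bool = False        # True models "! -d"
    dport: Optional[int] = None
    to: Optional[str] = None     # --to-destination for DNAT


def _in_net(addr: str, net: Optional[str], neg: bool) -> bool:
    """Address match with optional negation; an absent match always passes."""
    if net is None:
        return True
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
    return hit != neg


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.iif is None or rule.iif == pkt.iif)
            and _in_net(pkt.src, rule.src, rule.src_neg)
            and _in_net(pkt.dst, rule.dst, rule.dst_neg)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(chains: Dict[str, List[Rule]], chain: str, pkt: Packet) -> Optional[str]:
    """Walk `chain` top to bottom and return the DNAT destination, or None.

    None means the packet fell off the end (or hit RETURN) unmodified, so the
    chain policy (ACCEPT) applies and the original destination is kept.
    """
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule.target == "DNAT":
            return rule.to                     # terminating target: first match wins
        if rule.target == "RETURN":
            return None                        # back to the caller, nothing rewritten
        result = evaluate(chains, rule.target, pkt)   # jump to a user chain
        if result is not None:
            return result                      # user chain decided; otherwise keep walking


EXEMPT = ["192.168.4.10", "192.168.4.20", "192.168.4.100"]

# The poster's rules: one "! -s X" per exempt host, all terminating in DNAT.
ORIGINAL = {
    "PREROUTING": [
        Rule("DNAT", iif="eth2", src=ip + "/32", src_neg=True,
             dst="192.168.0.0/16", dst_neg=True, dport=80, to="192.168.3.10")
        for ip in EXEMPT
    ]
}

# Corrected layout (assumed, in the spirit of Mart's user chain): jump all
# outbound port-80 traffic once, RETURN for each exemption, then DNAT the rest.
CORRECTED = {
    "PREROUTING": [
        Rule("my_dnat", iif="eth2", dst="192.168.0.0/16", dst_neg=True, dport=80)
    ],
    "my_dnat": [Rule("RETURN", src=ip + "/32") for ip in EXEMPT]
               + [Rule("DNAT", to="192.168.3.10")],
}


def dnat_targets(chains: Dict[str, List[Rule]], srcs: List[str],
                 dst: str = "198.51.100.7", dport: int = 80) -> Dict[str, Optional[str]]:
    """Map each source address to where its packet is DNATed (None = untouched).

    198.51.100.7 is a constructed sample external address (TEST-NET-2).
    """
    return {s: evaluate(chains, "PREROUTING", Packet("eth2", s, dst, dport))
            for s in srcs}


if __name__ == "__main__":
    hosts = EXEMPT + ["192.168.4.50"]
    print("original :", dnat_targets(ORIGINAL, hosts))   # every host -> 192.168.3.10
    print("corrected:", dnat_targets(CORRECTED, hosts))  # exempt -> None, .50 -> 192.168.3.10
```

The corrected layout in real iptables syntax is one jump from PREROUTING (`iptables -t nat -A PREROUTING -i eth2 ! -d 192.168.0.0/16 -p tcp --dport 80 -j my_dnat`), one `-s <host> -j RETURN` per exempt host appended to my_dnat, and `-j DNAT --to-destination 192.168.3.10` as the last rule of that chain; current iptables expects the negation before the option (`! -s`, `! -d`) rather than after it. Two things to check on the box itself: 192.168.3.10 must not be reachable from the 192.168.4.0/24 hosts without passing back through the firewall, or conntrack never sees the replies and cannot undo the DNAT; and the extra hop this adds to every port-80 connection is only worth it if the service on 192.168.3.10 actually expects transparently redirected traffic.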