LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices



Reply
 
Search this Thread
Old 09-01-2010, 11:06 AM   #1
please
Member
 
Registered: Apr 2007
Posts: 195

Rep: Reputation: 30
Skip REdirect


Dear All

Now I am running redirect by following

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A POSTROUTING -s 192.168.100.0/255.255.255.0 -o eth1 -j MASQUERADE


I want to skip one of ip address for redirect.

Example: 192.168.100.100 want to use NAT only.

Can you advice me sir?
Thanks
 
Old 09-04-2010, 06:21 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,810
Blog Entries: 54

Rep: Reputation: 2986Reputation: 2986Reputation: 2986Reputation: 2986Reputation: 2986Reputation: 2986Reputation: 2986Reputation: 2986Reputation: 2986Reputation: 2986Reputation: 2986
To exclude one IP address from an iptables rule use an exclamation mark: '-s ! 192.168.100.100/32'.
 
Old 09-05-2010, 01:33 AM   #3
please
Member
 
Registered: Apr 2007
Posts: 195

Original Poster
Rep: Reputation: 30
Hi

Like that ?

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A POSTROUTING -s 192.168.100.0/255.255.255.0 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s ! 192.168.100.100/255.255.255.0 -o eth1 -j MASQUERADE

Thanks
 
Old 09-05-2010, 05:47 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,810
Blog Entries: 54

Rep: Reputation: 2986Reputation: 2986Reputation: 2986Reputation: 2986Reputation: 2986Reputation: 2986Reputation: 2986Reputation: 2986Reputation: 2986Reputation: 2986Reputation: 2986
- To use a single IP address or address range you supply a subnet mask or use CIDR notation. In my example the ".100/32" CIDR denotes a single host. Your example of a ".100/255.255.255.0" subnet mask should be changed to ".100/255.255.255.255" to denote the same.
- Netfilter acts on the first rule that applies. Since this filter applies to the whole range you put the ".100/32" exception before the ".0/24".
- If you do not want an IP or range to go through the nat table you have to create a rule in the table the traffic hits before that.
- To troubleshoot Netfilter rule sets it is good to know you can use 0) packet counters ('iptables -t nat -nvx --line-numbers -L POSTROUTING') and 1) "-j LOG" rules to see if packets get triggered by a filter. To apply everything to your above example:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -s 192.168.100.100/32 -j LOG --log-prefix "IN .100 TCP 80 "
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -s ! 192.168.100.100/32 -j LOG --log-prefix "REDIR .0 TCP 80 "
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -s ! 192.168.100.100/32 -j REDIRECT --to-ports 8080
iptables -t filter -A OUTPUT -s 192.168.100.100/32 -o eth1 -j LOG --log-prefix "OUT .100 "
iptables -t filter -A OUTPUT -s 192.168.100.100/32 -o eth1 -j ACCEPT # Bypass MASQ
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth1 -j LOG --log-prefix "MASQ .0 "
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth1 -j MASQUERADE

Please see the tutorial at archive http://www.frozentux.net/iptables-tu...-tutorial.html .
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
don't skip my post iconicmoronic Linux From Scratch 16 09-05-2008 12:50 PM
how do i skip e2fsck? murrowman789 Slackware 8 07-20-2005 06:25 PM
skip init lord_zoo Linux - General 4 05-19-2005 11:30 AM
did i skip ahead? American Psycho Linux From Scratch 0 04-21-2004 01:28 AM
why does my sound skip bastupungen Linux - Software 7 11-22-2003 09:11 PM


All times are GMT -5. The time now is 12:36 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration