- To use a single IP address or address range you supply a subnet mask or use CIDR notation. In my example the ".100/32" CIDR denotes a single host. Your example of a ".100/255.255.255.0" subnet mask should be changed to ".100/255.255.255.255" to denote the same.
- Netfilter acts on the first rule that applies. Since this filter applies to the whole range, you put the ".100/32" exception before the ".0/24".
- If you do not want an IP or range to go through the nat table you have to create a rule in the table the traffic hits before that.
- To troubleshoot Netfilter rule sets it is good to know you can use 0) packet counters ('iptables -t nat -nvx --line-numbers -L POSTROUTING') and 1) "-j LOG" rules to see if packets get triggered by a filter. To apply everything to your above example:
# Negation goes in front of the option ("! -s"); the older "-s !" form is deprecated.
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -s 192.168.100.100/32 -j LOG --log-prefix "IN .100 TCP 80 "
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 ! -s 192.168.100.100/32 -j LOG --log-prefix "REDIR .0 TCP 80 "
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 ! -s 192.168.100.100/32 -j REDIRECT --to-ports 8080
# The exception has to sit in the nat POSTROUTING chain ahead of the MASQUERADE rule: the filter table has no
# POSTROUTING chain, and an ACCEPT in filter OUTPUT/FORWARD does not stop the packet from reaching nat POSTROUTING.
iptables -t nat -A POSTROUTING -s 192.168.100.100/32 -o eth1 -j LOG --log-prefix "OUT .100 "
iptables -t nat -A POSTROUTING -s 192.168.100.100/32 -o eth1 -j ACCEPT # Bypass MASQ: ACCEPT in a nat chain ends nat processing for .100
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth1 -j LOG --log-prefix "MASQ .0 "
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth1 -j MASQUERADE
Please see the tutorial at the archive: http://www.frozentux.net/iptables-tu...-tutorial.html
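As an added example that is not part of the original post: a small shell check that reads the listing printed by 'iptables -t nat -nvx --line-numbers -L POSTROUTING' and confirms that the .100 exception is ordered before the .0/24 MASQUERADE rule and is actually matching packets. The two listings embedded below are constructed samples; eth1 and the addresses follow the post.

```shell
#!/bin/sh
# Added example (not from the original post). Given the listing printed by
#   iptables -t nat -nvx --line-numbers -L POSTROUTING
# check that the 192.168.100.100 exception rule sits BEFORE the
# 192.168.100.0/24 MASQUERADE rule and that its packet counter is moving.

# Constructed listing: exception rule placed correctly, before MASQUERADE.
GOOD_LISTING='Chain POSTROUTING (policy ACCEPT 12 packets, 800 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1          42       2520 ACCEPT     all  --  *      eth1    192.168.100.100      0.0.0.0/0
2         317      19870 MASQUERADE all  --  *      eth1    192.168.100.0/24     0.0.0.0/0'

# Constructed listing: rules in the wrong order, so .100 is masqueraded and its
# ACCEPT rule never sees a packet (counter stays 0).
BAD_LISTING='Chain POSTROUTING (policy ACCEPT 12 packets, 800 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1         359      22390 MASQUERADE all  --  *      eth1    192.168.100.0/24     0.0.0.0/0
2           0          0 ACCEPT     all  --  *      eth1    192.168.100.100      0.0.0.0/0'

# rule_field LISTING TARGET SOURCE COLUMN: print COLUMN of the first rule whose
# target and source match (iptables -n prints a /32 host without the mask).
rule_field() {
    printf '%s\n' "$1" | awk -v t="$2" -v s="$3" -v c="$4" \
        '$1 ~ /^[0-9]+$/ && $4 == t && $9 == s { print $c; exit }'
}
rule_num()  { rule_field "$1" "$2" "$3" 1; }   # line number ("num" column)
rule_pkts() { rule_field "$1" "$2" "$3" 2; }   # packet counter ("pkts" column)

# exception_ok LISTING: succeeds only if the .100 ACCEPT precedes the .0/24
# MASQUERADE and has already matched at least one packet.
exception_ok() {
    acc=$(rule_num "$1" ACCEPT 192.168.100.100)
    masq=$(rule_num "$1" MASQUERADE 192.168.100.0/24)
    pkts=$(rule_pkts "$1" ACCEPT 192.168.100.100)
    [ -n "$acc" ] && [ -n "$masq" ] && [ "$acc" -lt "$masq" ] && [ "${pkts:-0}" -gt 0 ]
}

# On a real router, feed the live listing instead of a sample:
#   exception_ok "$(iptables -t nat -nvx --line-numbers -L POSTROUTING)" \
#       && echo "exception rule is hit" || echo "check rule order / counters"
```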