LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Forward port 80 for all traffic except to certain host/network (https://www.linuxquestions.org/questions/linux-networking-3/forward-port-80-for-all-traffic-except-to-certain-host-network-772787/)

fantasygoat 12-01-2009 04:52 PM

Forward port 80 for all traffic except to certain host/network
 
I have an application which checks websites for new content, and it runs on several servers. So, to lower bandwidth costs I've put a Squid server in front of them and used iptables to forward all calls on port 80 to it.

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to x.x.x.x:3128

The problem I have is that there are a couple of servers which do other tasks that are dependent on source IP, so they won't accept connections from the Squid server. So, for those ones, I don't want it to forward to Squid.

How would I format my iptables call to forward everything unless the destination address or net is X?

iptables is a bit of a mystery to me.

deadeyes 12-02-2009 10:51 AM

Quote:

Originally Posted by fantasygoat (Post 3776245)
How would I format my iptables call to forward everything unless the destination address or net is X?

-d <ip-address> Match destination IP address
http://www.linuxhomenetworking.com/w...Using_iptables

This is a very good guide.

fantasygoat 12-02-2009 02:22 PM

I've read that and I'm still not sure how I should structure the commands.

Perhaps like this?

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to x.x.x.x:3128
iptables -t nat -A OUTPUT -p tcp --dport 80 -d y.y.y.y -j ACCEPT

fantasygoat 12-04-2009 12:08 PM

As an update, I dug through the documentation for iptables and discovered the "-d" parameter will accept a NOT parameter in the form of "!". So the appropriate command is:

iptables -t nat -A OUTPUT -p tcp --dport 80 ! -d y.y.y.y -j DNAT --to-destination x.x.x.x:3128
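The following script is an added example and is not code from this thread. It generates the nat OUTPUT rules for the setup described above in two forms: the single-exemption one-liner in current iptables syntax (`! -d`, negation before the option; the older `-d ! addr` form is deprecated), and the multi-exemption form, where `! -d` cannot express "neither this host nor that network", so one bypass rule per exempt destination goes in front of the catch-all DNAT. The proxy address 10.0.0.5:3128, the exempt host 192.0.2.10 and the exempt network 198.51.100.0/24 are placeholders chosen for illustration. The script only prints the commands; run its output as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): build the nat OUTPUT rules that send
# locally generated port-80 traffic to a Squid proxy, except for exempt
# destinations. All addresses below are placeholders; edit them to taste.
PROXY="10.0.0.5:3128"                     # assumed Squid host:port
EXEMPT="192.0.2.10 198.51.100.0/24"       # assumed host and network to bypass

# Single exemption: the thread's one-liner in current syntax. "! -d" accepts
# either a single address or a CIDR network.
single_exempt_rule() {
    printf 'iptables -t nat -A OUTPUT -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s\n' \
        "$1" "$PROXY"
}

# Several exemptions: one bypass rule per exempt destination, appended BEFORE
# the catch-all DNAT. In the nat table the first matching rule decides the fate
# of a new connection, so the order is what makes this work. ACCEPT here (RETURN
# would do the same in a built-in chain) only ends nat processing for that
# connection; it does not accept anything in the filter table.
multi_exempt_rules() {
    for dst in $EXEMPT; do
        printf 'iptables -t nat -A OUTPUT -p tcp --dport 80 -d %s -j ACCEPT\n' "$dst"
    done
    printf 'iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination %s\n' "$PROXY"
}

# Number of rules a generator emits (handy for a sanity check before applying).
rule_count() { "$@" | wc -l | tr -d ' '; }

# Show the live chain with positions and packet counters to confirm that the
# bypass rules sit above the DNAT and are actually being hit.
show_nat_output() { iptables -t nat -L OUTPUT -n -v --line-numbers; }

# Dry run by default: print the rules instead of applying them.
echo "# single exemption:"
single_exempt_rule 192.0.2.10
echo "# multiple exemptions (apply with: sh this_script.sh | grep ^iptables | sudo sh):"
multi_exempt_rules
```

Two caveats worth keeping in mind. The nat table is consulted only for the first packet of each connection, so rules added or reordered later do not change connections that are already open. And because the fantasygoat attempt above appends the ACCEPT after the DNAT, it is never reached: in the nat chain the DNAT already matched and ended processing, which is why the exemption must come first (or be folded into the DNAT rule with `! -d`).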
