Hi there, and welcome.
I tried to emulate your problem, and I couldn't. Regarding the DNAT in general, a few comments & questions:
- Are you testing from this server, or from a different client machine? This may affect routing on the server (PREROUTING vs OUTPUT chains).
- Which client software are you using to test? With your specific example (redirecting to Google), Google's own redirects play a role too, which may break what you're trying here.
- Some browsers may also influence what happens (with their own DNS caching etc.?). For me, Firefox was problematic, but other browsers worked - might just be some of my plugins though.
- I tested successfully with a simpler setup - "links" as browser, or a "telnet" test, to a destination that doesn't try and redirect me.
Regarding your goal to monitor traffic, a few thoughts:
- If you only want to monitor and block traffic, you don't need the DNAT. Simply routing all clients through your server and using MASQUERADE should do the trick. In other words, a client that uses 80.80.80.80 as its gateway and connects to http://www.google.com/ (rather than http://80.80.80.80:100/) can still be managed by you. Simply log the traffic, and block what you don't want to allow.
- With websites running on virtual hosts, IP address based DNAT or filtering won't work. Firstly, connecting by IP rather than name won't give you the correct site, and secondly this will block / allow all sites on that IP, rather than specific sites.
- A proxy server (like http://www.squid-cache.org/) might therefore be a better solution to your problem.
I hope this helps.
Regards,
Clifford
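The gateway setup described in the answer (route clients through the server, MASQUERADE, log and block rather than DNAT), as an added example that is not part of the original post. It assumes a LAN of 192.168.1.0/24 on eth1 and an uplink on eth0; the blocked addresses passed in are placeholders. The function emits the rules one per line so they can be reviewed before being piped into a root shell.

```sh
#!/bin/sh
# Constructed example: transparent gateway that forwards, logs and blocks,
# instead of the DNAT redirect in the question.
# Assumed topology (not from the post): LAN 192.168.1.0/24 on eth1, uplink eth0.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
IPT="${IPT:-iptables}"

# gateway_rules "<space separated list of destination IPs to block>"
# Prints the commands; apply with:  gateway_rules "203.0.113.10" | sh   (as root)
gateway_rules() {
  blocked_ips="$1"
  # Let the kernel forward between the two interfaces.
  echo "sysctl -w net.ipv4.ip_forward=1"
  # Clients use the gateway as default route; rewrite their source address on the way out.
  echo "$IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
  # Log every outbound HTTP connection attempt (before the block rules, so blocked
  # attempts are logged too). The host name is not visible here, only the IP.
  echo "$IPT -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -m state --state NEW \
    -j LOG --log-prefix 'LAN-HTTP: ' --log-level 6"
  # Block by destination IP. Caveat from the answer: this blocks every virtual host
  # served from that address, not one particular site.
  for ip in $blocked_ips; do
    echo "$IPT -A FORWARD -i $LAN_IF -s $LAN_NET -d $ip -j REJECT --reject-with icmp-admin-prohibited"
  done
  # Allow the rest out, and only replies back in.
  echo "$IPT -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT"
  echo "$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "$IPT -P FORWARD DROP"
}

# Helper used for checking: how many block rules a given list produces.
count_block_rules() {
  gateway_rules "$1" | grep -c "REJECT"
}
```

Logged connections land in the kernel log with the prefix LAN-HTTP:, which is what you grep or ship to your log collector; to filter by site name rather than IP you would still need a proxy such as Squid.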