Old 02-18-2015, 06:27 PM   #1
Registered: Jan 2005
Posts: 46

Rep: Reputation: 15
iptables nat rule that excludes one ip source?

Currently, all my LAN's traffic gets filtered through dansguardian because I have the following as the last rule in iptables' nat PREROUTING chain:
--append PREROUTING  --protocol tcp --match tcp --dport   80 --jump REDIRECT --to-ports 8080
I have diagnosed that even when dansguardian is set to “Unrestricted”, the combination of squid and dansguardian breaks a critical application on host

All other traffic is fine, so I just want that one workstation NOT to be redirected. Yeah, I tried to RTFM, but I cannot get the correct form for "all tcp port 80 traffic unless source is"

So can someone help me with the correct rule, or provide a rule to skip the rest of the chain if the source is a particular IP?

Old 02-18-2015, 06:54 PM   #2
Ser Olmy
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,347

Rep: Reputation: Disabled
Have you tried the ! negation operator? Try adding ! -s to the rule.
Old 02-18-2015, 08:05 PM   #3
Registered: Jan 2005
Posts: 46

Original Poster
Rep: Reputation: 15
That's what I tried first.
--append PREROUTING --protocol tcp --match tcp --dport 80 ! -s --jump REDIRECT --to-ports 8080

broke all our LAN's web traffic, so I don't know if I was on the right track. Could have been the order, but trial and error is really expensive in my case; that's why I'm posting.
Old 02-19-2015, 01:09 PM   #4
Registered: Jan 2005
Posts: 46

Original Poster
Rep: Reputation: 15
Sleeping on the problem helped, and I think I figured out how to do it. To skip the last rule, which redirects web packets to my proxy, I inserted the following as the second-to-last rule:

--append PREROUTING  --source --jump RETURN
as the man page says...
RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.
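The two approaches in this thread (a RETURN rule placed just before the REDIRECT, as in post #4, and a single REDIRECT rule with the `! -s` negation from post #2) give the same result, and the ordering worry raised in post #3 is real: REDIRECT is a terminating target, so a RETURN appended after it never sees port-80 traffic. The script below is an added example, not code from the thread; it is a small model of nat PREROUTING traversal (no conntrack, no other tables) that evaluates the three chain layouts and also prints the equivalent iptables commands. The addresses 192.0.2.50 and 192.0.2.51 are placeholders from the RFC 5737 documentation range, since the thread's real IPs were stripped.

```python
"""Model of iptables nat/PREROUTING traversal: excluding one source from a REDIRECT."""
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses (the thread does not show the real ones).
EXEMPT_HOST = "192.0.2.50"   # assumption: the workstation that must bypass the proxy
OTHER_HOST = "192.0.2.51"    # any other LAN client

@dataclass
class Rule:
    target: str                     # "REDIRECT" or "RETURN"
    proto: Optional[str] = None     # --protocol
    dport: Optional[int] = None     # --dport (needs -m <proto>)
    src: Optional[str] = None       # --source
    src_negated: bool = False       # ! --source
    to_port: Optional[int] = None   # --to-ports for REDIRECT

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.src is not None:
            hit = pkt["src"] == self.src
            if hit == self.src_negated:   # '!' flips the sense of the source match
                return False
        return True

    def as_iptables(self) -> str:
        """Render the rule as the command you would type (append form)."""
        parts = ["iptables -t nat -A PREROUTING"]
        if self.proto:
            parts.append(f"-p {self.proto}")
        if self.dport is not None:
            parts.append(f"-m {self.proto} --dport {self.dport}")
        if self.src:
            parts.append(f"{'! ' if self.src_negated else ''}-s {self.src}")
        parts.append(f"-j {self.target}")
        if self.to_port is not None:
            parts.append(f"--to-ports {self.to_port}")
        return " ".join(parts)

def traverse(chain: list, pkt: dict) -> int:
    """Walk a built-in chain top to bottom.
    REDIRECT rewrites the destination port and stops; RETURN stops and leaves the
    packet to the chain policy (ACCEPT in nat), i.e. untouched; falling off the end
    does the same. Returns the destination port the packet ends up with."""
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "RETURN":
            return pkt["dport"]
        if rule.target == "REDIRECT":
            return rule.to_port
    return pkt["dport"]

REDIRECT_WEB = Rule("REDIRECT", proto="tcp", dport=80, to_port=8080)
SKIP_HOST = Rule("RETURN", src=EXEMPT_HOST)

# Post #4's solution: the RETURN sits immediately before the REDIRECT.
CHAIN_RETURN_FIRST = [SKIP_HOST, REDIRECT_WEB]
# Post #2's suggestion: one REDIRECT rule that excludes the host via negation.
CHAIN_NEGATED = [Rule("REDIRECT", proto="tcp", dport=80,
                      src=EXEMPT_HOST, src_negated=True, to_port=8080)]
# Wrong order: REDIRECT already terminated traversal, so the RETURN is dead for port 80.
CHAIN_RETURN_LAST = [REDIRECT_WEB, SKIP_HOST]

def final_port(chain: list, src: str, dport: int = 80) -> int:
    """Destination port a TCP packet from `src` to `dport` has after the chain."""
    return traverse(chain, {"proto": "tcp", "src": src, "dport": dport})

if __name__ == "__main__":
    for name, chain in [("RETURN before REDIRECT", CHAIN_RETURN_FIRST),
                        ("negated source", CHAIN_NEGATED),
                        ("RETURN after REDIRECT", CHAIN_RETURN_LAST)]:
        print(f"== {name} ==")
        for r in chain:
            print("  " + r.as_iptables())
        print(f"  exempt host -> port {final_port(chain, EXEMPT_HOST)}, "
              f"other host -> port {final_port(chain, OTHER_HOST)}")
```

One caveat worth keeping in mind with the RETURN form: the rule as written matches every packet from that host, not only port 80, so any nat PREROUTING rules placed after it are skipped for that host too. That is harmless when the REDIRECT is the last rule, as in this thread, but it matters if more rules are appended later; the negated single rule avoids that side effect. Also, because the nat table only sees the first packet of each connection, existing connections keep whatever decision was made before the rules changed.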

