LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 02-18-2015, 06:27 PM   #1
charlweed
Member
 
Registered: Jan 2005
Posts: 46

Rep: Reputation: 15
iptables nat rule that excludes one ip source?


Currently, all my LAN's traffic gets filtered through dansguardian because I have the following as the last rule in iptables' nat PREROUTING chain:
Code:
--append PREROUTING  --protocol tcp --match tcp --dport   80 --jump REDIRECT --to-ports 8080
I have diagnosed that even when dansguardian is set to “Unrestricted”, the combination of squid and dansguardian breaks a critical application on host 192.168.0.8.

All other traffic is fine, so I just want that one workstation NOT to be redirected. Yeah, I tried to RTFM, but I cannot get the correct form for "all tcp port 80 traffic unless source is 192.168.0.8"

So can someone help me with the correct rule, or provide a rule to skip the rest of the chain if the source is a particular IP?

Thanks!
 
Old 02-18-2015, 06:54 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,347

Rep: Reputation: Disabled
Have you tried the ! negation operator? Try adding ! -s 192.168.0.8/32 to the rule.
 
Old 02-18-2015, 08:05 PM   #3
charlweed
Member
 
Registered: Jan 2005
Posts: 46

Original Poster
Rep: Reputation: 15
That's what I tried first.
Code:
--append PREROUTING --protocol tcp --match tcp --dport 80 ! -s 192.168.0.8/32 --jump REDIRECT --to-ports 8080
It broke all our LAN's web traffic, so I don't know if I was on the right track. It could have been the order, but trial and error is really expensive in my case; that's why I'm posting.
 
Old 02-19-2015, 01:09 PM   #4
charlweed
Member
 
Registered: Jan 2005
Posts: 46

Original Poster
Rep: Reputation: 15
Sleeping on the problem helped, and I think I figured out how to do it. To skip the last rule, which redirects web packets to my proxy, I inserted the following as the second-to-last rule:

Code:
--append PREROUTING  --source 192.168.0.8 --jump RETURN
as the man page says...
RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.
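The two approaches discussed in this thread, written up as an added example (not code posted by anyone in the thread): a POSIX shell script that emits a nat-table fragment in iptables-restore format, either with the RETURN exemption placed before the REDIRECT (post #4) or as a single REDIRECT with a negated source (post #2). It assumes the nat table holds only these rules; host and port default to the thread's 192.168.0.8 and 8080, and the dry run only parses the ruleset without loading it.

```shell
#!/bin/sh
# Constructed example: emit a nat-table fragment for iptables-restore that exempts
# one LAN host from a transparent-proxy REDIRECT on tcp/80.

nat_header() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
                  ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
}

# Form 1: a RETURN rule that must come BEFORE the REDIRECT, otherwise it never
# matches. Matching tcp/80 here limits the exemption to web traffic; drop the port
# match to exempt the host from everything after it in the chain, as post #4 did.
gen_return_form() {
    exempt_host="$1"; proxy_port="$2"
    nat_header
    printf '%s\n' \
      "-A PREROUTING -s ${exempt_host}/32 -p tcp -m tcp --dport 80 -j RETURN" \
      "-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports ${proxy_port}" \
      'COMMIT'
}

# Form 2: one rule with a negated source; the '!' goes in front of '-s'.
gen_negated_form() {
    exempt_host="$1"; proxy_port="$2"
    nat_header
    printf '%s\n' \
      "-A PREROUTING ! -s ${exempt_host}/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports ${proxy_port}" \
      'COMMIT'
}

# Ordering check for form 1: exit 0 only if the RETURN line precedes the REDIRECT line.
check_order() {
    ret=$(printf '%s\n' "$1" | grep -n -- '-j RETURN' | head -n 1 | cut -d: -f1)
    red=$(printf '%s\n' "$1" | grep -n -- '-j REDIRECT' | head -n 1 | cut -d: -f1)
    [ -n "$ret" ] && [ -n "$red" ] && [ "$ret" -lt "$red" ]
}

# Syntax-only dry run with iptables-restore --test (needs root); loads nothing.
dry_run() {
    command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not found, skipping"; return 0; }
    [ "$(id -u)" -eq 0 ] || { echo "not root, skipping dry run"; return 0; }
    printf '%s\n' "$1" | iptables-restore --test
}

# Usage: gen_return_form 192.168.0.8 8080 | tee /tmp/nat.rules; dry_run "$(cat /tmp/nat.rules)"
```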
 