LinuxQuestions.org > Linux - Security > iptables nat exceptions (http://www.linuxquestions.org/questions/showthread.php?t=4175449820)

pestka 02-12-2013 08:53 AM

iptables nat exceptions
 
Hello guys,

I've been struggling with iptables to use it as a proxy. Here's what I want to achieve:

me -----> proxyserv:9000 -------> proxy2:7070
me -----> proxyserv:9001 -------> proxy2:7070

I thought instead overloading my system (proxyserv) with squid I'll adjust iptables. This is what I've done so far:

Code:

iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 9000 -s -j DNAT --to-destination proxy2:7070

Now thing is that I have to add 2 exceptions. They have to be added so that when I go to websites I go through proxy2:7070 and I would not go through the proxy if I wanted to reach these exceptional destinations. I tried the following:

Code:

iptables -t nat -A PREROUTING -p tcp --dport 9000 -d ! IP_OF_THE_EXCEPTION -j DNAT --to-destination proxy2:7070

but it does not help. The proxy is redirecting everything to proxy2, including the -d ! IP_OF_THE_EXCEPTION.

Why is that? Is there any way to redirect it as I like?

P.

acid_kewpie 02-12-2013 08:58 AM

Just put an ACCEPT rule for that IP above that one. Whilst you don't think of the POSTROUTING table as a firewall list in the same way, it does still ultimately have a default ACCEPT policy on it, etc.

pestka 02-12-2013 09:28 AM

Hello Chris,

Thanks for your answer. I am still learning iptables; could you please tell me what rule I should put where? I mean, the exact command would be splendid.

acid_kewpie 02-12-2013 09:56 AM

iptables -t nat -A PREROUTING -p tcp --dport 9000 -d IP_OF_THE_EXCEPTION -j ACCEPT

before the DNAT entry

pestka 02-12-2013 03:01 PM

Hi there,

I tried that, as well as some "mutations"; it did not work nonetheless.
I tried to redirect all traffic to Google apart from 4 destinations (in fact it's just one, but the hostname changes its IP and so I had to add all of them).

Here's the code, maybe I'm missing something?

Code:

iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 9000 -d EXCEPTION_IP_1 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 9000 -d EXCEPTION_IP_2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 9000 -d EXCEPTION_IP_3 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 9000 -d EXCEPTION_IP_4 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 9000 -j DNAT --to-destination 173.194.35.78:80

Where's the glitch?
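Editorial addition, not code from anyone in this thread: a small Python model of how netfilter walks the nat PREROUTING chain (rules checked in order; the first matching ACCEPT or DNAT ends the walk for a connection's first packet). It covers both acid_kewpie's ordering advice and pestka's final ruleset above. All addresses are constructed stand-ins for proxyserv, proxy2 and EXCEPTION_IP_n. The model assumes the topology from the first post: the client opens its TCP connection to proxyserv:9000, so the destination address in the IP header that `-d` matches on is proxyserv's own address, not the website the client wants to reach through the proxy.

```python
"""Toy model of netfilter nat/PREROUTING traversal.

Constructed example for illustration; it is not iptables and models only
the pieces this thread uses: -p, --dport, -d (optionally negated), and the
terminal targets ACCEPT and DNAT.  The nat table sees only the first packet
of a connection, and the first matching terminal target decides its fate.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed stand-ins for the hosts in the thread (RFC 5737 documentation ranges).
PROXYSERV = "192.0.2.10"                        # proxyserv's own address
PROXY2 = "192.0.2.20"                           # proxy2
EXCEPTIONS = ["198.51.100.1", "198.51.100.2"]   # EXCEPTION_IP_1 / EXCEPTION_IP_2
CLIENT = "203.0.113.5"                          # "me"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str        # destination address in the IP header
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    target: str                          # "ACCEPT" or "DNAT"
    proto: Optional[str] = None          # -p
    dport: Optional[int] = None          # --dport
    dst: Optional[str] = None            # -d
    dst_negate: bool = False             # True models "! -d" (old syntax: -d !)
    to_destination: Optional[str] = None # --to-destination "ip:port" for DNAT
    hits: int = 0                        # like the pkts column of iptables -v

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.dst is not None:
            hit = pkt.dst == self.dst
            if hit == self.dst_negate:   # plain -d needs hit; ! -d needs no hit
                return False
        return True


def prerouting(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the chain in order; return (verdict, where the packet ends up going)."""
    for rule in rules:
        if rule.matches(pkt):
            rule.hits += 1
            if rule.target == "ACCEPT":          # stop nat processing, unchanged
                return ("ACCEPT", f"{pkt.dst}:{pkt.dport}")
            if rule.target == "DNAT":            # rewrite destination, stop
                return ("DNAT", rule.to_destination)
    return ("POLICY", f"{pkt.dst}:{pkt.dport}")  # chain policy ACCEPT


def pestka_ruleset() -> List[Rule]:
    """The last ruleset in the thread: ACCEPT exceptions first, then the DNAT."""
    rules = [Rule("ACCEPT", proto="tcp", dport=9000, dst=ip) for ip in EXCEPTIONS]
    rules.append(Rule("DNAT", proto="tcp", dport=9000,
                      to_destination=f"{PROXY2}:7070"))
    return rules


def first_attempt() -> Tuple[str, str]:
    """The first post's single rule with a negated -d, applied to a proxy client's packet."""
    rules = [Rule("DNAT", proto="tcp", dport=9000, dst=EXCEPTIONS[0],
                  dst_negate=True, to_destination=f"{PROXY2}:7070")]
    return prerouting(rules, Packet(CLIENT, PROXYSERV, 9000))


def simulate() -> dict:
    rules = pestka_ruleset()
    # The only packet a proxy client generates: IP destination is proxyserv itself.
    client = Packet(CLIENT, PROXYSERV, 9000)
    # A packet whose IP destination really is an exception address.  Such a
    # packet only exists when traffic is routed through the box, not proxied.
    routed = Packet(CLIENT, EXCEPTIONS[0], 9000)
    return {
        "client": prerouting(rules, client),   # -> ("DNAT", "192.0.2.20:7070")
        "routed": prerouting(rules, routed),   # -> ("ACCEPT", "198.51.100.1:9000")
        "hits": [r.hits for r in rules],       # -> [1, 0, 1]
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
    print("first attempt", first_attempt())
```

The ordering advice itself is sound: in the model, a packet whose IP destination is an exception address stops at the ACCEPT rule and is never DNATed. The packets a proxy client sends, however, are all addressed to proxyserv:9000, so none of the `-d EXCEPTION_IP` rules can ever match them and every connection falls through to the DNAT; the same holds for the negated form in the first post, which matches precisely because the destination is not the exception. On a real box the equivalent check is the pkts column of `iptables -t nat -L PREROUTING -v -n --line-numbers`: exception rules whose counters stay at zero while the DNAT rule's counter climbs show this directly.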


All times are GMT -5.