more iptables help
bscott at ntisys.com
Tue Jun 17 16:46:00 EDT 2003
On Tue, 17 Jun 2003, at 3:47pm, travis at scootz.net wrote:
> > 1. Anybody comin' thru interface eth1 gets sent to 1.2.3.4:80
> > 2. The person with the IP address 10.1.2.3 is allowed to get by that
> > redirect
IPTables chains are processed in order. Rules which match the packet in
question get their jump target (-j) executed. Some jump targets are
"terminating" targets, meaning they cause processing to stop on a match.
So, put your exceptions first, and your more general rules later.
iptables -t nat -A PREROUTING -s 10.1.2.3 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p TCP --dport 80 \
-j DNAT --to-dest 1.2.3.4:80
Caveat #1: I haven't tested the above.
Caveat #2: The first rule above assumes you're not doing anything with
port forwarding, etc., that would need something other than "ACCEPT" in the
PREROUTING chain.
Caveat #3: The second rule above only redirects traffic on TCP port 80,
since that is what I assume you want. All other traffic will be allowed to
the original destination. I dunno if that's what you want or not.
--
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind. |
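The ordering rule in the reply (exceptions first, terminating targets stop the walk) can be checked with a small model of a netfilter chain. This is an added example, not part of the original message or of iptables itself; the Packet and Rule classes and walk_chain are assumptions that mirror only the matches the two rules above use (-s, -i, -p, --dport), and 1.2.3.4 / 10.1.2.3 are the addresses from the message.

```python
# Added example (not from the original message): a minimal model of how a
# netfilter chain is walked. Rules are tried top to bottom; the first match
# whose target is terminating (ACCEPT, DNAT) ends processing for that chain.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    in_if: str = "eth1"

@dataclass
class Rule:
    target: str                       # ACCEPT or DNAT (both terminating)
    src: Optional[str] = None         # -s
    in_if: Optional[str] = None       # -i
    proto: Optional[str] = None       # -p
    dport: Optional[int] = None       # --dport
    to_dest: Optional[str] = None     # --to-dest host:port (DNAT only)

    def matches(self, p: Packet) -> bool:
        # An unset selector (None) matches anything, like an omitted option.
        return all(want is None or want == have for want, have in (
            (self.src, p.src), (self.in_if, p.in_if),
            (self.proto, p.proto), (self.dport, p.dport)))

def walk_chain(chain: list[Rule], p: Packet) -> tuple[str, int]:
    """Return (destination host, port) after the first terminating match."""
    for rule in chain:
        if rule.matches(p):
            if rule.target == "DNAT":
                host, port = rule.to_dest.rsplit(":", 1)
                return host, int(port)
            return p.dst, p.dport   # ACCEPT: stop here, packet untouched
    return p.dst, p.dport           # no match: default policy (ACCEPT)

# The two rules from the message, in the order given (exception first).
PREROUTING = [
    Rule("ACCEPT", src="10.1.2.3"),
    Rule("DNAT", in_if="eth1", proto="tcp", dport=80, to_dest="1.2.3.4:80"),
]

if __name__ == "__main__":
    # Constructed sample packets: 5.6.7.8 stands in for any original server.
    for src in ("10.9.9.9", "10.1.2.3"):
        print(src, "->", walk_chain(PREROUTING, Packet(src, "5.6.7.8", 80)))
    # Same rules reversed: the DNAT now fires before the exception is seen.
    print("reversed:", walk_chain(PREROUTING[::-1], Packet("10.1.2.3", "5.6.7.8", 80)))
```

Swapping the two rules is what the "put your exceptions first" advice guards against: in the reversed chain 10.1.2.3 is redirected like everyone else.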