I tried what you suggested (Changing the destination to a different box) and it still does it to all the requests. The goal of the firewall setting is to allow access only to a few specific sites (in the case of the example provided amazon.com should be the only URL the users can get to) and all other sites should go to an internal webserver to tell them that they can't get to the site they're trying to go to. Does this make sense? Is there any way to do the DNAT only when it's not on the access list? (It's actually more like 100 sites I want the users to have access to, I narrowed down the script a bit for the example). Any ideas? This one has been killing me for awhile... I know it's possible because I've seen networks that behave like this. Help me out with this and you'll be my hero! -David Talbot -----Original Message----- From: lartc-admin@xxxxxxxxxxxxxxx [mailto:lartc-admin@xxxxxxxxxxxxxxx]On Behalf Of Adrian Chung Sent: Tuesday, June 05, 2001 9:56 AM To: David Talbot Cc: lartc@xxxxxxxxxxxxxxx Subject: Re: [LARTC] Redirecting wayward traffic On Tue, Jun 05, 2001 at 08:09:41AM -0500, David Talbot wrote: > #THIS IS THE PROBLEM LINE > iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1 > #THIS IS THE PROBLEM LINE I tried this on my 2.4.5 box, and it works just fine -- as long as the --to <address> isn't the same box I'm attempting to connect from. IOW, as long as the webserver isn't on the same box I'm attempting to browse outside the firewall with. When I tried to DNAT to the same box I was running lynx on, I just got a timeout. When I switched to DNAT to a different box, all requests went there properly. -- Adrian Chung (adrian at enfusion-group dot com) http://www.enfusion-group.com/~adrian GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17 [rogue.enfusion-group.com] up 28 days, 22:07, 2 users _______________________________________________ LARTC mailing list / LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
