Re: Newbie question about having multiple destination addresses ina chain entry

Athan wrote:
> I *think* your problem is that the NOTHING chain is empty, so at the
> end of it it just returns to the calling chain.  Why not just simply -j
> ACCEPT on the rule in PREROUTING?  That should stop it processing any
> further down the PREROUTING for packets with that destination.
Besides the solution presented (with the error corrected), a cleaner solution is to create a new chain, and then use the RETURN target in this chain for packets that are not to be DNAT'ed:

# REDIRECT is only valid in the nat table (PREROUTING/OUTPUT and chains
# called from them), so the chain has to live in nat, not mangle.
iptables -t nat -N DNAT_PROXY
# Destinations that must not be proxied: RETURN hands the packet back to
# PREROUTING, which continues with the rule after the jump.
iptables -t nat -A DNAT_PROXY -d 192.168.0.0/24 -j RETURN
iptables -t nat -A DNAT_PROXY -d x.x.0.0/16 -j RETURN
# Everything else is sent to the local proxy port
iptables -t nat -A DNAT_PROXY -p tcp -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT_PROXY

This allows you to do other stuff on packets in PREROUTING, as you are not accepting packets that are not to be DNAT'ed.

Regards
Anders Fugmann
--
Author of FIAIF
FIAIF Is An Intelligent Firewall
http://fiaif.fugmann.dhs.org
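To make the difference between "-j ACCEPT in PREROUTING" and a user-defined chain with RETURN concrete, here is a small Python model of netfilter chain traversal. It is an added example, not code from the post, from FIAIF or from netfilter; it reproduces only the semantics the thread relies on: a jump into a user-defined chain, an explicit RETURN (or the implicit one at the end of a user chain) resuming at the next rule of the caller, and terminating targets ending traversal. The packets, the 203.0.113.7 address and the "later" DNAT rule that stands in for the other PREROUTING work are constructed assumptions, and the post's second RETURN for x.x.0.0/16 is left out because the prefix is elided in the post.

```python
# Toy model of netfilter chain traversal (added example, not netfilter code).
# Models: jump to user chain, RETURN / implicit return at end of user chain,
# terminating targets. Addresses, ports and the LATER rule are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    proto: str
    dst: str
    dport: int


@dataclass
class Rule:
    target: str                  # user chain name, "RETURN", or terminating target
    proto: Optional[str] = None  # like -p
    dst: Optional[str] = None    # CIDR, like -d
    dport: Optional[int] = None  # like --dport

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


TERMINATING = {"ACCEPT", "DROP", "REDIRECT", "DNAT"}
Chains = Dict[str, List[Rule]]


def traverse(chains: Chains, name: str, pkt: Packet) -> Optional[str]:
    """Walk chain `name`. Returns the verdict, or None when the chain ends
    without one (which for a user-defined chain is an implicit RETURN)."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target == "RETURN":
            return None
        if rule.target in TERMINATING:
            return rule.target
        verdict = traverse(chains, rule.target, pkt)  # jump into user chain
        if verdict is not None:
            return verdict
        # the user chain returned: continue with the next rule of this chain
    return None


def verdict(chains: Chains, pkt: Packet) -> str:
    v = traverse(chains, "PREROUTING", pkt)
    return v if v is not None else "POLICY(ACCEPT)"


# Hypothetical later PREROUTING rule standing in for the "other stuff" the
# post wants to keep reachable (assumed DNAT of LAN port-80 traffic).
LATER = Rule(target="DNAT", proto="tcp", dport=80, dst="192.168.0.0/24")

# 1. Empty user chain: its implicit RETURN means the REDIRECT still fires.
EMPTY_CHAIN: Chains = {
    "PREROUTING": [Rule(target="NOTHING", dst="192.168.0.0/24"),
                   Rule(target="REDIRECT", proto="tcp", dport=80),
                   LATER],
    "NOTHING": [],
}
# 2. ACCEPT in PREROUTING: LAN traffic escapes REDIRECT, but nothing after it runs.
ACCEPT_RULE: Chains = {
    "PREROUTING": [Rule(target="ACCEPT", dst="192.168.0.0/24"),
                   Rule(target="REDIRECT", proto="tcp", dport=80),
                   LATER],
}
# 3. The post's DNAT_PROXY chain: RETURN hands LAN packets back to PREROUTING.
DNAT_PROXY: Chains = {
    "PREROUTING": [Rule(target="DNAT_PROXY", proto="tcp", dport=80), LATER],
    "DNAT_PROXY": [Rule(target="RETURN", dst="192.168.0.0/24"),
                   Rule(target="REDIRECT", proto="tcp")],
}

# Constructed sample packets (203.0.113.7 is an RFC 5737 documentation address).
LAN_WEB = Packet("tcp", "192.168.0.5", 80)
INET_WEB = Packet("tcp", "203.0.113.7", 80)
LAN_SSH = Packet("tcp", "192.168.0.5", 22)

if __name__ == "__main__":
    for label, chains in (("empty chain", EMPTY_CHAIN),
                          ("ACCEPT in PREROUTING", ACCEPT_RULE),
                          ("RETURN in DNAT_PROXY", DNAT_PROXY)):
        for pkt in (LAN_WEB, INET_WEB, LAN_SSH):
            print(f"{label:22} {pkt.dst}:{pkt.dport} -> {verdict(chains, pkt)}")
```

Only the RETURN variant lets the LAN packet both skip the proxy and reach the rule after the jump; with ACCEPT it never gets there, and with the empty chain it is proxied anyway.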
