Athan wrote:
> I *think* your problem is that the NOTHING chain is empty, so at the end of it it just returns to the calling chain. Why not just simply -j ACCEPT on the rule in PREROUTING? That should stop it processing any further down the PREROUTING for packets with that destination.

Besides the solution presented (with the error corrected), a cleaner solution is to create a new chain, and then use the RETURN target in this chain for packets that are not to be DNAT'ed:
# REDIRECT is only valid in the nat table, so the chain lives there, not in mangle
iptables -t nat -N DNAT_PROXY
# Local destinations leave the chain via RETURN and continue down PREROUTING
iptables -t nat -A DNAT_PROXY -d 192.168.0.0/24 -j RETURN
iptables -t nat -A DNAT_PROXY -d x.x.0.0/16 -j RETURN
# Everything else is sent to the transparent proxy on port 3128
iptables -t nat -A DNAT_PROXY -p tcp -j REDIRECT --to-ports 3128
# Hand all incoming port-80 TCP traffic to the new chain
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT_PROXY
This allows you to do other stuff on packets in PREROUTING, as you are not accepting packets that are not to be DNAT'ed.
Regards
Anders Fugmann
--
Author of FIAIF
FIAIF Is An Intelligent Firewall
http://fiaif.fugmann.dhs.org
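To make the difference between the empty NOTHING chain, the ACCEPT fix and the RETURN fix concrete, here is a small Python model of nat PREROUTING traversal (added here, not code from the thread). The dict-based rule format, the packet addresses and the trailing LOG rule standing in for "other stuff" further down PREROUTING are assumptions of the model.

```python
# Added model, not from the thread: simulate iptables nat PREROUTING
# traversal just far enough to compare the three rulesets discussed.
from ipaddress import ip_address, ip_network

def matches(rule, pkt):
    if "dst" in rule and ip_address(pkt["dst"]) not in ip_network(rule["dst"]):
        return False
    if "dport" in rule and pkt["dport"] != rule["dport"]:
        return False
    return True

def walk(chains, name, pkt):
    """Traverse one chain; return 'ACCEPT', 'RETURN' or None (fell off the
    end, which for a user chain is an implicit RETURN to the caller)."""
    for rule in chains[name]:
        if not matches(rule, pkt):
            continue
        t = rule["target"]
        if t in chains:                     # -j USERCHAIN
            if walk(chains, t, pkt) == "ACCEPT":
                return "ACCEPT"
            continue                        # RETURN or empty chain: next rule
        if t == "LOG":                      # non-terminating: note and go on
            pkt["seen_by_later_rule"] = True
            continue
        if t == "REDIRECT":                 # NAT verdict ends the nat table
            pkt["dport"] = rule["to"]
            return "ACCEPT"
        return t                            # ACCEPT or RETURN

def prerouting(chains, dst, dport=80):
    pkt = {"dst": dst, "dport": dport, "seen_by_later_rule": False}
    walk(chains, "PREROUTING", pkt)
    return pkt

LATER = {"target": "LOG"}   # stands in for "other stuff" later in PREROUTING
REDIR = {"dport": 80, "target": "REDIRECT", "to": 3128}
LAN = "192.168.0.0/24"      # constructed sample network

# Original problem: NOTHING is empty, so LAN packets fall back to the caller
# and are redirected anyway.
EMPTY_CHAIN = {"NOTHING": [],
               "PREROUTING": [{"dst": LAN, "target": "NOTHING"}, REDIR, LATER]}
# Athan's fix: ACCEPT in PREROUTING ends traversal for LAN packets entirely.
ACCEPT_FIX = {"PREROUTING": [{"dst": LAN, "target": "ACCEPT"}, REDIR, LATER]}
# Anders' fix: RETURN inside DNAT_PROXY, so LAN packets still reach LATER.
RETURN_FIX = {"DNAT_PROXY": [{"dst": LAN, "target": "RETURN"},
                             {"target": "REDIRECT", "to": 3128}],
              "PREROUTING": [{"dport": 80, "target": "DNAT_PROXY"}, LATER]}
```

Running `prerouting(RETURN_FIX, "192.168.0.5")` shows a LAN packet that keeps port 80 and is still seen by the later rule, while the same packet under `ACCEPT_FIX` never reaches it.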