On Wednesday 12 November 2003 11:05 pm, bmcdowell@xxxxxxxxxxxxxxxxxx wrote:

> Is there no reason to be wary of the 'ACCEPT' statement? I did read this
> in the tutorial (I think), but isn't ACCEPT a terminating action?

Yes, in the sense that a packet matching this rule will not pass through any
further rules, but what's the problem with that?

The only thing the PREROUTING nat table can do is DNAT. So, either you want
to DNAT a packet from 10.22.1.1, or you don't. If you do want to DNAT it,
put that as the target of the first rule. If you don't want to DNAT it, use
ACCEPT as the target of the first rule. Nothing else is possible.

Antony.

> -----Original Message-----
> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Antony Stone
> Sent: Wednesday, November 12, 2003 4:47 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Range of IP's with Exclusions
>
> On Wednesday 12 November 2003 10:31 pm, bmcdowell@xxxxxxxxxxxxxxxxxx wrote:
> > iptables -t nat -A PREROUTING -d 10.22.1.3 -j DNAT --to 10.22.2.2
> > iptables -t nat -A PREROUTING -d 10.22.1.4 -j DNAT --to 10.22.2.2
> > iptables -t nat -A PREROUTING -d 10.22.1.5 -j DNAT --to 10.22.2.2
> > iptables -t nat -A PREROUTING -d 10.22.1.6 -j DNAT --to 10.22.2.2
> > (etc.)
> >
> > ...but that is a bit of a pain.
> >
> > I keep trying to type in something like:
> >
> > iptables -t nat -A PREROUTING -d 10.22.1.0/24,! 10.22.1.1 -j DNAT
> > --to 10.22.2.2
> >
> > ...but iptables complains.
>
> Try these two rules, in this order:
>
> iptables -t nat -A PREROUTING -d 10.22.1.1 -j ACCEPT
> iptables -t nat -A PREROUTING -d 10.22.1.0/24 -j DNAT --to 10.22.2.2
>
> The first will match the address you don't want to DNAT, and only other
> addresses will match the second rule.
>
> Antony.
-- 

The idea that Bill Gates appeared like a knight in shining armour to lead
all customers out of a mire of technological chaos neatly ignores the fact
that it was he who, by peddling second-rate technology, led them into it in
the first place.

 - Douglas Adams in The Guardian, August 25, 1995

Please reply to the list; please don't CC me.
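The point of the exchange above is that a netfilter chain is walked top to bottom and the first rule whose match fires with a terminating target (ACCEPT or DNAT here) decides the verdict, so the ACCEPT for 10.22.1.1 only works as an exclusion if it sits before the /24 DNAT rule. The following is an added illustration, not code from the thread or from the netfilter project: a small Python model of the nat PREROUTING chain with the two rules Antony proposed, plus the same rules in reverse order to show why ordering matters. The Rule class, run_chain, new_destination and to_iptables are names chosen for this example; the table is spelt lowercase `nat`, which is what iptables actually accepts.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    dst: ipaddress.IPv4Network   # the -d match (a single host is a /32)
    target: str                  # "ACCEPT" or "DNAT", both terminating
    to: Optional[str] = None     # the --to address for DNAT

def rule(dst: str, target: str, to: Optional[str] = None) -> Rule:
    """Build a Rule from an iptables-style -d argument."""
    return Rule(ipaddress.ip_network(dst, strict=False), target, to)

def run_chain(chain: List[Rule], dst_ip: str) -> Tuple[str, Optional[str]]:
    """Walk the chain in order; the first matching rule with a terminating
    target ends evaluation.  Returns (verdict, dnat_target)."""
    ip = ipaddress.ip_address(dst_ip)
    for r in chain:
        if ip in r.dst:
            if r.target == "DNAT":
                return ("DNAT", r.to)
            if r.target == "ACCEPT":
                # Terminating: no later rule (and so no DNAT) is consulted.
                return ("ACCEPT", None)
    # No rule matched: the chain's default policy applies (ACCEPT for nat).
    return ("POLICY", None)

def new_destination(chain: List[Rule], dst_ip: str) -> str:
    """Destination address after the chain has run."""
    verdict, to = run_chain(chain, dst_ip)
    return to if verdict == "DNAT" and to is not None else dst_ip

def to_iptables(chain: List[Rule]) -> List[str]:
    """Render the model back into the iptables commands it stands for."""
    cmds = []
    for r in chain:
        dst = str(r.dst.network_address) if r.dst.prefixlen == 32 else str(r.dst)
        cmd = f"iptables -t nat -A PREROUTING -d {dst} -j {r.target}"
        if r.target == "DNAT":
            cmd += f" --to {r.to}"
        cmds.append(cmd)
    return cmds

# Antony's ordering: the exclusion comes first, so it is reached.
CHAIN_GOOD = [
    rule("10.22.1.1", "ACCEPT"),
    rule("10.22.1.0/24", "DNAT", "10.22.2.2"),
]

# Reversed ordering (constructed for contrast): the /24 DNAT rule matches
# 10.22.1.1 first and terminates, so the ACCEPT below it never fires.
CHAIN_BAD = [
    rule("10.22.1.0/24", "DNAT", "10.22.2.2"),
    rule("10.22.1.1", "ACCEPT"),
]

if __name__ == "__main__":
    for label, chain in (("good", CHAIN_GOOD), ("bad", CHAIN_BAD)):
        print(f"--- {label} ordering ---")
        for cmd in to_iptables(chain):
            print(cmd)
        for ip in ("10.22.1.1", "10.22.1.3", "10.22.5.9"):
            print(f"{ip} -> {new_destination(chain, ip)}")
```

Running the script shows 10.22.1.1 left untouched and 10.22.1.3 rewritten to 10.22.2.2 under the first ordering, while the reversed chain rewrites 10.22.1.1 as well. Two caveats the model leaves out: the real nat table is consulted only for the first packet of a connection, after which conntrack applies the same decision to the rest of the flow, and a nat ACCEPT only means "no NAT for this connection"; it does not bypass the filter table, where you still decide whether the traffic is allowed at all.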