Thanks Leonardo. It works fine, and it's somewhat different from OBSD PF :-)

Leonardo Rodrigues Magalhães writes:
>
> Aleksei Bebinov wrote:
>> I do so:
>> ---------------
>> cat /etc/config/kg-nets | while read LINE
>> do
>> #iptables -t nat -A PREROUTING -i br-lan -d ! $LINE -p tcp -m multiport --dports 80 -j DNAT --to-destination pr.oxy.ip:3128
>>
>> done
>> --------------------------------------------
>>
>> My script cats the file line by line and adds excluding rules (with !)
>> for nets that I don't need to redirect.
>> BUT!
>> If only one rule (for one subnet) is present in the table, it works fine, and
>> if I add a second one, with a second net, all the traffic is redirected to the
>> proxy, without any exclusions.
>>
>
> wrong rule for your needs. Maybe:
>
> for LINE in `cat /etc/config/kg-nets`; do
>     iptables -t nat -A PREROUTING -i br-lan -d $LINE -p tcp --dport 80 -j ACCEPT
> done
> iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to-destination pr.oxy.ip:3128
>
> will do it.
>
> If someone asks me for ONE single tip for making iptables easier, I
> would say "do NOT use negation rules, those with !" ..... They work
> just fine, but people rarely understand that it won't allow multiple
> exclusions and will keep fighting with that. Anyway, anything done
> with negation rules can be written as other single (and easier to
> understand) rules.
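The first-match behaviour behind Leonardo's tip, simulated as an added example that is not part of the thread: with two `! -d NET` DNAT rules every destination matches one of them, while ACCEPT-per-net followed by one unconditional DNAT excludes exactly the listed nets. The nets-file contents and test addresses are constructed; `pr.oxy.ip:3128` is the placeholder from the thread, and no real iptables is invoked.

```python
import ipaddress

# Constructed stand-in for /etc/config/kg-nets: one excluded subnet per line.
KG_NETS = """\
192.168.10.0/24
192.168.20.0/24
"""

PROXY = "pr.oxy.ip:3128"  # placeholder taken from the thread, not a real address


def parse_nets(text):
    """Return the non-empty lines of the nets file as ip_network objects."""
    return [ipaddress.ip_network(l.strip()) for l in text.splitlines() if l.strip()]


def negation_chain(nets):
    """Original approach: one '-d ! NET -j DNAT' rule per excluded net."""
    return [(net, True, "DNAT") for net in nets]


def accept_first_chain(nets):
    """Leonardo's approach: ACCEPT each excluded net, then one unconditional DNAT."""
    return [(net, False, "ACCEPT") for net in nets] + [(None, False, "DNAT")]


def evaluate(chain, dst):
    """First-match walk of a nat PREROUTING chain: returns the target hit, or None
    when no rule matched (packet passes through untouched)."""
    ip = ipaddress.ip_address(dst)
    for net, negate, target in chain:
        in_net = True if net is None else (ip in net)
        if in_net != negate:  # a rule matches when (dst in net) XOR negated
            return target
    return None


def iptables_commands(nets, proxy=PROXY):
    """Render the accept-first chain as the iptables commands from Leonardo's reply."""
    cmds = [f"iptables -t nat -A PREROUTING -i br-lan -d {net} -p tcp --dport 80 -j ACCEPT"
            for net in nets]
    cmds.append(f"iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT "
                f"--to-destination {proxy}")
    return cmds


if __name__ == "__main__":
    nets = parse_nets(KG_NETS)
    for dst in ("192.168.10.5", "192.168.20.5", "10.0.0.1"):
        print(dst, "negation:", evaluate(negation_chain(nets), dst),
              "accept-first:", evaluate(accept_first_chain(nets), dst))
    print("\n".join(iptables_commands(nets)))
```

With a single excluded net the negation rule behaves as intended; it is the second `!` rule that makes the union of the two negations cover every address.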