On Tue, Dec 14, 2010 at 08:54, iic1tls <iic1tls@xxxxxxxxx> wrote:
> I have attempted several iptables rules, including:
>
> iptables -v -t nat -A PREROUTING --in-interface eth1 --dport 80 -d www.website.com -j DNAT --to 149.10.10.25

When you hit enter to commit this rule, the iptables command resolves www.website.com to an IP address and then hands the request to add a rule to netfilter. The in-kernel rule will not change when website.com's IP changes, which may happen at any time. If clients get a different IP for website.com (say they have multiple IPs), their access will not be intercepted by the iptables rule.

iptables does not filter on domain names. You must absolutely, and without exception, do something in addition to iptables, like intercept all DNS queries or force all web traffic through a proxy.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
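To make the point above concrete, here is an added audit helper (not from the thread or the netfilter project) that compares the addresses baked into DNAT rules with what the hostname resolves to now. The `iptables-save` excerpt and the 203.0.113.x addresses are constructed sample data; resolution results are passed in as a parameter so the check runs offline, with `resolve_all()` available for live use.

```python
"""Flag DNAT rules whose hard-coded destination has drifted from DNS.

netfilter never sees a hostname: iptables resolves it once, at insertion
time, and stores only the resulting address(es). This helper parses an
`iptables-save -t nat` dump and reports rules that point at addresses DNS
no longer returns, and current addresses that no rule covers.
"""
import re
import socket
from typing import Iterable

# Constructed sample of what the kernel actually holds after the quoted
# command was entered: the name is gone, only the resolved address remains.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 149.10.10.25
-A PREROUTING -d 203.0.113.11/32 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 149.10.10.25
COMMIT
"""

# Matches the -d address of any rule that jumps to DNAT.
DEST_RE = re.compile(r"-A (\S+) .*?-d (\d+\.\d+\.\d+\.\d+)(?:/32)? .*-j DNAT")


def dnat_destinations(save_output: str) -> list[str]:
    """Return the -d addresses stored in every DNAT rule of the dump."""
    return [m.group(2) for line in save_output.splitlines()
            if (m := DEST_RE.search(line))]


def resolve_all(host: str) -> set[str]:
    """Current IPv4 answers for host (live DNS lookup; not used offline)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)}


def stale_destinations(save_output: str, current_ips: Iterable[str]) -> dict[str, list[str]]:
    """'stale': in a rule but no longer returned by DNS (dead rule).
    'uncovered': returned by DNS but matched by no rule (traffic slips past)."""
    in_rules = set(dnat_destinations(save_output))
    live = set(current_ips)
    return {"stale": sorted(in_rules - live), "uncovered": sorted(live - in_rules)}


if __name__ == "__main__":
    # Pretend www.website.com now answers with one old and one new address.
    print(stale_destinations(SAMPLE_NAT_RULES, ["203.0.113.10", "203.0.113.99"]))
```

Run it from cron against `iptables-save -t nat` and `resolve_all("www.website.com")`; a non-empty `uncovered` list is exactly the case the reply warns about.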