Linux – IPTABLES PREROUTING all traffic in subnet transparently to proxy, except for one host

Tags: firewall, iptables, linux

I have a firewall between 192.168.255.0 and 172.16.255.0, both /24. 192.168.255.0 gets DNAT'd to a proxy server @ 172.16.255.5:8080. I want this to continue; however, I have a web server at 172.16.255.50 that I want a direct connection to for testing. I've tried this statement, but iptables keeps erroring when I try to add it:

iptables -I PREROUTING -i eth1 -d \! 172.16.255.50 -p tcp --dport 80 -j DNAT --to-destination 172.16.255.5:8080

Thanks!!

Best Answer

There are 2 issues here

  1. You left off -t nat, so it's trying to add to the PREROUTING chain in the filter table, which doesn't exist.
  2. The 'not' (!) has to go before the -d.

Working solution:

iptables -t nat -I PREROUTING -i eth1 \! -d 172.16.255.50 -p tcp --dport 80 -j DNAT --to-destination 172.16.255.5:8080


Alternatively, you can put a rule in before that one which matches the exception traffic and does nothing with it. iptables stops once it hits the first matching rule, so it never gets to the later rule.

# Exception first. The rule needs a terminating target: a rule with no -j only
# counts the packet and falls through to the next rule, so the DNAT below would
# still apply. In the nat table, ACCEPT ends NAT processing for the packet
# without rewriting it (RETURN would also work here).
iptables -t nat -A PREROUTING -i eth1 -d 172.16.255.50 -p tcp --dport 80 -j ACCEPT
# Catch-all DNAT for everything else on port 80 from eth1.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 172.16.255.5:8080
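The exception-before-catch-all approach from the answer above scales badly once you have several hosts to exempt and you have to keep the ordering straight by hand. The script below is an added example, not code from the original thread: it puts the transparent-proxy rules in a dedicated nat chain (hypothetical name TPROXY_HTTP), emits one RETURN rule per exempt host ahead of the DNAT, hooks the chain into PREROUTING idempotently with `-C`, and supports a dry run so the generated rule order can be inspected before anything is loaded. The interface, proxy address and chain name are assumptions taken from the question, overridable via environment variables.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds transparent-proxy NAT
# rules in a dedicated nat chain so exemptions are explicit rules rather than
# negated matches. Assumed (hypothetical) values: inside interface eth1, proxy
# 172.16.255.5:8080, chain name TPROXY_HTTP. Run as root to load for real.
set -eu

IN_IF="${IN_IF:-eth1}"
PROXY="${PROXY:-172.16.255.5:8080}"
CHAIN="${CHAIN:-TPROXY_HTTP}"

# run: execute iptables, or just print the command when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# ensure_jump: hook the chain into nat PREROUTING exactly once.
# `iptables -C` returns non-zero when the rule is absent, so repeated runs
# of this script do not stack duplicate jump rules.
ensure_jump() {
    if [ -n "${DRY_RUN:-}" ] || \
       ! iptables -t nat -C PREROUTING -i "$IN_IF" -p tcp --dport 80 -j "$CHAIN" 2>/dev/null; then
        run -t nat -A PREROUTING -i "$IN_IF" -p tcp --dport 80 -j "$CHAIN"
    fi
}

# apply_rules EXEMPT_HOST...: (re)build the chain. Each exempt host gets a
# RETURN rule ahead of the catch-all DNAT. RETURN leaves the chain without
# rewriting the packet, so PREROUTING continues after the jump (normally
# with nothing left to match) and the packet is routed to its real address.
apply_rules() {
    run -t nat -N "$CHAIN" 2>/dev/null || true   # ignore "chain already exists"
    run -t nat -F "$CHAIN"                        # start from a clean chain
    for host in "$@"; do
        run -t nat -A "$CHAIN" -d "$host" -j RETURN
    done
    run -t nat -A "$CHAIN" -j DNAT --to-destination "$PROXY"
    ensure_jump
}

# check_order: read a dry-run listing on stdin and fail if any RETURN rule
# in the chain comes after the DNAT. Order matters because iptables acts on
# the first terminating match.
check_order() {
    awk -v chain="-A $CHAIN" '
        index($0, chain) && /-j RETURN/ { if (seen_dnat) bad = 1 }
        index($0, chain) && /-j DNAT/   { seen_dnat = 1 }
        END { exit bad ? 1 : 0 }'
}

# Usage: DRY_RUN=1 sh tproxy.sh 172.16.255.50 172.16.255.51 | check-by-eye
# Without DRY_RUN (and as root) the same invocation loads the rules.
if [ $# -gt 0 ]; then
    apply_rules "$@"
fi
```

Dry-run output lists the rules in the order they would be added; pipe it through `check_order` to confirm every RETURN precedes the DNAT before loading. Because the exemptions live in their own chain, adding or removing a test host is a one-line change that does not touch the catch-all rule or anything else in PREROUTING.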