English
Ask Your Question
0

iptables rule that excludes a particular ip?

asked 2015-02-19 00:31:39 +0000

Charlweed gravatar image

Currently, all my lan's traffic get filtered through dansguardian because I have the following as the last rule in iptables' nat PREROUTING chain:

--append PREROUTING  --protocol tcp --match tcp --dport   80 --jump REDIRECT --to-ports 8080

I have diagnosed that even when dansguardian is set to “Unrestricted”, the combination of squid and dansguardian breaks a critical application on host 192.168.0.8.

All other traffic is fine, so I just want that one workstation NOT to be redirected. Im looking for the correct form for "all tcp port 80 traffic unless source is 192.168.0.8"

So can someone help me with the correct rule, or provide a rule to skip the rest of the chain if the source is a particular IP?

Thanks!

edit retag flag offensive close merge delete

3 answers

Sort by » oldest newest most voted
0

answered 2015-02-19 19:06:58 +0000

Charlweed gravatar image

Sleeping on the problem helped, and I think I figured out how to do it. To skip the last rule, which redirects web packects to my proxy, I inserted the following as the second-to-last rule:

--append PREROUTING --source 192.168.0.8 --jump RETURN

as the man page says... RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

edit flag offensive delete link more
0

answered 2015-02-19 05:05:44 +0000

idrodebush gravatar image

You should be able to use ! to specify the source you want to exclude. So maybe something like;

--append PREROUTING -s ! 192.168.0.8 --protocol tcp --match tcp --dport 80 --jump REDIRECT --to-ports 8080

edit flag offensive delete link more
0

answered 2015-02-19 05:13:55 +0000

sideburns gravatar image

This isn't really a Fedora question because iptables is a standard Linux/Unix program. You may have better luck checking out the online documentation or possibly a mailing list devoted to iptables. In theory, I should probably close this question because it's not exactly Fedora-specific but I'm not going to because it's an interesting question and somebody here might know just what you need.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

[hide preview]

Use your votes!

  • Use the 30 daily voting points that you get!
  • Up-vote well framed questions that provide enough information to enable people provide answers.
  • Thank your helpers by up-voting their comments and answers. If a question you asked has been answered, accept the best answer by clicking on the checkbox on the left side of the answer.
  • Down-voting might cost you karma, but you should consider doing so for incorrect or clearly detrimental questions and answers.

Question Tools

Follow
1 follower

subscribe to rss feed

Stats

Asked: 2015-02-19 00:31:39 +0000

Seen: 1,665 times

Last updated: Feb 19 '15

Related questions

basic NAT/masquerading setup

port forwarding with kernel 3.3.0 not working

Netfilter queue and firewalld

add IP to firewall

How I block internet access for a concrete program?

firewalld dropping new connections in Default zone when using NAT?

iptables TRACE and journalctl

Failed to start IPv4 firewall with iptables

FirewallD vs iptables

Network Forwarding from a subnet

Ask Fedora is community maintained and Red Hat or Fedora Project is not responsible for content. Content on this site is licensed under a CC-BY-SA 3.0 license.
about | faq | help | privacy policy | give feedback
Powered by Askbot version 0.7.51