
iptables rule that excludes a particular ip?

asked 2015-02-18 18:31:39 -0500

Charlweed

Currently, all my LAN's traffic gets filtered through dansguardian because I have the following as the last rule in iptables' nat PREROUTING chain:

--append PREROUTING  --protocol tcp --match tcp --dport   80 --jump REDIRECT --to-ports 8080

I have diagnosed that even when dansguardian is set to “Unrestricted”, the combination of squid and dansguardian breaks a critical application on host

All other traffic is fine, so I just want that one workstation NOT to be redirected. I'm looking for the correct form for "all tcp port 80 traffic unless source is"

So can someone help me with the correct rule, or provide a rule to skip the rest of the chain if the source is a particular IP?



3 Answers


answered 2015-02-18 23:05:44 -0500

idrodebush

You should be able to use ! to specify the source you want to exclude. So maybe something like:

--append PREROUTING -s ! --protocol tcp --match tcp --dport 80 --jump REDIRECT --to-ports 8080


answered 2015-02-19 13:06:58 -0500

Charlweed

Sleeping on the problem helped, and I think I figured out how to do it. To skip the last rule, which redirects web packets to my proxy, I inserted the following as the second-to-last rule:

--append PREROUTING --source --jump RETURN

As the man page says: RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

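The two approaches from the answers above (idrodebush's negated source match, and Charlweed's RETURN rule placed ahead of the REDIRECT) assembled into a loadable nat-table fragment, as an added example that is not code from the original thread. The exempt workstation address 192.0.2.10 is a placeholder I chose (the thread does not show the real host), the proxy port is 8080 as in the question, and the rules are emitted in iptables-restore syntax so the ruleset can be parsed with `iptables-restore --test` before anything is committed. The check function encodes the one thing that silently breaks the RETURN approach: iptables is first-match, so a RETURN that lands after the REDIRECT never fires.

```shell
#!/bin/sh
# Added example (not from the original thread): build the nat-table rules
# that exempt one LAN host from a transparent port-80 redirect, and check
# the rule order before loading.
# Assumptions not stated on the page: the host to exempt is 192.0.2.10
# (a TEST-NET placeholder); the proxy listens on local port 8080.

PROXY_PORT=8080

# Variant 1 (negated source match): exclude the host on the REDIRECT rule
# itself.  Modern iptables expects '!' before the option it negates;
# '-s ! addr' is the old spelling and is rejected by recent versions.
nat_rules_negate() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING ! -s $1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
COMMIT
EOF
}

# Variant 2 (RETURN before REDIRECT): RETURN in a built-in chain stops
# traversal and hands the packet to the chain policy, which is ACCEPT for
# nat PREROUTING, so the exempt host is never redirected.  Limiting the
# RETURN to tcp/80 keeps any later PREROUTING rules in force for that host.
nat_rules_return() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s $1 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
COMMIT
EOF
}

# Order check.  Succeeds (exit 0) only if a RETURN rule for the given host
# appears in the PREROUTING chain *before* the first REDIRECT; a RETURN
# appended after the REDIRECT is dead code because iptables is first-match.
check_return_precedes_redirect() {
    ruleset="$1"
    ip="$2"
    ret_line=$(printf '%s\n' "$ruleset" \
        | grep -n -- "-A PREROUTING -s $ip .*-j RETURN" | head -n 1 | cut -d: -f1)
    red_line=$(printf '%s\n' "$ruleset" \
        | grep -n -- "-j REDIRECT" | head -n 1 | cut -d: -f1)
    [ -n "$ret_line" ] && [ -n "$red_line" ] && [ "$ret_line" -lt "$red_line" ]
}

# Usage: sh exempt.sh 192.0.2.10 | iptables-restore --test
# (prints the RETURN-based ruleset for the given host; drop --test to load it)
if [ -n "${1:-}" ]; then
    rules=$(nat_rules_return "$1")
    check_return_precedes_redirect "$rules" "$1" || { echo "bad rule order" >&2; exit 1; }
    printf '%s\n' "$rules"
fi
```

On a running system `-A` appends, so to get the RETURN ahead of an existing REDIRECT use `iptables -t nat -I PREROUTING 1 -s 192.0.2.10 -p tcp --dport 80 -j RETURN` and confirm the order with `iptables -t nat -L PREROUTING -n --line-numbers`. Since the fragment names only the `*nat` table, `iptables-restore` leaves the filter table alone. Either way the exemption is keyed on a source address, so give that workstation a static address or a DHCP reservation: if the lease moves, whichever host inherits the address inherits the bypass of the content filter.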

answered 2015-02-18 23:13:55 -0500

sideburns

This isn't really a Fedora question because iptables is a standard Linux/Unix program. You may have better luck checking out the online documentation or possibly a mailing list devoted to iptables. In theory, I should probably close this question because it's not exactly Fedora-specific but I'm not going to because it's an interesting question and somebody here might know just what you need.



Last updated: Feb 19 '15