[ILUG] really being specific with iptables.

Darragh lists at digitaldarragh.com
Wed Jan 9 20:24:50 GMT 2008


Thanks for your response.

On Wed, January 9, 2008 9:00 am, Pawel Bogucki wrote:

> forward only internal addresses to squid excluding request with server
> address
>
> iptables -A PREROUTING -t nat -p tcp -i $INTERNAL_INTERFACE -d
> !$SERVER_ADDRESS --dport 80 -j DNAT --to-destination
> $SERVER_ADDRESS:3028
>
> something like that
>
>
> --
> Pawel Bogucki

I read the iptables man page today again.  It's a very good document I
have to say but there are a few things that are not clear.  For a start,
--src-range does not seem to be recognised by iptables.  It says invalid
argument.

Here is a rule that I've created to only allow one IP to access the server
from port 80.   I'd rather let all public IPs access it but the src range
didn't work and neither did source !xxxx so for testing I decided to give
this a try.

Here are the commands I've tried to use with no success.  I still don't
seem to get access.

tcpdump -nn port 80 does show that a connection is definitely reaching the
server though.

iptables -A PREROUTING -t nat -p tcp -s !192.168.2.0/24 -dport 80 -j
REDIRECT --to-ports 80

I also tried a variation first as follows:

iptables -A PREROUTING -t nat -p tcp -s xxx.xxx.xxx.xxx -dport 80 -j
REDIRECT --to-ports 80
obviously the x's can be replaced by the actual IP.

Finally I also tried --src-range as follows:
iptables -A PREROUTING -t nat -p tcp --source-range
192.168.2.0-192.168.2.254 -dport 80 -j
REDIRECT --to-ports 80

The second command does not return an error at the command line, however
the first and the third are not accepted at all.  Interestingly, when I
use -s !192.168.2.0/24 I get a very strange error about trying to cat
squid.conf.  When I press up arrow when trying to re-enter the command I see
that it's actually putting in a command, at the start of the IP address,
that I typed days ago.
I've a feeling it's some kind of very strange bug.

Can anyone indicate where I'm going wrong with these commands?
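An added example, not part of the thread: a small POSIX sh lint that catches the three syntax problems visible in the commands above (long options written with a single dash, a negation glued to its value so that an interactive bash reads "!192" as history event number 192 and substitutes that old command, and --src-range used without its iprange match), with corrected spellings of the same rules for comparison. The rule strings are constructed from the message; eth1 is an assumed LAN interface name.

```sh
#!/bin/sh
# Lint an iptables command line before typing it at an interactive shell.
# Prints one finding per problem, space separated; prints nothing when clean.
lint_iptables_rule() {
    rule=$1
    findings=""
    set -f                      # no globbing while the rule is split into words
    for word in $rule; do
        case $word in
            -dport|-sport|-dports|-sports|-source|-destination)
                # long options take two dashes; iptables rejects "-dport"
                findings="$findings single-dash-long-option($word)";;
            !?*)
                # "!192.168.2.0/24" glued together: an interactive bash reads
                # "!192" as history event 192 and substitutes that old command
                # ("!$" likewise expands to the last word of the previous command).
                # Written as a separate word, "! -s 192.168.2.0/24", it is safe.
                findings="$findings history-expansion-risk($word)";;
            --src-range|--dst-range)
                # these belong to the iprange match, which has to be loaded
                case " $rule " in
                    *" -m iprange "*|*" --match iprange "*) ;;
                    *) findings="$findings $word-without-m-iprange";;
                esac;;
            --source-range|--destination-range)
                # not iptables options; iprange uses --src-range / --dst-range
                findings="$findings unknown-option($word)";;
        esac
    done
    set +f
    printf '%s\n' "${findings# }"
}

# The rules from the message, as typed (constructed sample input).
RULE_NEGATED='iptables -A PREROUTING -t nat -p tcp -s !192.168.2.0/24 -dport 80 -j REDIRECT --to-ports 80'
RULE_RANGE='iptables -A PREROUTING -t nat -p tcp --source-range 192.168.2.0-192.168.2.254 -dport 80 -j REDIRECT --to-ports 80'

# The same rules with the syntax corrected (eth1 is an assumed LAN interface).
FIXED_NEGATED='iptables -t nat -A PREROUTING -i eth1 -p tcp ! -s 192.168.2.0/24 --dport 80 -j REDIRECT --to-ports 80'
FIXED_RANGE='iptables -t nat -A PREROUTING -i eth1 -p tcp -m iprange --src-range 192.168.2.0-192.168.2.254 --dport 80 -j REDIRECT --to-ports 80'

lint_iptables_rule "$RULE_NEGATED"   # history-expansion-risk(!192.168.2.0/24) single-dash-long-option(-dport)
lint_iptables_rule "$RULE_RANGE"     # unknown-option(--source-range) single-dash-long-option(-dport)
lint_iptables_rule "$FIXED_NEGATED"  # prints an empty line: no findings
lint_iptables_rule "$FIXED_RANGE"    # prints an empty line: no findings
```

The lint only checks spelling of the command line; whether a REDIRECT to the same port 80 does what is wanted is a separate question for the rule's author.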



