[ILUG] really being specific with iptables.
Francis Daly
francisdaly at gmail.com
Thu Jan 10 01:14:03 GMT 2008
On 09/01/2008, Darragh <lists at digitaldarragh.com> wrote:
Hi there,
I don't know the full fix, and don't have an easy way of testing one,
but I can answer some of your specific questions about command syntax.
> I read the iptables man page today again. It's a very good document I
> have to say but there are a few things that are not clear. For a start,
> --src-range does not seem to be recognised by iptables. It says invalid
> argument.
Before you can use --src-range, you have to include "-m iprange".
> iptables -A PREROUTING -t nat -p tcp -s !192.168.2.0/24 -dport 80 -j
> REDIRECT --to-ports 80
>
> I also tried a variation first as follows:
>
> iptables -A PREROUTING -t nat -p tcp -s xxx.xxx.xxx.xxx -dport 80 -j
> REDIRECT --to-ports 80
> obviously the x's can be replaced by the actual IP.
>
> finally I also tried --src-range as follows:
> iptables -A PREROUTING -t nat -p tcp --source-range
> 192.168.2.0-192.168.2.254 -dport 80 -j
> REDIRECT --to-ports 80
A few things there: you need "-m iprange", for example just after "-p
tcp"; it's --src-range not --source-range; and it's --dport, not
-dport. (Once you've the first fixed, the others become obvious.)
> The second command does not return an error at the command line; however,
> the first and the third are not accepted at all. Interestingly, when I
> use -s !192.168.2.0/24 I get a very strange error about trying to cat
> squid.conf. When I press up arrow to re-enter the command, I see
> that it's actually putting in a command at the start of the IP address
> that I typed days ago.
> I've a feeling it's some kind of very strange bug.
As already described, '!' is magic to bash. You have to quote it or,
probably better for this application, separate it from the following
argument.
> Can anyone indicate where I'm going wrong with these commands?
Hope this helps. Obviously, you want "anything going from this server
to port 80 should be allowed; anything coming to this_server port 80
should be allowed; anything else going to port 80 should be sent to
this_server:3128", but I'm not sure how to spell that in iptables.
When you do get it right, please prod the HOWTO writers to save the
next man the heartache.
Good luck,
f
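As an added illustration (not part of the thread, and not Francis's or Darragh's code), here is a small POSIX sh helper that assembles the corrected form of the three REDIRECT rules discussed above and validates the address spec before anything is handed to iptables. It assumes the "! before the option" placement that iptables 1.4 and later prefer, and it only prints the command line; the IP 192.0.2.10 is a constructed stand-in for the xxx.xxx.xxx.xxx in the original post.

```shell
#!/bin/sh
# Constructed example: build the corrected nat/PREROUTING REDIRECT rules
# from the thread. The negation is always its own argument, placed before
# the option (the form iptables 1.4+ prefers), so the shell never sees
# a bare "!192..." word that bash would try to expand as history.

# valid_ip4 ADDR -> succeeds if ADDR is a dotted quad with octets 0-255
valid_ip4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr . ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# valid_source SPEC -> accepts a.b.c.d, a.b.c.d/nn, or a.b.c.d-w.x.y.z
valid_source() {
  case $1 in
    */*) valid_ip4 "${1%/*}" && [ "${1#*/}" -ge 0 ] && [ "${1#*/}" -le 32 ] ;;
    *-*) valid_ip4 "${1%-*}" && valid_ip4 "${1#*-}" ;;
    *)   valid_ip4 "$1" ;;
  esac
}

# redirect_rule SOURCE DPORT TOPORT -> prints the iptables command line.
# SOURCE may start with '!' to negate the match. Returns 1 on a bad SOURCE.
redirect_rule() {
  src=$1 dport=$2 toport=$3 neg=""
  case $src in '!'*) neg="! "; src=${src#!} ;; esac
  valid_source "$src" || { echo "bad source spec: $src" >&2; return 1; }
  case $src in
    *-*) match="-m iprange ${neg}--src-range $src" ;;  # a range needs -m iprange
    *)   match="${neg}-s $src" ;;                       # host or CIDR: plain -s
  esac
  printf '%s\n' "iptables -t nat -A PREROUTING -p tcp $match --dport $dport -j REDIRECT --to-ports $toport"
}

# Dry run of the three rules from the thread, sending port 80 to the
# proxy port 3128 that the reply mentions (192.0.2.10 is a constructed IP):
for s in '!192.168.2.0/24' 192.0.2.10 192.168.2.0-192.168.2.254; do
  redirect_rule "$s" 80 3128
done
```

Paste the printed line into a root shell only after it looks right; a rejected spec such as 192.168.2.300 prints an error instead of a rule.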