[ILUG] really being specific with iptables.

Pawel Bogucki pawel.bogucki at gmail.com
Thu Jan 10 09:31:49 GMT 2008


On Jan 9, 2008 8:24 PM, Darragh <lists at digitaldarragh.com> wrote:
> Thanks for your response.
>
> On Wed, January 9, 2008 9:00 am, Pawel Bogucki wrote:
>
> > forward only internal addresses to squid, excluding requests with the server
> > address
> >
> > iptables -A PREROUTING -t nat -p tcp -i $INTERNAL_INTERFACE -d
> > !$SERVER_ADDRESS --dport 80 -j DNAT --to-destination
> > $SERVER_ADDRESS:3028
> >
> > something like that
> >
> >
> > --
> > Pawel Bogucki
>
> I read the iptables man page today again.  It's a very good document I
> have to say, but there are a few things that are not clear.  For a start,
> --src-range does not seem to be recognised by iptables; it says invalid
> argument.
>
> Here is a rule that I've created to only allow one IP to access the server
> from port 80.   I'd rather let all public IPs access it, but the src range
> didn't work and neither did source !xxxx, so for testing I decided to give
> this a try.
>
> Here are the commands I've tried to use with no success.  I still don't
> seem to get access.
>
> tcpdump -nn port 80 does show that a connection is definitely reaching the
> server though.
>
> iptables -A PREROUTING -t nat -p tcp -s !192.168.2.0/24 -dport 80 -j
> REDIRECT --to-ports 80
>
> I also tried a variation first as follows:
>
> iptables -A PREROUTING -t nat -p tcp -s xxx.xxx.xxx.xxx -dport 80 -j
> REDIRECT --to-ports 80
> obviously the x's can be replaced by the actual IP.
>
> finally I also tried --src-range as follows:
> iptables -A PREROUTING -t nat -p tcp --source-range
> 192.168.2.0-192.168.2.254 -dport 80 -j
> REDIRECT --to-ports 80
>
> The second command does not return an error at the command line; however,
> the first and the third are not accepted at all.  Interestingly, when I
> use -s !192.168.2.0/24 I get a very strange error about trying to cat
> squid.conf.  When I press up arrow to re-enter the command I see
> that it's actually putting in a command at the start of the IP address
> that I typed days ago.
> I've a feeling it's some kind of very strange bug.
>
> Can anyone indicate where I'm going wrong with these commands?
>
  $IPT -t nat -A PREROUTING -i $INTIF -p tcp -s $i -j DNAT --to $INTIP:3128 --dport 80 -d ! 192.168.16.10

This is the exact line I was using in my previous work,
so the problem seems to be that I missed a space between ! and
$SERVER_ADDRESS in my previous post.

Here are the variables:

#path to iptables
IPT='/sbin/iptables'
#internal interface
INTIF='eth0'
#internal address of the server
INTIP='192.168.16.10'

'i' was read from the file which contained the allowed IP addresses, and
the command was run in a loop.
I think you can use your network in here: 192.168.2.0/24



-- 
Pawel Bogucki
Skype: pbogu_
JabberID: pawel.bogucki at gmail.com
GSM: +353 85 8184879
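As an added example (not code from the thread or either poster), the script below generates the PREROUTING DNAT rules the reply describes, with the variable names from the post and the operand order current iptables accepts; `PROXY_PORT`, the dry-run mode, and the rule-building functions are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the transparent-proxy DNAT rules discussed above.
# Prints the commands by default so it can be reviewed without root;
# run with APPLY=1 to hand them to iptables.
IPT='/sbin/iptables'            # path to iptables, as in the post
INTIF='eth0'                    # internal interface
INTIP='192.168.16.10'           # internal address of the proxy server
PROXY_PORT='3128'               # squid listen port (assumed)

# Print (or apply) one rule.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        printf '%s\n' "$IPT $*"
    fi
}

# Redirect port-80 traffic from one source (address or CIDR) to the proxy,
# except traffic addressed to the proxy host itself.  The negation is
# written "! -d ADDR": bang first, then a space, then the option.  Writing
# "-d !ADDR" with no space is rejected, and in an interactive bash a bare
# "!..." also triggers history expansion, which pulls in old command text.
# The option is "--dport"; "-dport" parses as "-d port".
redirect_src() {
    rule -t nat -A PREROUTING -i "$INTIF" -p tcp -s "$1" ! -d "$INTIP" \
        --dport 80 -j DNAT --to-destination "$INTIP:$PROXY_PORT"
}

# Same for an address range: --src-range exists only inside the iprange
# match module, so it must be preceded by "-m iprange".
redirect_range() {
    rule -t nat -A PREROUTING -i "$INTIF" -p tcp -m iprange --src-range "$1" \
        ! -d "$INTIP" --dport 80 -j DNAT --to-destination "$INTIP:$PROXY_PORT"
}

# Loop over a file of allowed addresses, one per line, skipping blanks
# and comments, as the reply describes doing for $i.
redirect_from_file() {
    while read -r ip; do
        case "$ip" in ''|'#'*) continue ;; esac
        redirect_src "$ip"
    done < "$1"
}
```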


