Answer to DNAT / OUTPUT chain question.
Tue, 11 Jun 2002 08:10:45 -0400
First, I'd like to thank Antony for putting my head back on straight.
The OUTPUT chain, as we should know (oopsie), is used to handle packets
sourced from the Firewall system outbound to a network. What I wanted to do
was change packets that were being routed by the firewall, not created by
it, so I needed to be using the PREROUTING chain, on the nat table.
I wanted to redirect an IP subnet to a single webserver with an acceptable
use policy when a client on that subnet tried to access a "restricted"
webserver, without stopping these clients from accessing acceptable servers.
My method to do this is as follows:
iptables -t nat -A PREROUTING -s restrictednet -d acceptedhost -p tcp \
    --dport 80 -j RETURN
...repeat as needed...
iptables -t nat -A PREROUTING -s restrictednet -p tcp --dport 80 -j DNAT \
    --to-destination aupwebserver
I'm sure there are other ways to do this, however I've tested this method
and it works rather well.
Thanks for everyone's help.
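The following is an added example, not part of the original post, showing the same PREROUTING layout as a small POSIX shell script: one RETURN rule per accepted host, then the catch-all DNAT to the acceptable-use-policy server, generated by a function so the ordering can be checked before anything touches the kernel. The subnet, server and host values are placeholders chosen here; the hairpin MASQUERADE rule is an extra case not discussed in the post, needed only when the AUP server sits on the restricted subnet itself (otherwise its replies reach the client directly, bypassing the firewall's NAT state, and the client resets the connection).

```shell
#!/bin/sh
# Added example: build the nat/PREROUTING rule set described in the post.
# RESTRICTED_NET, AUP_SERVER and the accepted-host list are placeholders.

# Print the rules for one restricted subnet.  Order matters: the per-host
# RETURNs must come before the catch-all DNAT, because the first matching
# terminating target in PREROUTING decides the packet's fate (RETURN in a
# built-in chain falls through to the chain's ACCEPT policy, i.e. no NAT).
# Usage: gen_rules <restricted_net> <aup_server_ip> [accepted_host ...]
gen_rules() {
    net=$1
    aup=$2
    shift 2
    for host in "$@"; do
        printf 'iptables -t nat -A PREROUTING -s %s -d %s -p tcp --dport 80 -j RETURN\n' \
            "$net" "$host"
    done
    printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport 80 -j DNAT --to-destination %s:80\n' \
        "$net" "$aup"
}

# Only needed when the AUP server lives inside the restricted subnet: without
# this, the DNATed server answers the client directly and the reply never
# passes back through the firewall to be un-NATed.
# Usage: hairpin_rule <restricted_net> <aup_server_ip>
hairpin_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp --dport 80 -j MASQUERADE\n' \
        "$1" "$2"
}

# Apply the generated rules idempotently: probe with -C (check) first so
# re-running the script does not append duplicate rules.  Requires root.
apply_rules() {
    gen_rules "$@" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A PREROUTING / -C PREROUTING /')
        # shellcheck disable=SC2086  # intentional word splitting of the rule
        if ! $check >/dev/null 2>&1; then
            $rule
        fi
    done
}

# Stand-alone run: print the rule set for constructed sample values.
if [ "${1:-}" = "--demo" ]; then
    gen_rules 192.168.10.0/24 10.0.0.5 10.0.0.80 10.0.0.81
    hairpin_rule 192.168.10.0/24 10.0.0.5
fi
```

After applying, confirm the order and hit counters with `iptables -t nat -L PREROUTING -n -v --line-numbers`; the RETURN rules should sit above the DNAT rule and accumulate counters when a restricted client reaches an accepted host.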