iptables Qu: how to specify !dst:port

iptables Qu: how to specify !dst:port

[Die Optimisten]

Hallo!

I want to DNAT all incoming 0/0:443, except those to localhost:443
        to my proxy localhost:8000
What is the best line to achive that?

-d 0/0:443  -and ! -d 127.0.0.0
# seems -and does not exist...

THANKS,
Andrew

Please be so kind, and also answer to me per email, I#m not in the
mailinglist

Re: iptables Qu: how to specify !dst:port

[Arturo Borrero Gonzalez]

2013/7/12 Die Optimisten <inform@die-optimisten.net>:
> Hallo!
>
> I want to DNAT all incoming 0/0:443, except those to localhost:443
>         to my proxy localhost:8000
> What is the best line to achive that?
>
> -d 0/0:443  -and ! -d 127.0.0.0
> # seems -and does not exist...
>
> THANKS,
> Andrew
>
> Please be so kind, and also answer to me per email, I#m not in the
> mailinglist
>

I would try this:

iptables -t nat -A PREROUTING ! -d 127.0.0.1 -p tcp --dport 443 -j
DNAT --to-destination 127.0.0.1:8000

Regards.
--
Arturo Borrero González

Re: iptables Qu: how to specify !dst:port

[Die Optimisten]

Hi!
Thanks for your fast answer!!

How can I write -t nat
    [all except these 2:]    (! -d 127.0.0.1 -and  ! -d  192.168.0.0/16)  ?

Can I generally generate (kernel-hanging) loops with -nat , or is this
recognized/inhibited ?

Please also To:/Cc:inform@die-optimisten.net !
thanks
Andrew

On 2013-07-12 14:10, Arturo Borrero Gonzalez wrote:
> 2013/7/12 Die Optimisten <inform@die-optimisten.net>:
>   
>> Hallo!
>>
>> I want to DNAT all incoming 0/0:443, except those to localhost:443
>>         to my proxy localhost:8000
>> What is the best line to achive that?
>>
>> -d 0/0:443  -and ! -d 127.0.0.0
>> # seems -and does not exist...
>>
>> THANKS,
>> Andrew
>>
>> Please be so kind, and also answer to me per email, I#m not in the
>> mailinglist
>>
>>     
> I would try this:
>
> iptables -t nat -A PREROUTING ! -d 127.0.0.1 -p tcp --dport 443 -j
> DNAT --to-destination 127.0.0.1:8000
>
> Regards.
> --
> Arturo Borrero González
>   

Re: iptables Qu: how to specify !dst:port

[Arturo Borrero Gonzalez]

2013/7/12 Die Optimisten <inform@die-optimisten.net>:
> Hi!
> Thanks for your fast answer!!
>
> How can I write -t nat
>     [all except these 2:]    (! -d 127.0.0.1 -and  ! -d  192.168.0.0/16)  ?
>

I would do it with ipset(8).

--
Arturo Borrero González

Re: iptables Qu: how to specify !dst:port

[Pascal Hambourg]

Hello,

Arturo Borrero Gonzalez a écrit :
> 2013/7/12 Die Optimisten <inform@die-optimisten.net>:
>>
>> How can I write -t nat
>>     [all except these 2:]    (! -d 127.0.0.1 -and  ! -d  192.168.0.0/16)  ?
> 
> I would do it with ipset(8).

ipset is overkill for just a couple of prefixes.

iptables -t nat -A PREROUTING -d 192.168.0.0/16 -p tcp --dport 443 \
  -j RETURN
iptables -t nat -A PREROUTING ! -d 127.0.0.1 -p tcp --dport 443 \
  -j DNAT --to 127.0.0.1:8000

Re: iptables Qu: how to specify !dst:port

[Die Optimisten]

On 2013-07-12 14:50, Arturo Borrero Gonzalez wrote:
> 2013/7/12 Die Optimisten <inform@die-optimisten.net>:
>   
>> Hi!
>> Thanks for your fast answer!!
>>
>> How can I write -t nat
>>     [all except these 2:]    (! -d 127.0.0.1 -and  ! -d  192.168.0.0/16)  ?
>>
>>     
> I would do it with ipset(8).
>
> --
> Arturo Borrero González
>   
Hello
Aha, seems it is not possible with iptables (alone)?
- Is it also possible to check against 1000 IPs with ipset  (performance) ?
How to check against 1000 MACs (no mactables?!, only aprtables)

  Another question (yes, I know this is a iptables-list, but perhaps
interesting to all):
I've heard it is possible to have a tunnel, which doesn't disconnect the
inside running (tcp-) sessions, if connection is lost.
How can this be done?
Is there a max (inner) timeout, within that you have to reconnect the
outer tunnel? How can the timeout be changed?
Or is there a possibility to reopen the tunnel next day without breaking
the inner connections?That would be fine!
Sg. existing already?
Idea: a tool that "simulates" the other end and takes over the
connection, when other side doesn't respond (just ACKs, without data?)


Please also reply to me directly  inform@die-optimisten DOT net

thanks again!
Andrew