I need help to exclude a single Ip address from a prerouting rule on all ports. Anybody who connects to my access point, gets redirected to my Captive Portal(Landing Page). Therefore I want to make a new rule, I don't want my existing prerouting rule to be modified/deleted.
The prerouting rule I already made, routs incoming ports, except port 22(SSH) to the captive portal. Therefore I use this rule:
sudo iptables -t nat -A PREROUTING -p tcp --match multiport ! --dport 22 ! -s 192.168.42.19 -j DNAT --to-destination 192.168.42.1:8080
What I want is to make an exclusion for specific users, therefore I want to stop certain ip addresses from being forwarded. I tried different things, but I can't get anything to work. I tried different INPUT and OUTPUT rules, but no luck. I think I should do something with PREROUTING, but how?
If you're just trying to prevent some traffic from hitting a specific rule, you could put a RETURN or ACCEPT rule for that traffic before the rule you're trying to avoid.
For example, you could change your current rule to three rules:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -s 192.168.42.19 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -j DNAT --to-destination 192.168.42.1:8080
Note the difference between ACCEPT and RETURN (from iptables(8) man page):
ACCEPT means to let the packet through.
RETURN means stop traversing this chain and resume at
the next rule in the previous (calling) chain.
Using this approach, you could leave your current rule alone and preceded it with an arbitrary number of rules that describe the different types of traffic that you don't want to hit your NAT rule.
Looking at iptables counters is a good way to tell whether your traffic is hitting the rules that you expect (e.g. iptables -t nat -L PREROUTING -vn
).