I note that the example destination IP you give is not, in fact, an IP address (which is what iptables
deals in) but a fully-qualified domain name. However, let's assume you really had quoted an IP address, and let's assume it was 198.51.100.1
(in line with our advice on example IP addresses).
With only one address to exempt, you can add it to the rule as an explicit exemption:
iptables -t nat -A PREROUTING -p tcp --dport 80 \! -d 198.51.100.1 -j REDIRECT --to-port 1000
Note the use of the backslash to protect the negation (!) from the shell. If you had more addresses to exempt, it's simpler to write explicit rules that match those addresses and finish processing with a harmless dispositive target, then leave a catch-all rule at the end to deal with everything else:
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 192.0.2.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 198.51.100.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 203.0.113.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 1000
Note that, as ever, order is important in iptables rules. Where these come in your chain is important, and you need to have a care to get it right.
Edit: you ask what will happen to packets that match the rules with ACCEPT targets, i.e. the exempted packets. Once they match ACCEPT, they will fall out of the PREROUTING nat chain, and no further processing will happen to them in that chain. Their eventual fate will be determined by rules and policies in the other chains they will then pass through.
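To make the point about rule order concrete, here is an added model of first-match evaluation in the nat PREROUTING chain (my own Python, not part of the answer above or of iptables itself). It assumes every rule carries -p tcp --dport 80 and models only the -d match (optionally negated) and the terminating ACCEPT/REDIRECT targets.

```python
import ipaddress

# One rule of the nat PREROUTING chain: a destination match (optionally
# negated, like "! -d") plus a terminating target (ACCEPT or REDIRECT).
# Assumption: every rule also matches -p tcp --dport 80, so that is implied.
def rule(target, dst=None, negate=False, to_port=None):
    return {"target": target,
            "dst": ipaddress.ip_network(dst) if dst else None,
            "negate": negate, "to_port": to_port}

def matches(r, dst_ip):
    """A rule without -d matches every packet; with -d, membership in the
    network decides, and '!' inverts that decision."""
    if r["dst"] is None:
        return True
    hit = ipaddress.ip_address(dst_ip) in r["dst"]
    return not hit if r["negate"] else hit

def evaluate(chain, dst_ip, dport=80):
    """Walk the chain in order. The first matching rule ends processing in
    this chain (ACCEPT and REDIRECT are both terminating). Returns the
    verdict and the local port the packet will be delivered to."""
    for r in chain:
        if matches(r, dst_ip):
            if r["target"] == "REDIRECT":
                return ("REDIRECT", r["to_port"])
            return ("ACCEPT", dport)   # leaves the chain, port untouched
    return ("POLICY", dport)           # fell off the end: chain policy applies

# The multi-exemption rule set from the answer, in the correct order
# (documentation networks, as in the answer).
EXEMPT = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
CORRECT = [rule("ACCEPT", dst=n) for n in EXEMPT] + [rule("REDIRECT", to_port=1000)]
# The same rules with the catch-all first: the exemptions are never reached.
WRONG = [rule("REDIRECT", to_port=1000)] + [rule("ACCEPT", dst=n) for n in EXEMPT]
# The single-address form using the negated match ("\! -d 198.51.100.1").
SINGLE = [rule("REDIRECT", dst="198.51.100.1/32", negate=True, to_port=1000)]

if __name__ == "__main__":
    # 10.0.0.5 is a constructed, non-exempt destination.
    for name, chain in (("correct", CORRECT), ("wrong order", WRONG), ("negated", SINGLE)):
        for ip in ("198.51.100.1", "192.0.2.77", "10.0.0.5"):
            print(f"{name:12} {ip:14} -> {evaluate(chain, ip)}")
```

In the correct ordering the exempt destinations leave the chain with ACCEPT on port 80 while everything else is redirected to 1000; with the catch-all first, even the exempt destinations are redirected, which is exactly the ordering mistake the answer warns about.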