
How to block access to a list of sites and show a notification page?

This example, blocking without a page, works correctly:

iptables -I FORWARD -m set --match-set site src,dst -j DROP

I tried to use the following rule to redirect hosts to another server with a page:

iptables -I FORWARD -m set --match-set redirectsites src,dst -j DNAT --to-destination ipaddr

Could you explain what is wrong with the rule above? Thank you for your answers.

Kvartu

1 Answer


You are trying to use DNAT, which is a target for the nat table, in the filter table.

If you want to use the DNAT target, you will have to use iptables -t nat -I PREROUTING instead of iptables -I FORWARD.

Andreas Rogge
  • You mean: iptables -t nat -I PREROUTING -m set --match-set redirectsites src,dst -j DNAT --to-destination ipaddr but it doesn't work – Kvartu Mar 02 '19 at 06:38
  • Is your DNAT-ed traffic allowed by rules in FORWARDING chain? – Tomek Mar 23 '19 at 11:49
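An added example, not from the question or the answer, that puts the two points together: the DNAT rule goes in the nat table's PREROUTING chain, and the rewritten packets still have to be accepted in FORWARD, otherwise a DROP policy or an earlier DROP rule eats them. It assumes the set is a hash:ip set of the sites' addresses (so the match direction is dst), only plain HTTP (port 80) is rewritten, and the notice server address NOTICE_IP is a placeholder. The rules are printed first so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: redirect listed sites to a notice page and let the
# rewritten traffic through FORWARD. NOTICE_IP is a placeholder (TEST-NET-1).
NOTICE_IP="${NOTICE_IP:-192.0.2.10}"
SET_NAME="${SET_NAME:-redirectsites}"

# Print the rule set instead of running it, so it can be reviewed first.
gen_rules() {
    cat <<EOF
ipset create $SET_NAME hash:ip -exist
# DNAT is a nat-table target: rewrite the destination in PREROUTING.
# Only port 80 is rewritten; HTTPS cannot be redirected to a notice page
# without the browser raising a certificate error.
iptables -t nat -I PREROUTING -p tcp --dport 80 -m set --match-set $SET_NAME dst -j DNAT --to-destination $NOTICE_IP
# The rewritten packets are forwarded to NOTICE_IP and still traverse the
# filter table's FORWARD chain, so they must be accepted there explicitly.
iptables -I FORWARD -p tcp -d $NOTICE_IP --dport 80 -j ACCEPT
# Any other traffic to a listed site (other ports, HTTPS) is still dropped.
iptables -A FORWARD -m set --match-set $SET_NAME dst -j DROP
EOF
}

# Run the generated commands (needs root); stop at the first failure.
apply_rules() {
    gen_rules | grep -v '^#' | while IFS= read -r cmd; do
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Sanity check: every DNAT rule emitted must be in the nat table, which is
# exactly the mistake the answer points out.
check_rules() {
    gen_rules | grep -v '^#' | grep -- '-j DNAT' | grep -vq -- '-t nat' && return 1
    return 0
}
```

Run `gen_rules` to inspect the rules, then `apply_rules` as root to install them.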