[CentOS] iptables questions on CentOS

Fri Dec 5 00:57:07 UTC 2008
Robert Spangler <mlists at zoominternet.net>

On Thursday 04 December 2008 04:21, Indunil Jayasooriya wrote:

>  Hi,
>
>  I know these are a few iptables questions, NOT CentOS ones, anyway, I am
>  running a firewall on centos 5.x.
>
>  If you can respond, it would be fine.
>
>
>  I want to add a SNAT rule for one user in LAN to access one particular
>  destination on the internet.
>
>  Let's say www.centos.org
>
>  I added the below rule. But it does NOT work.
>  Pls assume 1.2.3.4 is the real ip of the firewall.
>  ip address 192.168.101.230 is the client PC
>
>  iptables -t nat -A POSTROUTING -o eth0 -s 192.168.101.230 -j SNAT
>  --to-source 1.2.3.4 -d www.centos.org
>
>  Any idea to achieve it?
>
>  And Also,
>
>  the below rule excludes 1 ip. it works fine.
>
>  iptables -t nat -A PREROUTING  -p tcp  -m multiport -s ! 192.168.1.9
>  --destination-port 80,465,995 -j DNAT --to-destination :3128
>
>   I want to exclude about 4 or 5 ips.
>
>   let's say 192.168.1.11, 192.168.1.19, 192.168.1.20,192.168.1.25
>
>   Is there a way to do it?
>
>  Hope to hear from you.

I take it the firewall has 2 interfaces, WAN and LAN.  Without knowing how you 
have things set up now, you could simply add the following:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i <LAN> -s 192.168.1.11 -j DROP
iptables -A FORWARD -i <LAN> -s 192.168.1.19 -j DROP
iptables -A FORWARD -i <LAN> -s 192.168.1.25 -j DROP

Should any of these IPs need access to the firewall then you need to place 
those rules before these.


-- 

Regards
Robert

It is not just an adventure.
It is my job!!

Linux User #296285
http://counter.li.org
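A way to write both of the original questions (single-client SNAT to one destination, and several LAN hosts excluded from the proxy DNAT) as a rule generator that prints the commands for review instead of loading them; this is an added example, not from either poster. The interface names eth0/eth1, the variable names, and the use of per-host RETURN rules placed ahead of the DNAT rule are my assumptions.

```shell
#!/bin/sh
# Constructed values; addresses and ports are those from the question.
LAN_IF=eth1
WAN_IF=eth0
FW_IP=1.2.3.4                 # public address of the firewall
CLIENT=192.168.101.230        # the one LAN host allowed out via SNAT
DEST=www.centos.org           # resolved by iptables only at load time
PROXY_PORT=3128
EXCLUDED="192.168.1.11 192.168.1.19 192.168.1.20 192.168.1.25"

# Question 1: SNAT only this client and only toward this destination.
# Option order does not matter to iptables; -d is just placed before -j here.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -j SNAT --to-source %s\n' \
        "$WAN_IF" "$CLIENT" "$DEST" "$FW_IP"
}

# Question 2: one RETURN rule per excluded host, then the catch-all DNAT.
# RETURN leaves the PREROUTING chain before the redirect is reached, so the
# exceptions must be appended first; a single "! -s" cannot hold several hosts.
exclude_rules() {
    for ip in $EXCLUDED; do
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -j RETURN\n' "$LAN_IF" "$ip"
    done
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -m multiport --dports 80,465,995 -j DNAT --to-destination :%s\n' \
        "$LAN_IF" "$PROXY_PORT"
}

# Number of exception rules generated (useful as a sanity check before loading).
exclude_count() {
    exclude_rules | grep -c -- '-j RETURN'
}

snat_rule
exclude_rules
```

Review the printed commands, then pipe them to `sh` on the firewall; a fixed destination IP is safer than a hostname, since the hostname is resolved once at rule-load time only.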