Am 11.03.2018 um 11:53 schrieb Nicolas Kovacs <info at microlinux.fr>: > > I've experimented some more, and I have a partial success. Here, I'm > redirecting all HTTPS traffic *except* the one that goes to my bank: > > iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d > www.credit-cooperatif.coop --dport 443 -j REDIRECT --to-port 3129 > > This works because my bank is hosted on a single IP. As soon as I > replace that with a domain that's hosted on multiple IP's, I get this: > > iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d www.google.com > --dport 443 -j REDIRECT --to-port 3129 May I ask, after all it doesn't work with google.com, right? > # firewall.sh > iptables v1.4.21: ! not allowed with multiple source or destination IP > addresses > > So my question is: how can I write an iptables rule (or series of rules) > that redirect all traffic to my proxy, *except* the one going to > <list_of_domains> ? It is not a good practice to place domain names into iptables rules. Define a custom table, place this table into your rule list (to stick at the right place) and feed that table with the resolved domain names. This can be altered while running in the case of changes (check resolving results periodically). -- LF