[CentOS] Squid vs. iptables redirection: exception for certain domains ?

Sun Mar 11 15:47:38 UTC 2018
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Sun, March 11, 2018 7:09 am, Leon Fauster wrote:
> On 11.03.2018 at 11:53, Nicolas Kovacs <info at microlinux.fr> wrote:
>>
>> I've experimented some more, and I have a partial success. Here, I'm
>> redirecting all HTTPS traffic *except* the one that goes to my bank:
>>
>> iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d
>> www.credit-cooperatif.coop --dport 443 -j REDIRECT --to-port 3129
>>
>> This works because my bank is hosted on a single IP. As soon as I
>> replace that with a domain that's hosted on multiple IPs, I get this:
>>
>> iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d www.google.com
>> --dport 443 -j REDIRECT --to-port 3129
>
>
> May I ask, after all it doesn't work with google.com, right?
>

I would also like to add: it is a bad practice IMHO to give preference to
some particular search engine, unless it is a single-user personal machine.
Many people prefer different search engines (duckduckgo.com, just to
mention one), and some specifically avoid Google.

Valeri

>
>
>> # firewall.sh
>> iptables v1.4.21: ! not allowed with multiple source or destination IP
>> addresses
>>
>> So my question is: how can I write an iptables rule (or series of rules)
>> that redirect all traffic to my proxy, *except* the one going to
>> <list_of_domains> ?
>
>
> It is not a good practice to place domain names into iptables rules.
> Define a custom table, place this table into your rule list (to stick at
> the right place) and feed that table with the resolved domain names. This
> can be altered while running in the case of changes (check resolving
> results periodically).
>
>
> --
> LF
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
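Leon's suggestion above (a separate set of resolved addresses that the iptables rule references, refreshed outside the rule itself) as an added example script; it is not code from the thread. It assumes ipset is installed, a LAN interface of eth1, Squid intercepting on port 3129, and the two domains named in the thread, and it goes one step beyond the description by filling a temporary set and swapping it in, so the live set is never empty while a refresh runs.

```shell
#!/bin/sh
# Added example: keep an ipset of resolved addresses for the domains that
# bypass the Squid redirect, and refresh it atomically from cron.
set -eu

SET_NAME="proxy_bypass"
IFACE_LAN="${IFACE_LAN:-eth1}"          # assumed LAN interface name
BYPASS_DOMAINS="www.credit-cooperatif.coop www.google.com"

# Resolve one host name to its IPv4 addresses, one per line.
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Emit an "ipset restore" script: fill a temporary set, then swap it with the
# live set, so the live set is never empty or half-filled during a refresh.
# $1 = live set name, remaining arguments = addresses to load.
build_restore() {
    set_name="$1"; shift
    printf 'create %s_tmp hash:ip\n' "$set_name"
    printf 'flush %s_tmp\n' "$set_name"
    for ip in "$@"; do
        printf 'add %s_tmp %s\n' "$set_name" "$ip"
    done
    printf 'swap %s_tmp %s\n' "$set_name" "$set_name"
    printf 'destroy %s_tmp\n' "$set_name"
}

# Single redirect rule: LAN traffic to port 443 goes to Squid unless the
# destination is in the bypass set (the set must exist before the rule).
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 443 -m set ! --match-set %s dst -j REDIRECT --to-port 3129\n' \
        "$IFACE_LAN" "$SET_NAME"
}

# Resolve every bypass domain and load the result into the live set.
refresh() {
    addrs=""
    for d in $BYPASS_DOMAINS; do
        addrs="$addrs $(resolve_v4 "$d")"
    done
    build_restore "$SET_NAME" $addrs | ipset -exist restore
}

case "${1:-}" in
    setup)   ipset -exist create "$SET_NAME" hash:ip; eval "$(redirect_rule)"; refresh ;;
    refresh) refresh ;;
esac
```

Run it once with `setup` and then with `refresh` from cron; hash:ip as used here covers IPv4 only.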