iptables prerouting with match-set

lhovo asked:

I’m trying to create an iptables entry to redirect a list of IPs to another port.

Using ipset I can set up and add lists of IPs and reject them with this command:

iptables -t nat -A INPUT -p tcp -m tcp -m set -j REJECT --reject-with icmp-port-unreachable  --match-set myipsetlist src

I have also found this command to route ports, which works:

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

My question is: is there any way to combine the two?

Preroute 80 to 8080 if ip in ipset?

If not with iptables, is there another way I could do this?

My answer:

Of course you can do that. Try adding the obvious:

-m set --match-set myipsetlist src

to your rule, which will then become:

-A PREROUTING -p tcp -m tcp --dport 80 -m set --match-set myipsetlist src -j REDIRECT --to-ports 8080
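The full sequence the answer implies (create the set, populate it, then load the combined rule), as an added example that is not part of the original post or answer. The set name myipsetlist comes from the question; the sample addresses and the DRY_RUN switch are constructed here so the script can be previewed without root.

```shell
#!/bin/sh
# Added example (not from the original post): populate an ipset and redirect
# port 80 to 8080 only for sources in that set. The sample addresses and the
# DRY_RUN switch are constructed for this example.

SET_NAME="myipsetlist"   # set name from the question; any hash:ip set works
FROM_PORT=80
TO_PORT=8080

# run: execute a command, or just print it when DRY_RUN=1 (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The set must exist before a rule references it, otherwise iptables refuses
# the rule. -exist makes both create and add idempotent across re-runs.
setup_ipset() {
    run ipset create "$SET_NAME" hash:ip -exist
    for ip in "$@"; do
        run ipset add "$SET_NAME" "$ip" -exist
    done
}

# Rule body shared by the check (-C) and append (-A) forms. 'src' tests the
# packet's source address against the set; -p tcp is required for --dport.
rule_spec() {
    printf '%s' "PREROUTING -p tcp -m tcp --dport $FROM_PORT -m set --match-set $SET_NAME src -j REDIRECT --to-ports $TO_PORT"
}

# Append the redirect only if an identical rule is not already present, so
# re-running the script does not stack duplicate rules in nat/PREROUTING.
apply_redirect() {
    # word splitting of rule_spec into separate arguments is intended
    if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -t nat -C $(rule_spec) 2>/dev/null; then
        run iptables -t nat -A $(rule_spec)
    fi
}

# Usage: sh redirect.sh apply 192.0.2.10 198.51.100.7   (DRY_RUN=1 to preview)
if [ "${1:-}" = "apply" ]; then
    shift
    setup_ipset "$@"
    apply_redirect
fi
```

REDIRECT is only valid in the nat table's PREROUTING and OUTPUT chains, and the set has to be loaded before the rule at boot or the rule fails to install. To confirm the rule is matching, watch the per-rule packet counters with `iptables -t nat -L PREROUTING -n -v` and the membership with `ipset list myipsetlist`; an address outside the set should keep hitting port 80 untouched.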

