iptables port forward prerouting - how to exclude local LAN?

iptables

Solution 1:

If you intend to exclude 192.168.1.8 from the DNAT rule, you shall use 192.168.0.0/23 or 192.168.1.0/24 as the ! -s parameter. The network range 192.168.0.0/24 finishes at 192.168.0.255.

$ ipcalc 192.168.0.0/24
Address:   192.168.0.0          11000000.10101000.00000000. 00000000
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000. 11111111
=>
Network:   192.168.0.0/24       11000000.10101000.00000000. 00000000
HostMin:   192.168.0.1          11000000.10101000.00000000. 00000001
HostMax:   192.168.0.254        11000000.10101000.00000000. 11111110
Broadcast: 192.168.0.255        11000000.10101000.00000000. 11111111
Hosts/Net: 254

You may restrict the DNAT rule by interfaces instead of using addresses. For example:

iptables -t nat -A PREROUTING '!' -i eth0 -p tcp --dport 8088 \
    -j DNAT --to-destination 192.168.1.6:8088

Or:

iptables -t nat -A PREROUTING -i ${your_wan_interface} -p tcp --dport 8088 \
    -j DNAT --to-destination 192.168.1.6:8088

Using the RETURN target is also a possible choice:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8088 -j RETURN

Related

'gcc' failed with exit status 1 - MySQL-python-1.2.3
SSL certificate for CNAME redirected domain
How to maximize the drop odds of the Essences in Diablo II?
What do status effects do against Behemoths?
What happened to Kratos’ wings after God of War III?
How does the Warhorse compares with other horses in Red Dead Redemption?
Changing my geometry dash username once it has already been changed once
Why can't Mephisto drop super rare unique items?
Quick way of selling at the trading post?
Ps3 controller issue
Ran into an issue involving lava [closed]
How to get an Iron Golem Spawner in 1.13