
How do I use the [!] option for a destination IP?

I'm trying to redirect outbound WAN DNS traffic to my sinkhole, but I can't get the --destination [!] option to work.

For example:

iptables -A OUTPUT -d ! 134.134.134.134 -j ACCEPT

returns:

Bad argument `134.134.134.134'

I haven't the slightest clue what is wrong with my syntax.

user173360

2 Answers


You have the ! in the wrong place. It belongs before -d.

From the iptables man page:

       [!] -d, --destination address[/mask][,...]

So for example:

iptables -A OUTPUT ! -d 134.134.134.134 -j ACCEPT
Michael Hampton
  • That's right, it maybe should be added that this sort of notation worked with earlier versions. At least they took the command without error. – John Dec 06 '17 at 02:15
  • @John AFAIK the version of iptables that accepted the other syntax is so old that it's not included in any current Linux distribution for many years now. – Michael Hampton Dec 06 '17 at 03:54
  • @MichaelHampton This would explain a bit, I'm using a book from 2008 so it appears that was my issue, thanks! This drove me nuts. I did however learn about linux events so it's not all bad. – John Von Neumann Aug 22 '18 at 04:56

Try to put it before the --option:

[root@pineapple ~]#  iptables -A OUTPUT -d! 134.134.134.134 -j ACCEPT
Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).

[root@pineapple ~]# iptables -A OUTPUT ! -d 134.134.134.134 -j ACCEPT
[root@pineapple ~]# iptables -nvL | grep 134
78 92618 ACCEPT     all  --  *      *       0.0.0.0/0           !134.134.134.134 
chocripple
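As an added example (not code from either answer above), here is a small POSIX sh helper that rewrites the deprecated intrapositioned negation from the question (`-d ! ADDR`) and the fused form from the second answer (`-d! ADDR`) into the extrapositioned form `! -d ADDR` that the accepted answer and the iptables man page describe. It only rewrites the argument list so old scripts or book examples can be checked before they reach iptables; the function names `normalize_negation` and `has_intrapositioned_negation` are my own.

```shell
#!/bin/sh
# Rewrite deprecated intrapositioned negation ("-d ! ADDR" or the fused
# "-d! ADDR") into the extrapositioned form ("! -d ADDR") that current
# iptables requires. Only the argument list is touched; nothing is
# passed to iptables here. Prints the normalized rule on one line.
normalize_negation() {
    out=""
    prev=""
    for tok in "$@"; do
        case "$tok" in
            -*'!')
                # fused form such as "-d!": emit it as "! -d"
                out="$out ! ${tok%!}"
                prev=""
                continue
                ;;
            '!')
                case "$prev" in
                    -*)
                        # "-d !" seen: take the option back out of the
                        # output and re-emit it as "! -d"
                        out="${out%"$prev"}! $prev"
                        prev=""
                        continue
                        ;;
                esac
                ;;
        esac
        out="$out $tok"
        prev="$tok"
    done
    printf '%s\n' "${out# }"
}

# Exit status 0 when the rule still uses the deprecated negation
# (i.e. normalizing it would change the argument list).
has_intrapositioned_negation() {
    [ "$(normalize_negation "$@")" != "$*" ]
}
```

Run it as `normalize_negation -A OUTPUT -d ! 134.134.134.134 -j ACCEPT` to get back `-A OUTPUT ! -d 134.134.134.134 -j ACCEPT`; a rule that is already in the extrapositioned form is printed unchanged.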