Hi, everyone. First, I'd like to thank Antony for putting my head back on straight.
The OUTPUT chain, as we should know (oopsie), is used to handle packets sourced from the Firewall system outbound to a network. What I wanted to do was change packets that were being routed by the firewall, not created by it, so I needed to be using the PREROUTING chain, on the nat table. I wanted to redirect an IP subnet to a single webserver with an acceptable use policy when a client on that subnet tried to access a "restricted" webserver, without stopping these clients from accessing acceptable servers. My method to do this is as follows: iptables -t nat -A PREROUTING -s restrictednet -d acceptedhost -p tcp --dport 80 -j RETURN ...repeat as needed... iptables -t nat -A PREROUTING -s restrictednet -p tcp --dport 80 -j DNAT --to-destination policyweb:80 I'm sure there are other ways to do this, however I've tested this method and it works rather well. Thanks for everyone's help. Cheers, Chris.
