iptables: punching holes for eth0:0
Ashley M. Kirchner
ashley at pcraft.com
Wed May 11 19:34:49 UTC 2005
I need to punch a hole through iptables for an upload application
that's going to sit on an internal machine. Most of what I've seen on
the net are rules where only the destination IP is defined. Not quite
what I want to happen. Here's what I want to do:
The firewall machine has a public IP on eth0. I'm going to add
another on eth0:0 (in the future I'll continue adding to eth0:1, eth0:2,
etc., etc.) and I would like requests coming in on that new address to
route through the firewall to connect to the internal machine (which has
a private IP.)
Most rules I find look like this (this example is for pcAnywhere):
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5631 -j DNAT --to-destination $PCANY
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5632 -j DNAT --to-destination $PCANY
iptables -t filter -A FORWARD -i eth0 -o eth1 -p tcp --dport 5631 --syn -m state --state NEW -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth1 -p udp --dport 5632 -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
But that assumes the request comes in on the primary (eth0)
address. How can I tell it to listen on the eth0:0 address/interface?
--
W | I haven't lost my mind; it's backed up on tape somewhere.
+--------------------------------------------------------------------
Ashley M. Kirchner <mailto:ashley at pcraft.com> . 303.442.6410 x130
IT Director / SysAdmin / Websmith . 800.441.3873 x130
Photo Craft Laboratories, Inc. . 3550 Arapahoe Ave. #6
http://www.pcraft.com ..... . . . Boulder, CO 80303, U.S.A.
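As an added example (not from the original post or any reply to it): netfilter does not treat an eth0:0 alias as a separate interface, so packets for the secondary address still arrive on eth0 and `-i eth0:0` cannot select them; the rules below select the alias address with `-d` instead, and match the FORWARD rule on the post-DNAT internal address. The values are assumptions: 203.0.113.10 is the eth0:0 address, 192.168.1.20 the internal upload server, 8080 its port, and IPT defaults to `echo` so the script only prints the rules until IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not from the original post. Forward one service that is
# addressed to a secondary public address (an eth0:0 alias) to an internal host.
# Assumed values: 203.0.113.10 = eth0:0 address, 192.168.1.20 = upload server,
# 8080 = service port. IPT defaults to "echo" (dry run); set IPT=iptables to apply.
IPT="${IPT:-echo}"

# Emit the nat and filter rules for one forwarded service.
# $1 = public alias address, $2 = protocol, $3 = port, $4 = internal host
forward_service() {
    pub="$1"; proto="$2"; port="$3"; dst="$4"
    # The alias is not an interface: keep -i eth0 and pick the address with -d,
    # so only packets sent to this alias are rewritten, not those sent to the
    # primary address or to any other alias added later (eth0:1, eth0:2, ...).
    $IPT -t nat -A PREROUTING -i eth0 -d "$pub" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$dst"
    # FORWARD runs after DNAT, so the destination seen here is the internal host.
    # Limit the hole to new connections for exactly this host and port.
    $IPT -t filter -A FORWARD -i eth0 -o eth1 -d "$dst" -p "$proto" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# Return traffic for the forwarded connection follows the conntrack entry.
allow_established() {
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

forward_service 203.0.113.10 tcp 8080 192.168.1.20
allow_established
```

The same function can be called once per alias address and service as more aliases are added, each hole staying bound to its own public address and internal host.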