iptables: punching holes for eth0:0

gb spam gbofspam at gmail.com
Wed May 11 23:34:44 UTC 2005


On 5/11/05, Ashley M. Kirchner <ashley at pcraft.com> wrote:
> 
>     I need to punch a hole through iptables for an upload application
> that's going to sit on an internal machine.  Most of what I've seen on
> the net are rules where only the destination IP is defined.  Not quite
> what I want to happen.  Here's what I want to do:
> 
>     The firewall machine has a public IP on eth0.  I'm going to add
> another on eth0:0 (in the future I'll continue adding to eth0:1, eth0:2,
> etc., etc.) and I would like requests coming in on that new address to
> route through the firewall to connect to the internal machine (which has
> a private IP.)
> 
>     Most rules I find look like this (this example is for pcAnywhere):
> 
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5631 -j DNAT --to-destination $PCANY
> iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5632 -j DNAT --to-destination $PCANY
> 
> iptables -t filter -A FORWARD -i eth0 -o eth1 -p tcp -m state --dport 5631 --syn --state NEW -j ACCEPT
> iptables -t filter -A FORWARD -i eth0 -o eth1 -p udp --dport 5632 -j ACCEPT
> iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
>     But that assumes the request comes in on the primary (eth0)
> address.  How can I tell it to listen on the eth0:0 address/interface?

If you're trying to DNAT anything sent to eth0:1 to another host, then
you can use the address of eth0:1 as a qualifier.  e.g.

iptables --append PREROUTING --table nat --destination <ip-of-eth0:1> -p tcp --dport 5631 -j DNAT --to-destination $PCANY
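The address-keyed approach from the reply, written out as a small script (an added example, not code from this thread): the alias is not a separate interface from netfilter's point of view, so the PREROUTING DNAT matches on the alias's IP with -d, and the FORWARD rule matches on the already-rewritten internal destination. WAN_IF, LAN_IF, 203.0.113.10 and 192.168.1.20 are constructed values; IPTABLES defaults to echo so the script only prints the rules.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Publishes a service on an alias address (eth0:0 style) by keying the DNAT
# rule on the alias IP instead of on the interface name.

WAN_IF="${WAN_IF:-eth0}"          # constructed: public-facing interface
LAN_IF="${LAN_IF:-eth1}"          # constructed: internal interface
# Set IPTABLES=iptables to apply for real; the default only prints the rules.
IPTABLES="${IPTABLES:-echo iptables}"

# hole_rules PUBLIC_IP INTERNAL_IP PROTO PORT
# Prints the two per-service rules that forward PUBLIC_IP:PORT to INTERNAL_IP:PORT.
hole_rules() {
    pub="$1"; dst="$2"; proto="$3"; port="$4"
    # 1. Rewrite the destination before routing, matched on the alias address.
    echo "-t nat -A PREROUTING -i $WAN_IF -d $pub -p $proto --dport $port -j DNAT --to-destination $dst"
    # 2. FORWARD sees the post-DNAT packet, so match the internal address here.
    #    Only NEW connections pass; for TCP that means SYN only.
    if [ "$proto" = tcp ]; then
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $dst -p tcp --dport $port --syn -m state --state NEW -j ACCEPT"
    else
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $dst -p $proto --dport $port -m state --state NEW -j ACCEPT"
    fi
}

# Reply traffic for every published service is covered by one stateful rule.
state_rule() {
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# apply_hole PUBLIC_IP INTERNAL_IP PROTO PORT: feed each rule to $IPTABLES.
apply_hole() {
    hole_rules "$@" | while read -r rule; do
        $IPTABLES $rule            # word splitting of $rule is intended
    done
}

# Constructed demo: pcAnywhere on 192.168.1.20 published on alias 203.0.113.10
apply_hole 203.0.113.10 192.168.1.20 tcp 5631
apply_hole 203.0.113.10 192.168.1.20 udp 5632
$IPTABLES $(state_rule)
```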
