On 5/11/05, Ashley M. Kirchner <ashley@xxxxxxxxxx> wrote:
>
> I need to punch a hole through iptables for an upload application
> that's going to sit on an internal machine. Most of what I've seen on
> the net are rules where only the destination IP is defined. Not quite
> what I want to happen. Here's what I want to do:
>
> The firewall machine has a public IP on eth0. I'm going to add
> another on eth0:0 (in the future I'll continue adding to eth0:1, eth0:2,
> etc., etc.) and I would like requests coming in on that new address to
> route through the firewall to connect to the internal machine (which has
> a private IP.)
>
> Most rules I find look like this (this example is for pcAnywhere):
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5631 -j DNAT --to-destination $PCANY
> iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5632 -j DNAT --to-destination $PCANY
>
> iptables -t filter -A FORWARD -i eth0 -o eth1 -p tcp -m state --dport 5631 --syn --state NEW -j ACCEPT
> iptables -t filter -A FORWARD -i eth0 -o eth1 -p udp --dport 5632 -j ACCEPT
> iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> But that assumes the request comes in on the primary (eth0)
> address. How can I tell it to listen on the eth0:0 address/interface?

If you're trying to DNAT anything sent to eth0:1 to another host, then
you can use the address of eth0:1 as a qualifier, e.g.

iptables --append PREROUTING --table nat --destination <ip-of-eth0:1> -p tcp --dport 5631 -j DNAT --to-destination $PCANY
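The approach from the reply, carried through the full pcAnywhere rule set as an added example (not code from either poster): a small POSIX sh generator that emits the DNAT rule qualified by the secondary address and the matching FORWARD rules. It assumes eth0 is the public interface and eth1 the LAN side, and uses the constructed addresses 203.0.113.10 (the alias on eth0:0) and 192.168.1.20 (the internal host) purely for illustration. It prints the rules rather than applying them so they can be reviewed before being piped to sh on the firewall.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: eth0 is public, eth1 is
# the LAN; the IP addresses below are constructed placeholders.
# An alias such as eth0:0 is not a separate interface to netfilter, so the
# rules keep "-i eth0" and distinguish the alias by its address only.

# Usage: forward_rules <public-ip> <internal-ip> <tcp|udp> <port>
forward_rules() {
    public_ip=$1; internal_ip=$2; proto=$3; port=$4
    # nat/PREROUTING: qualify on the alias address so the same port on the
    # primary address (or a future eth0:1) is not forwarded by accident.
    echo "iptables -t nat -A PREROUTING -i eth0 -d $public_ip -p $proto --dport $port -j DNAT --to-destination $internal_ip"
    # filter/FORWARD runs after DNAT, so the packet's destination is already
    # the internal host; match on that, not on the public address.
    if [ "$proto" = tcp ]; then
        echo "iptables -t filter -A FORWARD -i eth0 -o eth1 -d $internal_ip -p tcp --dport $port -m state --state NEW --syn -j ACCEPT"
    else
        echo "iptables -t filter -A FORWARD -i eth0 -o eth1 -d $internal_ip -p udp --dport $port -j ACCEPT"
    fi
}

# Return traffic for the forwarded connections is allowed once, by state.
established_rule() {
    echo "iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# pcAnywhere: TCP 5631 and UDP 5632 via the eth0:0 address to the internal host.
forward_rules 203.0.113.10 192.168.1.20 tcp 5631
forward_rules 203.0.113.10 192.168.1.20 udp 5632
established_rule
```

Each additional alias (eth0:1, eth0:2, ...) only needs its own forward_rules calls with that alias's address, so the established_rule line is emitted once at the end.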