[ILUG-BOM] Iptables Query

Mehul Ved mehul.n.ved at gmail.com
Thu Aug 6 20:46:53 IST 2009


On Thu, Aug 6, 2009 at 3:31 PM, Rony<gnulinuxist at gmail.com> wrote:
> I will have 2 interfaces, one to the internet and one to the LAN. So how
> will iptables forward the request? Do I need to specify the interface
> too? The interface (Call it LAN) pointing to the LAN will be 192.168.1.1
> as all pcs are currently connected to MTNL ADSL directly. The interface
> that will now connect to MTNL (Call it NET) will be made 192.168.0.2 and
> MTNL's LAN IP will be changed to 192.168.0.1. Since all pcs are using
> static IP, changing everyone's settings is a longer procedure.

There are 2 ways.
1) Use source and destination in the rule
Here's the snippet from the iptables man page
-----xxxxx-----
 -s, --source [!] address[/mask]
              Source  specification.   Address  can be either a
network name, a hostname (please note that specifying any name to be
resolved with a remote query such as DNS is a really bad  idea),  a
network  IP  address  (with/mask),  or  a  plain  IP address.  The
mask can be either a network mask or a plain number, specifying the
number of 1’s at the left side of the network mask.  Thus, a mask of
24 is equivalent to 255.255.255.0.   A "!"  argument before the
address specification inverts the sense of the address. The flag --src
is an alias for this option.
-d, --destination [!] address[/mask]
              Destination specification.  See the description of the
-s (source) flag for a detailed description  of  the syntax.  The flag
--dst is an alias for this option.
-----xxxxx-----

2) Use the input and output interface names
Again, snippets from the man page.
----xxxxx----
 -i, --in-interface [!] name
              Name of an interface via which a packet was received
(only for packets entering the INPUT, FORWARD and PREROUTING
chains).   When the "!" argument is used before the interface name,
the sense is inverted.  If the interface name ends in a "+", then any
interface which begins with this name will match.  If this option is
omitted, any interface name will match.
-o, --out-interface [!] name
              Name  of  an interface via which a packet is going to be
sent (for packets entering the FORWARD, OUTPUT and POSTROUTING
chains).  When the "!" argument is used before the interface name, the
sense is  inverted.   If the  interface  name  ends  in  a  "+", then
any interface which begins with this name will match.  If this option
is omitted, any interface name will match.
-----xxxxx-----

I was pointed to http://iptables-tutorial.frozentux.net/ when I had
gone to IRC to ask for some help on iptables. It might help you too.

-- 

History is curious stuff You'd think by now we had enough Yet the fact
remains I fear They ma...  -
http://kingsly.net/tmp/fortune.php/1249525885
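
The following is an added example, not part of the mail above, showing how the two options Mehul quotes (-s/-d and -i/-o) come together for the two-interface setup Rony describes: LAN side 192.168.1.1/24, MTNL-facing side 192.168.0.2. The interface names eth1 (LAN) and eth0 (NET) are assumptions; so is the use of MASQUERADE rather than a fixed SNAT. By default the script only prints the iptables commands (IPT="echo iptables"); run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the original mail): a minimal two-interface NAT
# gateway. Interface names are assumptions; set LAN_IF/NET_IF to match.
LAN_IF="${LAN_IF:-eth1}"        # assumed: LAN side, carries 192.168.1.1/24
NET_IF="${NET_IF:-eth0}"        # assumed: side facing the MTNL modem, 192.168.0.2
LAN_NET="192.168.1.0/24"        # the LAN subnet from the question
# IPT defaults to a dry run that prints the rules; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

# Print (or apply) the forwarding and NAT rules.
gateway_rules() {
    # Default-deny for forwarded traffic, then start from a clean FORWARD chain.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    # Replies to connections the LAN opened may come back in.
    $IPT -A FORWARD -i "$NET_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections only from the LAN interface AND only from the LAN subnet:
    # matching both -i and -s means a packet with a spoofed 192.168.1.x source
    # arriving on the internet-facing interface is not forwarded.
    $IPT -A FORWARD -i "$LAN_IF" -o "$NET_IF" -s "$LAN_NET" -j ACCEPT
    # Hide LAN addresses behind the NET interface's address on the way out.
    $IPT -t nat -A POSTROUTING -o "$NET_IF" -s "$LAN_NET" -j MASQUERADE
}

# The kernel must also be told to route between interfaces; without this
# no FORWARD rule ever sees a packet.
enable_forwarding() {
    case "$IPT" in
        echo*) echo "sysctl -w net.ipv4.ip_forward=1" ;;
        *)     sysctl -w net.ipv4.ip_forward=1 ;;
    esac
}

enable_forwarding
gateway_rules
```

With the rules applied, each PC keeps its static 192.168.1.x address and only needs its default gateway pointed at 192.168.1.1; the gateway itself routes to 192.168.0.1 on the NET side.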


More information about the Linuxers mailing list