[lug] help with iptables
Zan Lynx
zlynx at acm.org
Tue Feb 22 17:47:20 MST 2011
On 2/22/11 5:18 PM, Carl Wagner wrote:
> Thanks Zan.
>
> This works:
> iptables -t nat -A POSTROUTING -s {local IP of this box} -o eth0 -j ACCEPT
>
> Is there something more generic that I can use for -s, like "IP address of eth0" ?
> (otherwise I will need a slightly different firewall script on my two load balancers.)
Well, what is usually done is to use a source address restriction on
the SNAT rule. I don't know if that would work for you.
The trick is that the source address the router chooses for its own
packets that are heading outward is not usually the same address it uses
for the internal interface. The POSTROUTING rule will see the address
for the external interface.
So you can usually make a rule that is vaguely like -o EXTERNAL -s
INTERNAL_NET/24 -j SNAT --to-source EXTERNAL_IP
--
Zan Lynx
zlynx at acm.org
"Knowledge is Power. Power Corrupts. Study Hard. Be Evil."
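The approach in the reply, written out as a firewall script that works unchanged on both load balancers. This is an added example, not code from the thread or from either poster: it reads the external address from the interface at run time instead of hard-coding it, and restricts the SNAT rule to the internal network so the box's own outbound packets (which carry the external address) never match it. The interface name eth0, the internal network 10.0.0.0/24, the sample address 203.0.113.10 used for the dry run, and the helper names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds the nat/POSTROUTING
# rules for a router or load balancer without hard-coding the box's own
# address: the external address is read from the interface at run time and
# the SNAT rule is restricted to the internal network, as the reply suggests.
# Assumptions (hypothetical, for illustration): external interface eth0,
# internal network 10.0.0.0/24, sample address 203.0.113.10 for the dry run.
# Nothing is applied unless APPLY=1, so the script can be read and tested
# without root or iptables.

EXT_IF="${EXT_IF:-eth0}"
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/24}"

# Read `ip -4 addr show dev <if>` output on stdin and print the first (primary)
# IPv4 address without its prefix length. Secondary addresses are ignored, so
# the rule uses the address the kernel picks for locally generated packets
# by default.
parse_primary_ipv4() {
    awk '$1 == "inet" { split($2, a, "/"); print a[1]; exit }'
}

# Query the live interface (needs iproute2). Used only when APPLY=1.
primary_ipv4_of() {
    ip -4 addr show dev "$1" | parse_primary_ipv4
}

# Print the two POSTROUTING rules, one per line:
#  1. traffic the box sends itself (source = its external address) is left alone;
#  2. traffic from the internal network is SNATed to the external address.
# Rule 1 is the one from the question; rule 2 is the source-restricted SNAT
# from the reply, which on its own never matches the box's own packets.
build_postrouting_rules() {
    ext_if="$1"; ext_ip="$2"; int_net="$3"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j ACCEPT\n' \
        "$ext_ip" "$ext_if"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$int_net" "$ext_if" "$ext_ip"
}

main() {
    if [ "${APPLY:-0}" = "1" ]; then
        ext_ip="$(primary_ipv4_of "$EXT_IF")"
        if [ -z "$ext_ip" ]; then
            echo "no IPv4 address configured on $EXT_IF" >&2
            exit 1
        fi
        build_postrouting_rules "$EXT_IF" "$ext_ip" "$INTERNAL_NET" | sh -e
    else
        # Dry run with a constructed sample address: print, do not apply.
        build_postrouting_rules "$EXT_IF" "203.0.113.10" "$INTERNAL_NET"
    fi
}

main "$@"
```

Without APPLY=1 the script only prints the rules it would install; with APPLY=1 it reads the address of eth0 and applies them, so the same file serves both load balancers. Because the SNAT rule carries a source restriction, the per-box ACCEPT rule is not what keeps the box's own traffic untouched, it just makes that intent explicit. Note that -A appends, so re-running with APPLY=1 adds duplicate rules; flush the chain first or test for the rule with iptables -t nat -C before adding it.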