local destination interface matching
Henrik Nordstrom
hno@marasystems.com
Thu, 25 Oct 2001 18:40:02 +0200
Nigel Kukard wrote:
> 1. Firstly, by listing iptables rules with iptables -vnL I see that the default
> interface is set to *. What would be the correct way to set this in a
> script (apart from leaving it out)? I've seen you can use "any" or "+", not
> sure which is most sane. Anyone?
From the iptables manual page:
match. If this option is omitted, the string "+"
is assumed, which will match with any interface
name.
but experimenting has shown that this is not actually the case, even if
functionally equivalent.
However, "any" or "*" is not a valid interface name to use for the
option. If you use "any" then iptables will literally match the
interface "any", and "*" is not even accepted as an interface name.
"" appears to be read identically to not specifying any interface
(*/any).
> 2. Is there a way I can match a packet that is going to hit a local port other
> than using an IP? I see in the LOGs its interface is just blank; is there
> a way to match this?
The INPUT chain.
> 3. Would anyone recommend against using the tcp-window-tracking code? I've read
> the mailing list a few months back and didn't really find any yes/no answers.
Not very widely tested I think, and MAY break some things. But test it
anyway in a lab environment, and if you find it suitable use it.
Regards
Henrik Nordström
MARA Systems AB, Sweden
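The interface-matching behaviour Henrik describes (a name ending in "+" is a prefix wildcard, "" or an omitted -i/-o matches every interface, "any" is only a literal name, "*" is not accepted) is easy to get wrong in a firewall script, so here is a small model of those semantics as an added example. It is not iptables or netfilter code and is not part of the original thread; the IFNAMSIZ limit and the set of rejected characters are assumptions made for the model, so check your own iptables version if you depend on exact validation behaviour. The rule list at the bottom is constructed sample data.

```python
# Model of iptables -i/-o interface matching as described in the reply above.
# Added example, not iptables' own code: it reproduces the documented semantics
# so a script author can see which spec matches which interface name.

IFNAMSIZ = 16  # Linux interface-name buffer size incl. the terminating NUL (assumption)

# Characters the model refuses in an interface spec. "*" is rejected because the
# reply reports iptables does not accept it; "/" and whitespace are assumptions.
_REJECTED = "*/ \t"


def parse_interface(spec):
    """Validate a rule's interface spec and return (prefix, is_wildcard).

    None models an omitted -i/-o option. Both None and "" behave like "+",
    i.e. they match every interface. "any" carries no special meaning and
    is returned as a literal name.
    """
    if spec is None:
        spec = ""
    if len(spec) >= IFNAMSIZ:
        raise ValueError(f"interface name too long: {spec!r}")
    for bad in _REJECTED:
        if bad in spec:
            raise ValueError(f"invalid character {bad!r} in interface name {spec!r}")
    if spec in ("", "+"):
        return "", True
    if spec.endswith("+"):
        return spec[:-1], True  # "eth+" matches eth0, eth1, ...
    return spec, False          # exact match only


def iface_matches(spec, ifname):
    """True if a packet arriving on ifname would hit a rule with this -i spec."""
    prefix, wildcard = parse_interface(spec)
    if wildcard:
        return ifname.startswith(prefix)
    return ifname == prefix


def first_match(rules, ifname):
    """Return the target of the first rule whose -i spec matches ifname, else None.

    rules is a list of (iface_spec, target) tuples in chain order, so this models
    first-match evaluation of a single chain on the interface criterion alone.
    """
    for spec, target in rules:
        if iface_matches(spec, ifname):
            return target
    return None


if __name__ == "__main__":
    # Constructed sample chain: the "any" rule never fires for a real
    # interface, while "+" (or an omitted -i) catches everything.
    chain = [
        ("any", "ACCEPT"),   # literal interface named "any": a common mistake
        ("eth+", "LOG"),     # prefix wildcard
        ("+", "DROP"),       # matches every interface; same as omitting -i
    ]
    for name in ("eth0", "ppp0", "any"):
        print(f"{name:5s} -> {first_match(chain, name)}")
    try:
        iface_matches("*", "eth0")
    except ValueError as e:
        print("rejected:", e)
```

Running it shows eth0 hitting the LOG rule, ppp0 falling through to DROP, and only an interface literally called "any" reaching ACCEPT, which is the trap the reply warns about.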