INPUT or FORWARD
Alistair at nerdnet.ca
Tue Dec 21 07:36:48 CET 2004
On December 20, 2004 08:24 am, Rob Sterenborg wrote:
> netfilter-bounces at lists.netfilter.org wrote:
> >> A multi-homed firewall having at least two interfaces, is known, at
> >> least to itself by those IP/hostnames combos assigned to its
> >> interfaces. <i.e. ppp0 and eth0> So say rules coming from the ppp0
> >> interface into the firewall <INPUT rules> are directed to its other
> >> name/interface
> >> -i /dev/ppp0 -d /dev/eth0
> > well--those values make no sense whatsoever, but if you're
> > asking if the following is valid:
> > iptables -A INPUT -i ppp0 -d $IP_OF_ETH0 -j ACCEPT
> > then yes. the INPUT chain is traversed by packets destined
> > for a local process (IP addresses). the input interface is
> > just a tag attached to the packet.
> I'm not sure I understand this :
> I agree it's a valid rule (syntax), but I don't think it will ever match
> a packet.
> If -i and -d are specified, they both have to match to accept a packet,
> right ?
> Because <ip_eth0> is not assigned to ppp0, how can -i ppp0 -d <ip_eth0>
> ever match for the INPUT chain ?
In weird cases where one has dual routes to the host.
*cough* like when I first set up my dual routes and was sending stuff out
interfaces with the wrong IP .... one ISP dropped the martians, the other
didn't. It took me a couple of hours to get the wiring correct.
*cough* IP_NAT_LOCAL *cough*
Legitimately, one might have two pipes from the same provider, with
different delivery methods, thus different IPs. However, in THAT case, one
would drop the interface specification.
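As an added illustration (not code from anyone in this thread), the following Python model shows why `-i ppp0 -d $IP_OF_ETH0` is a valid INPUT match that only fires in the dual-route case above: the input interface is a tag on the packet, `-d` is checked against the host's own addresses, and a strict reverse-path check is what flags such a packet as a martian. Interface names, addresses and the routing table are constructed placeholders.

```python
"""Model of netfilter INPUT matching on a multi-homed host (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed host: eth0 and ppp0 each carry one address (RFC 5737 test ranges).
LOCAL_ADDRS = {"eth0": "192.0.2.10", "ppp0": "198.51.100.7"}
# Constructed routing table: (prefix, outgoing interface); last entry is the default route.
ROUTES = [("192.0.2.0/24", "eth0"), ("198.51.100.0/24", "ppp0"), ("0.0.0.0/0", "ppp0")]


@dataclass
class Packet:
    in_iface: str   # the "tag" netfilter attaches: which interface the packet arrived on
    src: str
    dst: str


@dataclass
class Rule:
    in_iface: Optional[str] = None  # -i
    dst: Optional[str] = None       # -d
    target: str = "ACCEPT"          # -j


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Every specified match must hold; nothing ties -d to the interface named in -i.
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    return True


def input_chain(rules: list, pkt: Packet, policy: str = "DROP") -> str:
    # Only packets addressed to one of the host's own IPs traverse INPUT.
    if pkt.dst not in LOCAL_ADDRS.values():
        return "FORWARD"
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.target
    return policy


def route_lookup(addr: str) -> Optional[str]:
    # Longest-prefix match over the constructed routing table.
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reverse_path_ok(pkt: Packet) -> bool:
    # Strict reverse-path check: the route back to src must use the arrival interface.
    return route_lookup(pkt.src) == pkt.in_iface
```

A packet for eth0's address that arrives on ppp0 from a remote host matches the rule; the same destination arriving from a source whose return route is eth0 fails the reverse-path check, which is the martian the ISP dropped.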