INPUT or FORWARD;;
Alistair Tonner
Alistair at nerdnet.ca
Tue Dec 21 07:36:48 CET 2004
On December 20, 2004 08:24 am, Rob Sterenborg wrote:
> netfilter-bounces at lists.netfilter.org wrote:
> >> A multi-homed firewall having at least two interfaces, is known, at
> >> least to itself by those IP/hostnames combos assigned to its
> >> interfaces. <i.e. ppp0 and eth0> So say rules coming from the ppp0
> >> interface into the firewall <INPUT rules> are directed to its other
> >> name/interface
> >>
> >> -i /dev/ppp0 -d /dev/eth0
> >
> > well--those values make no sense whatsoever, but if you're
> > asking if the following is valid:
> >
> > iptables -A INPUT -i ppp0 -d $IP_OF_ETH0 -j ACCEPT
> >
> > then yes. the INPUT chain is traversed by packets destined
> > for a local process (IP addresses). the input interface is
> > just a tag attached to the packet.
>
> I'm not sure I understand this :
> I agree it's a valid rule (syntax), but I don't think it will ever match
> a packet.
>
> If -i and -d are specified, they both have to match to accept a packet,
> right ?
> Because <ip_eth0> is not assigned to ppp0, how can -i ppp0 -d <ip_eth0>
> ever match for the INPUT chain ?
>
In weird cases where one has dual routes to the host.
*cough* like when I first set up my dual routes and was sending stuff out
interfaces with the wrong IP .... one ISP dropped the martians, the other
didn't. It took me a couple of hours to get the wiring correct.
*cough* IP_NAT_LOCAL *cough*
Legitimately, one might have two pipes from the same provider, with
different delivery methods, thus different IPs. However in THAT case, one
would drop the interface specification.
Alistair Tonner
>
> Gr,
> Rob
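The case Alistair describes, modelled as an added example that is not code from the thread, from netfilter or from iptables: a toy of the routing decision that sends a packet to INPUT or FORWARD, a parser for the subset of iptables syntax in the rule Rob quotes, and the -i/-d matching. The interface names eth0 and ppp0 come from the thread; the addresses, the value of $IP_OF_ETH0 and the sample packets are constructed here. In the model the arrival interface plays no part in the INPUT-or-FORWARD choice, which is exactly why a packet arriving on ppp0 but addressed to eth0's IP (a second route into the same box) does reach INPUT and matches the rule. On a real host, strict reverse-path filtering (rp_filter=1) would discard such a packet at the routing decision if its source address is not reachable back through the interface it arrived on; the model assumes that is off.

```python
"""Toy model of how netfilter picks INPUT vs FORWARD and matches -i/-d.

Added illustration for the thread above; this is not netfilter or iptables
code. Interfaces, addresses and packets are constructed for the example:
    eth0 -> 192.0.2.10    (inside)
    ppp0 -> 198.51.100.7  (ISP link)
"""
from dataclasses import dataclass
from typing import Optional

# Addresses the firewall itself owns, keyed by interface (constructed).
LOCAL_ADDRS = {"eth0": "192.0.2.10", "ppp0": "198.51.100.7"}

# Stand-in for the shell variable used in the rule quoted in the thread.
SHELL_VARS = {"IP_OF_ETH0": LOCAL_ADDRS["eth0"]}


@dataclass
class Packet:
    in_iface: str   # interface the packet arrived on: just a tag
    src: str
    dst: str


@dataclass
class Rule:
    chain: str
    target: str
    in_iface: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """All specified matches must hold; omitted ones are wildcards."""
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        return True


def parse_rule(cmdline: str, shell_vars: dict = SHELL_VARS) -> Rule:
    """Parse the small subset of iptables syntax used in the thread:
    iptables -A CHAIN [-i IFACE] [-d ADDR] -j TARGET, with $VAR expansion."""
    toks = cmdline.split()
    if toks[0] == "iptables":
        toks = toks[1:]
    if len(toks) % 2:
        raise ValueError("every option needs a value: %r" % cmdline)
    opts = {}
    for flag, val in zip(toks[::2], toks[1::2]):
        if val.startswith("$"):
            val = shell_vars[val[1:]]
        opts[flag] = val
    return Rule(chain=opts["-A"], target=opts["-j"],
                in_iface=opts.get("-i"), dst=opts.get("-d"))


def routing_decision(pkt: Packet, local_addrs: dict = LOCAL_ADDRS) -> str:
    """After PREROUTING the kernel asks only: is dst one of my addresses?
    Yes -> INPUT, no -> FORWARD. The arrival interface does not matter."""
    return "INPUT" if pkt.dst in local_addrs.values() else "FORWARD"


def run_chain(chain: str, rules: list, pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule in the chain wins; otherwise the chain policy."""
    for r in rules:
        if r.chain == chain and r.matches(pkt):
            return r.target
    return policy


def verdict(pkt: Packet, rules: list) -> tuple:
    """(chain traversed, final verdict) for one packet."""
    chain = routing_decision(pkt)
    return chain, run_chain(chain, rules, pkt)


# The rule under discussion, exactly as quoted in the thread.
RULES = [parse_rule("iptables -A INPUT -i ppp0 -d $IP_OF_ETH0 -j ACCEPT")]

if __name__ == "__main__":
    # Constructed packets; 203.0.113.5 stands for some remote host.
    cases = {
        "on ppp0, for ppp0's own address": Packet("ppp0", "203.0.113.5", "198.51.100.7"),
        "on ppp0, but addressed to eth0's IP (dual route)": Packet("ppp0", "203.0.113.5", "192.0.2.10"),
        "on ppp0, for a LAN host behind eth0": Packet("ppp0", "203.0.113.5", "192.0.2.50"),
        "on eth0, for eth0's address": Packet("eth0", "192.0.2.20", "192.0.2.10"),
    }
    for name, pkt in cases.items():
        print("%-50s -> %s %s" % (name, *verdict(pkt, RULES)))
```

Run it as a script to see the four cases: only the second one, the packet that came in on ppp0 yet carries eth0's address, is ACCEPTed by the quoted rule; the same packet arriving on eth0 is left to the DROP policy because -i ppp0 fails. Dropping the -i, as Alistair suggests for the two-pipes-from-one-provider setup, makes the rule accept that address from either interface.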