Re: [Fwbuilder-discussion] How to use interface instead of IP address?
From: Vadim K. <va...@vk...> - 2008-02-09 20:32:26
On Feb 9, 2008, at 12:10 PM, Bob Bell wrote:

> I'm having trouble getting fwbuilder to generate one of the rules the
> way I would like. I have a rule configured in the "NAT" table to
> forward SSH connections that arrive on a specific interface (VPN
> tunnel). That interface is configured as having a dynamic IP address.
> The rule that gets generated is:
>
> test -n "$i_tun0" && $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d $i_tun0 --dport 22 -j DNAT --to-destination 192.168.1.40
>
> The difficulty I'm having with that rule is that the IP address can
> change over time. Therefore, the value of i_tun0 may become
> out-of-date.
>
> What I'd like to see is a rule that simply made the decision based on
> the packet arriving on the interface. That way, the IP address can
> change without impacting the rule. Such a rule would be:
>
> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -i tun0 --dport 22 -j DNAT --to-destination 192.168.1.40
>
> Is there something I can tweak in fwbuilder to get it to generate such
> a rule?

I am afraid there is no way to generate a rule like this with fwbuilder.
You could make your vpn software re-run the iptables script whenever it
reestablishes the tunnel, just like the dhcp client daemon can do it when
it gets a new dhcp lease.

--vk
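As an added example (not fwbuilder's generated script and not from either poster), the POSIX shell below models the point of the exchange: the generated script resolves the tunnel's address once at run time and bakes it into the -d rule, so the rule goes stale when the tunnel is re-established with a new address and the script has to be re-run, whereas the -i tun0 form is unaffected. The `ip -4 -o addr show` lines and the 10.8.0.x addresses are constructed, /sbin/iptables is an assumed path, and the functions only print the commands rather than applying them.

```shell
#!/bin/sh
# Added example, not fwbuilder output: models how a generated script resolves a
# dynamic interface address at run time, why a rule built from it goes stale when
# the tunnel comes back with a new address, and the interface-match alternative.
# The functions only print the iptables commands; nothing is applied.

IPTABLES=/sbin/iptables   # assumed path, standing in for the script's $IPTABLES

# Constructed samples of `ip -4 -o addr show dev tun0` at two points in time:
# the tunnel came up first with 10.8.0.6, then was re-established with 10.8.0.9.
ADDR_OUTPUT_T0='3: tun0    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0'
ADDR_OUTPUT_T1='3: tun0    inet 10.8.0.9 peer 10.8.0.10/32 scope global tun0'

# getaddr: pull the IPv4 address out of one `ip -4 -o addr show` line.
# Prints nothing when there is no address, which is what the test -n guard checks.
getaddr() {
    printf '%s\n' "$1" | sed -n 's/.* inet \([0-9.]*\).*/\1/p'
}

# dnat_by_address: the form fwbuilder generates for a dynamic-address interface.
# The address is resolved once, when the script runs, and baked into the rule.
# Returns 1 and prints no rule when the interface has no address yet.
dnat_by_address() {
    i_tun0=$(getaddr "$1")
    test -n "$i_tun0" || return 1
    printf '%s\n' "$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d $i_tun0 --dport 22 -j DNAT --to-destination 192.168.1.40"
}

# dnat_by_interface: the form asked for in the thread; it matches on the
# ingress interface, so the tunnel address can change without touching the rule.
dnat_by_interface() {
    printf '%s\n' "$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -i tun0 --dport 22 -j DNAT --to-destination 192.168.1.40"
}

# rule_is_stale: succeeds when a rule built from the first snapshot no longer
# matches the address in the second, i.e. the script needs re-running.
rule_is_stale() {
    [ "$(getaddr "$1")" != "$(getaddr "$2")" ]
}

# Walk through the scenario from the thread.
echo "rule at tunnel start:"; dnat_by_address "$ADDR_OUTPUT_T0"
if rule_is_stale "$ADDR_OUTPUT_T0" "$ADDR_OUTPUT_T1"; then
    echo "tunnel re-established with a new address; re-run the script (VPN up-hook) to get:"
    dnat_by_address "$ADDR_OUTPUT_T1"
fi
echo "interface-based form, unaffected by the change:"; dnat_by_interface
```

Hooking the re-run into the VPN software's interface-up event is the same pattern a dhcp client uses on a new lease; an address-less snapshot makes dnat_by_address emit nothing, matching the test -n guard in the generated script.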