* IP set and match skipping
@ 2010-10-03 9:20 Daniel Dehennin
From: Daniel Dehennin @ 2010-10-03 9:20 UTC (permalink / raw)
To: netfilter
Hello,
Testing xtables-addons[1] 1.30 on a virtual system, I have some
questions for my setup and regarding the xtables-addons next branch[2].
I want to avoid duplication: I have one ipporthash for my DMZ services
(behind a NAT) and would like to be able to skip some tests or fix one
argument:
ipset -N dmz-services ipporthash --network 10.1.1.0/24
ipset -A dmz-services 10.1.1.2,www
ipset -A dmz-services 10.1.1.2,smtp
ipset -A dmz-services 10.1.1.2,ssh
# DNAT by server
# Match only ports
iptables -t nat -A PREROUTING -i internet -m set --match-set dmz-services skip,dst -j DNAT --to-destination 10.1.1.2
Another thing: if several DMZ servers host different services:
# Add a new service for a new host
ipset -A dmz-services 10.1.1.3,kerberos
# Match services hosted on 10.1.1.2
iptables -t nat -A PREROUTING -i internet -m set --match-set dmz-services 10.1.1.2,dst -j DNAT --to-destination 10.1.1.2
# Match services hosted on 10.1.1.3
iptables -t nat -A PREROUTING -i internet -m set --match-set dmz-services 10.1.1.3,dst -j DNAT --to-destination 10.1.1.3
Is it a possible-to-add feature?
Regards.
Footnotes:
[1] http://www.baby-gnu.org/debian-asgardr/changelogs/pool/main/x/xtables-addons/xtables-addons_1.30-1/changelog
[2] http://www.spinics.net/lists/netfilter/msg49256.html
--
Daniel Dehennin
Retrieve my GPG key:
gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1
* Re: IP set and match skipping
From: Jozsef Kadlecsik @ 2010-10-03 19:19 UTC (permalink / raw)
To: Daniel Dehennin; +Cc: netfilter
On Sun, 3 Oct 2010, Daniel Dehennin wrote:
> I want to avoid duplication: I have one ipporthash for my DMZ services
> (behind a NAT) and would like to be able to skip some tests or fix one
> argument:
>
> ipset -N dmz-services ipporthash --network 10.1.1.0/24
> ipset -A dmz-services 10.1.1.2,www
> ipset -A dmz-services 10.1.1.2,smtp
> ipset -A dmz-services 10.1.1.2,ssh
>
> # DNAT by server
> # Match only ports
> iptables -t nat -A PREROUTING -i internet -m set --match-set dmz-services skip,dst -j DNAT --to-destination 10.1.1.2
>
> Another thing: if several DMZ servers host different services:
>
> # Add a new service for a new host
> ipset -A dmz-services 10.1.1.3,kerberos
>
> # Match services hosted on 10.1.1.2
> iptables -t nat -A PREROUTING -i internet -m set --match-set dmz-services 10.1.1.2,dst -j DNAT --to-destination 10.1.1.2
> # Match services hosted on 10.1.1.3
> iptables -t nat -A PREROUTING -i internet -m set --match-set dmz-services 10.1.1.3,dst -j DNAT --to-destination 10.1.1.3
>
> Is it a possible-to-add feature?
No, that's not possible. The internal lookup methods do not support such
wildcards.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
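An added example, written for this thread and not code posted by either participant: since the set lookup cannot skip the address field, the "one list, no duplicated rules" goal can instead be met by keeping a single host/service table and generating one port-only set plus one DNAT rule per DMZ host from it. At nat PREROUTING the packet still carries the NAT box's public address, so a set keyed on the internal addresses can never match before DNAT; what the rule really needs is a per-host set of destination ports. The script assumes the ipset 4.x `portmap` set type (a bitmap of ports, matched with the single flag `dst`) and that service names are resolved as in the original commands; the set names, the interface `internet` and the service table are constructed for the example. The conflict check exists because the DNAT decision is made on destination port alone, so a port listed for two hosts would be silently won by whichever rule comes first.

```shell
#!/bin/sh
# Added example: derive per-host port sets and DNAT rules from one service table.
# Commands are printed, not executed, so the result can be reviewed before loading.

# Constructed sample table, one "<dmz-host> <service>" pair per line.
SERVICES='
10.1.1.2 www
10.1.1.2 smtp
10.1.1.2 ssh
10.1.1.3 kerberos
'

# Set name derived from the host address: 10.1.1.2 -> dmz-ports-10-1-1-2 (hypothetical naming).
set_name_for() {
    printf 'dmz-ports-%s\n' "$(printf '%s' "$1" | tr . -)"
}

# Unique hosts from the table, in first-seen order.
dmz_hosts() {
    printf '%s\n' "$SERVICES" | awk 'NF == 2 && !seen[$1]++ { print $1 }'
}

# Refuse to generate anything if one port is claimed by two hosts: only the destination
# port is visible before DNAT, so such a table would be ambiguous. Exit status 0 when clean.
check_no_port_conflicts() {
    printf '%s\n' "$SERVICES" | awk '
        BEGIN { bad = 0 }
        NF == 2 {
            if (($2 in owner) && owner[$2] != $1) {
                print "conflict: service " $2 " listed for " owner[$2] " and " $1 > "/dev/stderr"
                bad = 1
            }
            owner[$2] = $1
        }
        END { exit bad }'
}

# One portmap set per host (assumed ipset 4.x syntax), filled with that host's services only.
gen_ipset_cmds() {
    for host in $(dmz_hosts); do
        setname=$(set_name_for "$host")
        printf 'ipset -N %s portmap --from 1 --to 65535\n' "$setname"
        printf '%s\n' "$SERVICES" | awk -v h="$host" 'NF == 2 && $1 == h { print $2 }' |
        while read -r svc; do
            printf 'ipset -A %s %s\n' "$setname" "$svc"
        done
    done
}

# One DNAT rule per host: match only the destination port against that host's set.
gen_iptables_cmds() {
    for host in $(dmz_hosts); do
        setname=$(set_name_for "$host")
        printf 'iptables -t nat -A PREROUTING -i internet -m set --match-set %s dst -j DNAT --to-destination %s\n' \
            "$setname" "$host"
    done
}

# Run with "--print" to emit the full command list; nothing is printed otherwise.
if [ "${1:-}" = "--print" ]; then
    check_no_port_conflicts && gen_ipset_cmds && gen_iptables_cmds
fi
```

Adding a service is a one-line change to the table and a regeneration; the rules stay in sync because nothing is written by hand twice, and a port accidentally assigned to a second host is caught before any rule is loaded.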