Re: interface vs ip

[Mariusz Kruk <kruk@rdc.pl>]

P theodorou napisa³(a):
> Im new to this therefore i need to clarify the followings
> 
> 1)can i send or recieve packets from interface to ip and vise versa
> 
> or  only to interfaces and only to ips
> 
> 2)
> 
> I want to let icmp packets from 192.168.0.1(eth1) to 192.168.1.1(eth2)
> 
> is it safer to declare
> 
> iptables -A INPUT  -i eth1   -o eth2 -J ACCEPT
> 
> or
> iptables -A INPUT -s 192.168.0.1 -d 192.168.1.1

It depends on what you really want to do. If you want to control the 
flow on the level of physical interfaces, you use -i and -o. If you want 
to control on the level of IP addresses, you use -s and -d. But that you 
already know. You can also combine both forms to, for example, filter 
out traffic which comes from a physical interface, but from IP's not 
belonging to this network. Or other similar things.
Anyway, it's up to you to decide which form is apropriate for what you 
want to achieve.
Remember tho, that you can use -s and -d in any table/chain (correct me 
if I'm wrong) regardless of whether it makes sense or not (already 
NATted or not yet and so on), but physical interfaces are limited to 
those tables/chains they make sense in. So you cannot use input 
interface in POSTROUTING because netfilter simply doesn't know which 
interface the packet came from.