From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@lists.netfilter.org
Subject: Re: matching -d to a given interface without specifying ip address
Date: Fri, 08 Sep 2006 11:44:43 +0200
Message-ID: <45013B8B.2040801@plouf.fr.eu.org>
In-Reply-To: <4500CA7B.6050304@nth.ca>
Dmitri wrote:
> Danny Rathjens wrote:
>
>> Dmitri wrote:
>>
>>> The problem with specifying an IP is that it may change, which breaks
>>> the rules and requires an update (and detection as well). Even for a
>>> static IP, that's an extra dependency to watch out for.
>>
>> That's what variables in your firewall script are for.
>> Just re-run it when your network connection restarts:
>> EXTIF="eth0"
>> EXTIP=`ifconfig $EXTIF |perl -ne'print $1 if /inet addr:([\d.]+)/'`
>> iptables -A INPUT -j ACCEPT -i $EXTIF -p tcp -d $EXTIP --dport 80
>
> Yes, but it's exactly the sort of hack I hoped to avoid. For a perfectly
> simple expression, now I need to 1) detect that IP changed or connection
> restarted, and 2) run the hack. There isn't supposed to be any firewall
> script.
From what you wrote in your messages, I understand that your box serves
as a gateway with an ethernet interface on the LAN side and a PPP
interface on the WAN side. On the LAN side, a gateway address is not
likely to change, so I don't see a reason to worry about changes of the
address of the ethernet interface. On the WAN side, pppd can run scripts
every time the PPP connection goes up or down and provide them useful
information in environment variables such as the IP address, the peer
address, the interface name... without the need for ugly hacks.
> It's like SNAT vs. MASQUERADE - MASQUERADE works without any scripts or
> reloads.
Or not. MASQUERADE does not work in some special cases when advanced
routing is used. MASQUERADE is not just SNAT with a dynamic address, it
is much more. For example you don't actually tell MASQUERADE "use that
interface address" but rather "use the suitable source address for the
packet destination".
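As an added illustration of the pppd hook approach described above (example code, not from any poster in this thread): an /etc/ppp/ip-up script that rebuilds a dedicated INPUT chain from the interface name and local address pppd hands it. It assumes the chain name `ppp_in` and the port list; IFNAME/IPLOCAL and the positional arguments are the ones documented in pppd(8).

```shell
#!/bin/sh
# Added example, not from the thread: an /etc/ppp/ip-up hook that rebuilds the
# INPUT rules for the PPP link from what pppd hands it. pppd exports IFNAME and
# IPLOCAL in the environment (and passes interface, tty, speed, local IP,
# remote IP, ipparam as $1..$6), see pppd(8). Chain name and ports are assumed.

CHAIN="ppp_in"      # dedicated chain: rebuilt on every ip-up, so no stale addresses
PORTS="80 443"      # TCP services reachable on the WAN address (assumption)

# Print the iptables commands for one interface/address pair. Printing rather
# than executing keeps the logic testable and lets you dry-run it first.
ppp_rules() {
    ifname=$1
    iplocal=$2
    # pppd should never hand us junk, but a hook running as root still refuses
    # anything that is not a dotted quad before splicing it into a command.
    case "$iplocal" in
        ""|*[!0-9.]*) echo "ppp_rules: bad local address '$iplocal'" >&2; return 1 ;;
    esac
    case "$ifname" in
        ""|*[!A-Za-z0-9_.-]*) echo "ppp_rules: bad interface '$ifname'" >&2; return 1 ;;
    esac
    printf 'iptables -N %s 2>/dev/null || true\n' "$CHAIN"
    printf 'iptables -F %s\n' "$CHAIN"
    # Hook the chain from INPUT exactly once for this interface.
    printf 'iptables -D INPUT -i %s -j %s 2>/dev/null || true\n' "$ifname" "$CHAIN"
    printf 'iptables -A INPUT -i %s -j %s\n' "$ifname" "$CHAIN"
    # Same match as the rule quoted in the thread, but -d comes from pppd rather
    # than from a script that has to notice the address change by itself.
    # Packets that match nothing here fall back to the INPUT chain's policy.
    for p in $PORTS; do
        printf 'iptables -A %s -p tcp -d %s --dport %s -j ACCEPT\n' "$CHAIN" "$iplocal" "$p"
    done
}

# When pppd invokes the hook, IFNAME/IPLOCAL (or $1/$4) are set: apply the rules.
# Set DRY_RUN=1 to only print them. Nothing runs when the file is merely sourced.
if [ -n "${IFNAME:-$1}" ]; then
    if [ "${DRY_RUN:-0}" = 1 ]; then
        ppp_rules "${IFNAME:-$1}" "${IPLOCAL:-$4}"
    else
        ppp_rules "${IFNAME:-$1}" "${IPLOCAL:-$4}" | sh -e
    fi
fi
```

The matching ip-down hook only needs to flush the chain and delete the INPUT jump for $IFNAME, so no rule for a dead address survives the reconnect.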