On Wednesday 21 April 2004 12:39 am, Rodrigo Haces wrote:

> Thanks for this, hope this is my last post:
>
> assuming this will allow all 192.168.1.0/24 to go to 192.168.0.0/24, how could
> I do it if I want not all the subnet, but only 192.168.1.10? I suppose it is with
> the -s option, but I'm not sure of how to use this.

iptables -A FORWARD -i eth0 -o eth1 -s 192.168.1.10 -j ACCEPT

Regards,

Antony

> > -----Original Message-----
> > From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> > [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On behalf of Antony Stone
> > Sent: Tuesday, 20 April 2004 01:33 a.m.
> > To: Netfilter
> > Subject: Re: IP Alias with iptables
> >
> > On Tuesday 20 April 2004 4:08 am, Rodrigo Haces wrote:
> > > New Situation:
> > >
> > > eth0: 192.168.1.1 Connected to hub 1
> > > eth1: 192.168.0.1 Connected to hub 2
> > >
> > > hub 1 is for guests
> > > hub 2 is for administrative purposes, and MUST be able to use network
> > > 192.168.0.x and 192.168.1.x
> >
> > So, the firewall needs to allow 192.168.1.0/24 addresses to connect to
> > 192.168.0.0/24 but not the other way round.
> >
> > > so this is something I thought.
> > >
> > > eth0... 192.168.1.1 netmask 255.255.255.0
> > > eth1... 192.168.0.1 netmask 255.255.0.0
> >
> > Doesn't look good.
> >
> > > eth1:1. 192.168.1.101 netmask 255.255.0.0
> >
> > Looks as bad as the first idea, with only one interface.
> >
> > > my laptop is part of the administrative sector, I have 192.168.0.10 IP, but
> > > I need to be able to use also 192.168.1.10 so I can monitor guests,
> >
> > What is wrong with your laptop having just one IP address (that *is*
> > conventional, after all), and the firewall allowing it to "monitor" addresses
> > in the other subnet? Perhaps you should explain more about what you mean by
> > "monitor"?
> >
> > > Any ideas
> >
> > Yes. Have two subnets with separate address ranges, a firewall in between,
> > and allow one subnet to connect to the other, but not the other way round.
> >
> > eg:
> > eth0 192.168.1.1 netmask 255.255.255.0
> > eth1 192.168.0.1 netmask 255.255.255.0
> >
> > iptables -P FORWARD DROP
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
> >
> > Regards,
> >
> > Antony.
> >
> > --
> > Success is a lousy teacher. It seduces smart people into thinking they can't
> > lose.
> >
> > - William H Gates III
> >
> > Please reply to the list; please don't CC me.

--
"It would appear we have reached the limits of what it is possible to achieve
with computer technology, although one should be careful with such statements;
they tend to sound pretty silly in five years."

- John von Neumann (1949)

Please reply to the list; please don't CC me.
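The complete FORWARD ruleset from the thread, assembled as a script that restricts guest-to-admin access to named hosts instead of the whole 192.168.1.0/24; this is an added example, not code from the list, and it assumes the interface and address layout above (eth0 = guest hub, eth1 = admin hub). It runs as a dry run by default and only applies the rules when IPTABLES=iptables is set.

```shell
#!/bin/sh
# Added example (not from the thread): build the FORWARD chain described in
# Antony's reply, but allow only individual guest-side hosts through.
# Defaults to a dry run that prints the commands; run as root with
# IPTABLES=iptables to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

GUEST_IF="eth0"   # 192.168.1.0/24, hub 1 (assumed layout from the thread)
ADMIN_IF="eth1"   # 192.168.0.0/24, hub 2

# Emit the rules that let only the listed guest-side hosts open connections
# to the admin subnet. Usage: guest_to_admin_rules HOST...
guest_to_admin_rules() {
    # Start from an empty FORWARD chain: if the earlier subnet-wide rule
    # (-i eth0 -o eth1 -j ACCEPT) were left in place, a per-host rule
    # appended after it would never be reached.
    $IPTABLES -F FORWARD
    $IPTABLES -P FORWARD DROP
    # Replies to connections the admin side already accepted still flow back.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for host in "$@"; do
        $IPTABLES -A FORWARD -i "$GUEST_IF" -o "$ADMIN_IF" -s "$host" -j ACCEPT
    done
    # Everything else falls through to the DROP policy: the other guest
    # hosts, and every new connection started from the admin side.
}

# Dry-run check: how many per-host ACCEPT rules does the ruleset contain?
count_host_rules() {
    guest_to_admin_rules "$@" | grep -c -- "-s "
}

guest_to_admin_rules 192.168.1.10
```

Review the printed commands before setting IPTABLES=iptables; the flush (-F FORWARD) discards whatever is already in the chain.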