Payal Rathod wrote:
> On Fri, Jul 16, 2004 at 11:51:54AM +0300, Micha Silver wrote:
>> Have you tried Shorewall? http://www.shorewall.net
>> You can do it with either DNAT or proxy arp.
>
> Ok. I will try it. But I am not too fond of using tools for firewall.
> Thanks.
> -Payal

The setup of a script-only setup isn't too hard. You have to abandon the concept of ip aliases since netfilter dropped support for the concept. You only deal with the root interface and ip addresses.

If you want to set up a multi-ip address interface from the command line, you could use something like the following:

<Assuming you already have $ip0 set up on eth0 and netmask == 24, and gw == $gw>

    ip addr add $ip1/24 dev eth0
    ip addr add $ip2/24 dev eth0

Now, any data sent to 200.1.1.2-4 will be sent to your firewall. Assuming you have a block-all, accept-selected rule, you'd set up something like the following:

    iptables -t nat -A PREROUTING --destination $ip1 -p tcp --dport 21 -j DNAT --to $internal_1
    iptables -t nat -A PREROUTING --destination $ip1 -p tcp --dport 9001 -j DNAT --to $internal_2
    iptables -t nat -A PREROUTING --destination $ip1 -p tcp --dport 80 -j DNAT --to $internal_2
    iptables -t nat -A PREROUTING --destination $ip1 -p tcp --dport 25 -j DNAT --to $internal_2

    iptables -A FORWARD --destination $internal_1 -p tcp --dport 21 -j ACCEPT
    iptables -A FORWARD --destination $internal_2 -p tcp --dport 9001 -j ACCEPT
    iptables -A FORWARD --destination $internal_2 -p tcp --dport 80 -j ACCEPT
    iptables -A FORWARD --destination $internal_2 -p tcp --dport 25 -j ACCEPT

    # enable routing between interfaces (the sysctl is ip_forward, not forward)
    echo "1" > /proc/sys/net/ipv4/ip_forward

My example used the same external interface to handle all requests. You can replace the --destination field with any one that you've bound to the external interface.
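The DNAT-plus-FORWARD pattern from the message above, as an added example that is not part of the original post: a small dry-run generator that turns a mapping table into the rule set, validates ports, pins each FORWARD accept to the external interface and the forwarded port, and adds the ESTABLISHED,RELATED return rule the post leaves implicit. The interface name, the mapping lines and the function names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not the original poster's script. Prints the iptables commands
# instead of running them so the rule set can be reviewed before it is applied.

EXT_IF="eth0"          # assumed external interface

# One mapping per line: <external ip> <proto> <port> <internal ip>  (constructed sample)
MAPPINGS='200.1.1.2 tcp 21 192.168.1.10
200.1.1.2 tcp 80 192.168.1.11
200.1.1.3 tcp 25 192.168.1.11'

# Print the PREROUTING DNAT rule and the matching FORWARD accept for one mapping.
# The accept is pinned to the external interface, the internal host and the
# forwarded port, so it cannot be widened into a general pass-through.
forward_rules() {
    ext="$1"; proto="$2"; port="$3"; int="$4"
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $ext -p $proto --dport $port -j DNAT --to-destination $int"
    echo "iptables -A FORWARD -i $EXT_IF -d $int -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# Emit the whole rule set: return traffic first, one DNAT/FORWARD pair per
# mapping, then the sysctl that actually turns forwarding on. Stops on a bad line.
generate_ruleset() {
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    while read -r ext proto port int; do
        [ -n "$ext" ] || continue
        forward_rules "$ext" "$proto" "$port" "$int" || return 1
    done <<EOF
$MAPPINGS
EOF
    echo "sysctl -w net.ipv4.ip_forward=1"
}

generate_ruleset
```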