Hi all,

I have a two-part question. The first is how to do something; the second is how do I clear up my failed attempts to accomplish the first.

I would like to be able to forward an ipset tied to certain ports to a different machine. I know how to create an IPSet and bind that set to certain ports -- I would like to be able to forward that set to another machine instead of doing a straight reject. My aim in the testing is to have a machine I can ssh to, from which I can mail, and then later verify that the mail sent to my firewall gets routed properly.

To this end I created a set and a corresponding table -- dischash and DISCHASH:

    ipset -N disc nethash
    ipset -A dischash xxx.xxx.xxx.xxx/xx
    ipset -N discports portmap --from 1 --to 1024
    ipset -A discports 25
    ipset -B dischash :default: -b discports

(Here I am not clear if I need the table, but created it anyway)

    iptables -N DISCHASH

(With a straight LTREJECT I would create a FORWARD and INPUT, but here, I'm not sure)

(Then I did this:)

    iptables -t nat -A PREROUTING -m set --set dischash dst -j DNAT --to-destination --to yyy.yyy.yyy.yyy

Now, I can't ssh to the machine in the set; my ssh (verified by a traceroute) fails to yyy.yyy.yyy.yyy -- which is what I would expect if I didn't have the ipset bound to port 25.

I tried several iterations of this last command (verifying my insanity) and now when I do:

    iptables -L -t nat

I get entries at the end reading:

    DNAT  all  --  anywhere  anywhere  set dischash dst to:xxx.xxx.xxx.xxx

So, is there syntax to clear single DNAT entries without flushing ALL PREROUTING? And is there syntax which will allow me to reroute traffic from a particular ipset going only to bound ports (i.e. mail) to a second address?

Thanks very much for any help.

Rob Carlson
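The two things the post asks for (redirecting only port-25 traffic from the set's members to a second address, and removing one DNAT rule without flushing the whole PREROUTING chain) as an added example; this is not the poster's configuration and not copied from any answer in the thread. It assumes a modern ipset (`hash:net` sets, the `-m set --match-set` iptables match) and iptables 1.4.11 or later for `-C`; the set name, the 192.0.2.0/24 members and the 203.0.113.10 destination are constructed placeholders. The set is matched as `src` rather than `dst`, because the hosts in the set are the ones sending mail and matching them as the destination rewrites every connection *to* them (including ssh). DRY_RUN=1 (the default) prints the commands instead of executing them, so the script can be read and checked without root.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the ipset and nat rules
# for "redirect SMTP from set members to another host" and shows how to
# delete exactly one PREROUTING rule. Assumes modern ipset/iptables.
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it (needs root).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Match spec shared by add, check and delete: TCP to port $2 whose source
# address is a member of set $1. 'src' is the key: matching 'dst' is what
# rewrote the poster's ssh session to the set member.
dnat_match() {   # $1=set name  $2=destination port
    printf '%s' "-p tcp --dport $2 -m set --match-set $1 src"
}

# Full nat rule; $1 is the iptables action: -A (append), -C (check), -D (delete).
# Using the identical match spec for -D is what lets you remove a single rule.
dnat_rule() {    # $1=-A|-C|-D  $2=set name  $3=port  $4=new destination
    printf '%s' "iptables -t nat $1 PREROUTING $(dnat_match "$2" "$3") -j DNAT --to-destination $4"
}

# Alternative deletion by position: list with --line-numbers, then delete
# that number. Rule numbers shift after each deletion, so delete one at a time.
delete_nat_rule_by_number() {   # $1=rule number from 'iptables -t nat -L PREROUTING -n --line-numbers'
    run iptables -t nat -D PREROUTING "$1"
}

SET=dischash
MAILHOST=203.0.113.10        # constructed placeholder for yyy.yyy.yyy.yyy
MEMBER=192.0.2.0/24          # constructed placeholder for xxx.xxx.xxx.xxx/xx

# 1. The set of hosts allowed to relay mail through the firewall.
run ipset create "$SET" hash:net -exist
run ipset add "$SET" "$MEMBER" -exist

# 2. Rewrite only port 25 from those hosts to the mail machine.
#    Everything else from them (ssh included) is left untouched.
# shellcheck disable=SC2046
run $(dnat_rule -A "$SET" 25 "$MAILHOST")

# 3. DNAT alone is not enough: the rewritten packets must also be allowed
#    through FORWARD and the kernel must route them.
run sysctl -w net.ipv4.ip_forward=1
run iptables -A FORWARD -p tcp -d "$MAILHOST" --dport 25 -m set --match-set "$SET" src -j ACCEPT

# 4. Verify the exact rule exists (exit 0) and remove just that rule.
run $(dnat_rule -C "$SET" 25 "$MAILHOST")
run $(dnat_rule -D "$SET" 25 "$MAILHOST")
```

Two points worth checking after applying this for real: `iptables -t nat -S PREROUTING` prints every rule in the same `-A ...` form the script generates, so a rule you cannot delete by spec is one whose printed form differs from what you typed (run `-D` with the printed form, or use `-L --line-numbers` and `delete_nat_rule_by_number`); and because DNAT rewrites the destination, the mail host needs a return route through this firewall, otherwise replies bypass it and the handshake fails.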