Re: Forward Ipset and Clear DNAT entry

Hi Rob,

On Fri, 18 Nov 2005, Rob Carlson wrote:

> I would like to be able to forward an ipset tied
> to certain ports to a different machine.  I know
> how to create an IPSet and bind that set to
> certain ports-- I would like to be able to forward
> that  set to another machine instead of doing a
> straight reject.  My aim in the testing is to have
> a machine I can ssh to, from which I can mail,
> and then later verify that the mail sent to my
> firewall gets routed properly.

I'm not completely sure I understand what you want to achieve, but
anyway...

> To this end I created a set and a corresponding
> table-- dischash and DISCHASH
>
> ipset -N disc nethash
> ipset -A dischash xxx.xxx.xxx.xxx/xx
> ipset -N discports portmap --from 1 --to 1024
> ipset -A discports 25
> ipset -B dischash :default: -b discports
>    (Here I am not clear if I need the table, but
> created it anyway)
> iptables -N DISCHASH
>    (With a straight LTREJECT I would create a
> FORWARD and INPUT, but here, I'm not sure)
>    (Then I did this:)

You mean the DISCHASH chain? As you don't use it, the chain is
unnecessary.

> iptables -t nat  -A PREROUTING -m set --set
> dischash dst -j DNAT --to-destination --to
> yyy.yyy.yyy.yyy
>
> Now, I can't ssh to the machine in the set, my ssh
> (verified by a traceroute) fails to
> yyy.yyy.yyy.yyy-- which is what I would expect if
> I didn't have the ipset bound to port 25.

The ipset is bound to the port, but you did not instruct the set matching
to follow the bindings up to the level you want. You should have typed

iptables -t nat  -A PREROUTING -m set --set \
  dischash dst,dst -j DNAT --to-destination --to yyy.yyy.yyy.yyy
           ^^^^^^^
i.e. instruct the set matching to follow one level of bindings and at that
level apply destination matching. Without this, the set matching checked
the dischash set alone and the NAT rule was applied according to the
result.

> I tried several iterations of this last command (verifying my insanity)
> and now when I do:
>
> iptables -L -t nat
> I get entries at the end reading:
> DNAT       all  --  anywhere             anywhere
>             set dischash dst to:xxx.xxx.xxx.xxx
>
> So,
> Is there syntax to clear single DNAT entries
> without flushing ALL prerouting?

You can delete any rule anytime. However, you cannot change the
NAT-related parameters of the living connections known by conntrack. They
must die out (or you can kill the corresponding conntrack entry by the new
'conntrack' tool.)

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
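The difference between `--set dischash dst` and `--set dischash dst,dst` that the reply describes, as an added illustration that is not part of the original thread and not ipset's or netfilter's own code: a small Python model of the old ipset binding semantics. One flag per binding level; a match at one level continues into the set bound to the matched element (or the `:default:` binding) and checks the next flag there. Set names follow the thread; the network 192.0.2.0/24, the host 192.0.2.10 and the packets are constructed placeholders for the masked addresses.

```python
import ipaddress

# Constructed model of the old ipset (2.x era) "binding" semantics discussed in
# the thread above. Illustration only, not ipset's or netfilter's code.


class PortMap:
    """Set of ports within a fixed range (ipset type 'portmap')."""

    def __init__(self, name, low, high):
        self.name = name
        self.low, self.high = low, high
        self.ports = set()

    def add(self, port):
        if not self.low <= port <= self.high:
            raise ValueError(f"port {port} outside {self.low}-{self.high}")
        self.ports.add(port)

    def extract(self, packet, flag):
        # A portmap looks at the port of the selected direction (src/dst).
        return packet[f"{flag}_port"]

    def match(self, port):
        return port in self.ports

    def binding_for(self, port):
        # Portmaps in this model carry no further bindings.
        return None


class NetHash:
    """Set of networks (ipset type 'nethash') with optional bindings."""

    def __init__(self, name):
        self.name = name
        self.nets = []
        self.bindings = {}      # network -> bound set
        self.default = None     # ':default:' binding

    def add(self, cidr):
        self.nets.append(ipaddress.ip_network(cidr))

    def bind(self, element, other):
        if element == ":default:":
            self.default = other
        else:
            self.bindings[ipaddress.ip_network(element)] = other

    def extract(self, packet, flag):
        # A nethash looks at the address of the selected direction.
        return ipaddress.ip_address(packet[f"{flag}_ip"])

    def _lookup(self, ip):
        return next((n for n in self.nets if ip in n), None)

    def match(self, ip):
        return self._lookup(ip) is not None

    def binding_for(self, ip):
        return self.bindings.get(self._lookup(ip), self.default)


def parse_flags(spec):
    """Parse the flag list of `-m set --set NAME spec`, e.g. 'dst,dst'."""
    flags = spec.split(",")
    if any(f not in ("src", "dst") for f in flags):
        raise ValueError(f"bad set flags: {spec!r}")
    return flags


def set_match(start, packet, spec):
    """Emulate the set match: one flag per binding level.

    The first flag is checked against the named set; if it matches and more
    flags follow, the walk continues into the set bound to the matched element
    (or the ':default:' binding) and checks the next flag there.
    """
    current = start
    flags = parse_flags(spec)
    for level, flag in enumerate(flags):
        value = current.extract(packet, flag)
        if not current.match(value):
            return False
        if level + 1 < len(flags):
            current = current.binding_for(value)
            if current is None:
                return False
    return True


# Constructed sets mirroring the thread; 192.0.2.0/24 stands in for xxx.
dischash = NetHash("dischash")
dischash.add("192.0.2.0/24")
discports = PortMap("discports", 1, 1024)
discports.add(25)
dischash.bind(":default:", discports)

# Constructed packets: ssh and smtp towards a host inside the set.
SSH_TO_SET = {"src_ip": "198.51.100.7", "dst_ip": "192.0.2.10",
              "src_port": 40000, "dst_port": 22}
SMTP_TO_SET = dict(SSH_TO_SET, dst_port=25)


def would_dnat(packet, spec):
    """True if a PREROUTING rule `-m set --set dischash <spec> -j DNAT` fires."""
    return set_match(dischash, packet, spec)


if __name__ == "__main__":
    for name, pkt in (("ssh", SSH_TO_SET), ("smtp", SMTP_TO_SET)):
        print(name, "dst ->", would_dnat(pkt, "dst"),
              "dst,dst ->", would_dnat(pkt, "dst,dst"))
```

With the single `dst` flag the ssh packet matches (only the address is checked, so the DNAT rule fires and the ssh session is redirected, as in the reported symptom); with `dst,dst` the walk follows the default binding into `discports`, the port 22 check fails, and only the smtp packet is redirected.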

