Hello,
Dmitri wrote:
> Is there a way to define a condition "those packets whose destination is
> the IP address of the given interface" without specifying the actual IP
> address? (it changes, thus needs to be detected and updated)
None that I'm aware of.
> I want to be able to distinguish those packets addressed to the box, to
> be forwarded, from those just passing through it. (-i matches both)
> Such packets can be discovered in the INPUT chains, after the "routing
> decision", but by then it's too late to do DNAT.
Beware. "Packets addressed to the box (entering the given interface)" is
not the same as "packets whose destination is the IP address of the
given interface". The former means "packets whose destination is the IP
address of ANY local interface". So packets matching a rule such as:
iptables -A INPUT -i <interface> ...
would match not only the former definition but also the latter, and also
broadcasts that the box listens to.
So what do you want to match exactly?
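As an added illustration of the "detect the address and update the rules" approach the question describes (this is example code, not something posted in the thread), the script below reads the output of `ip -4 -o addr show dev <iface>` and prints one PREROUTING DNAT rule per address found, so the rules only match traffic sent to that interface's own address(es) rather than everything entering the interface. The interface name `eth0`, TCP port 80 and the target `10.0.0.5:8080` are assumptions; the `ip` output is a constructed sample, and the commands are printed rather than executed so the script can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.

# Given the text of `ip -4 -o addr show dev <iface>` on stdin, print the
# IPv4 addresses (prefix length stripped), one per line.
iface_addrs() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "inet") { split($(i+1), a, "/"); print a[1] } }'
}

# Print (do not run) the iptables commands that DNAT only traffic addressed
# to the interface's own address(es), in nat/PREROUTING, i.e. before the
# routing decision, which is the only place DNAT can still be done.
# Arguments: interface name, DNAT target host:port; address list on stdin.
emit_dnat_rules() {
    iface=$1; target=$2
    while read -r addr; do
        [ -n "$addr" ] || continue
        printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport 80 -j DNAT --to-destination %s\n' \
            "$iface" "$addr" "$target"
    done
}

# Constructed sample of `ip -4 -o addr show dev eth0` output (not captured
# from a real host); one primary and one secondary address.
SAMPLE_IP_OUTPUT='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth0\       valid_lft forever preferred_lft forever'

# Stand-alone run: show the rules that would be generated for the sample.
# On a live box you would pipe `ip -4 -o addr show dev eth0` in instead and
# re-run this whenever the interface address changes.
printf '%s\n' "$SAMPLE_IP_OUTPUT" | iface_addrs | emit_dnat_rules eth0 10.0.0.5:8080
```

Because each rule carries an explicit `-d <address>`, it matches only packets destined for that address on that interface, not packets merely passing through it and not broadcasts; the price, as the question notes, is that the rule set has to be regenerated when the address changes.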