Dmitri wrote:
> Danny Rathjens wrote:
>> Dmitri wrote:
>>> The problem with specifying an IP is that it may change, which breaks the rules and requires an update (and detection as well). Even for a static IP, that's an extra dependency to watch out for.
>> That's what variables in your firewall script are for. Just re-run it when your network connection restarts:
>>
>> EXTIF="eth0"
>> EXTIP=`ifconfig $EXTIF | perl -ne 'print $1 if /inet addr:([\d.]+)/'`
>> iptables -A INPUT -j ACCEPT -i $EXTIF -p tcp -d $EXTIP --dport 80
>
> Yes, but it's exactly the sort of hack I hoped to avoid. For a perfectly simple expression, now I need to 1) detect that the IP changed or the connection restarted, and 2) run the hack. There isn't supposed to be any firewall script.
From what you wrote in your messages, I understand that your box serves as a gateway with an ethernet interface on the LAN side and a PPP interface on the WAN side. On the LAN side, a gateway address is not likely to change, so I don't see a reason to worry about changes of the address of the ethernet interface. On the WAN side, pppd can run scripts every time the PPP connection goes up or down and provide them useful information in environment variables such as the IP address, the peer address, the interface name... without the need for ugly hacks.
> It's like SNAT vs. MASQUERADE - MASQUERADE works without any scripts or reloads.
Or not. MASQUERADE does not work in some special cases when advanced routing is used. MASQUERADE is not just SNAT with a dynamic address, it is much more. For example you don't actually tell MASQUERADE "use that interface address" but rather "use the suitable source address for the packet destination".
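A worked example of the pppd hook approach mentioned above, added here as an illustration; it is not code from either poster. It assumes a Debian-style layout in which pppd's /etc/ppp/ip-up and /etc/ppp/ip-down run the scripts under /etc/ppp/ip-up.d/ and /etc/ppp/ip-down.d/ with pppd's own positional arguments (interface, tty, speed, local IP, remote IP, ipparam) and with pppd's exported variables (IFNAME, IPLOCAL, IPREMOTE, ...) still in the environment; it also assumes an iptables that supports -C. The rule it maintains is the one from the quoted snippet (TCP port 80 to the interface's own address), the file name 80-web-firewall and the 203.0.113.x addresses are constructed.

```shell
#!/bin/sh
# 80-web-firewall: assumed to be installed as /etc/ppp/ip-up.d/80-web-firewall
# and symlinked as /etc/ppp/ip-down.d/80-web-firewall (path is an assumption).
# pppd runs ip-up/ip-down as:  script IFNAME TTY SPEED IPLOCAL IPREMOTE IPPARAM
# and exports IFNAME, IPLOCAL, IPREMOTE, ... in the environment as well.

IPTABLES="${IPTABLES:-iptables}"

# Interface name and local address as handed over by pppd: prefer the
# exported variables, fall back to the positional arguments.
ppp_ifname()  { printf '%s' "${IFNAME:-$1}"; }
ppp_iplocal() { printf '%s' "${IPLOCAL:-$4}"; }

# The rule as one string, so the text inserted on ip-up (-I) and removed
# on ip-down (-D) is guaranteed to be identical.
web_rule() {
    # $1 = interface, $2 = local address of that interface
    printf 'INPUT -i %s -d %s -p tcp --dport 80 -j ACCEPT' "$1" "$2"
}

# pppd gives us a dotted quad, but never pass unchecked text to iptables.
is_ipv4() {
    case "$1" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    (
        IFS=.
        set -f                      # no globbing while splitting
        set -- $1                   # split into octets
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            [ "$o" -le 255 ] 2>/dev/null || exit 1
        done
        exit 0
    )
}

apply_rule() {
    # $1 = up|down, $2 = interface, $3 = local address
    is_ipv4 "$3" || { echo "refusing to touch firewall for address '$3'" >&2; return 1; }
    rule=$(web_rule "$2" "$3")
    case "$1" in
        up)
            # pppd may bounce the link; do not stack duplicate rules.
            $IPTABLES -C $rule 2>/dev/null || $IPTABLES -I $rule ;;
        down)
            # Already gone (e.g. after a flush) is not an error on teardown.
            $IPTABLES -D $rule 2>/dev/null || true ;;
    esac
}

# Entry point: up or down is taken from the directory pppd ran us from,
# so one file serves both hooks. With no interface from pppd, do nothing,
# which makes the file safe to source.
case "$0" in
    *ip-up*)   mode=up ;;
    *ip-down*) mode=down ;;
    *)         mode="" ;;
esac
if [ -n "$mode" ] && [ -n "$(ppp_ifname "$@")" ]; then
    apply_rule "$mode" "$(ppp_ifname "$@")" "$(ppp_iplocal "$@")"
fi
```

Because the address comes from pppd at the moment the link is established, nothing has to poll ifconfig or detect a reconnect; the rule also disappears with the link, so a stale address never stays open.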