20.01.2011 21:38, Arthur Titeica wrote:
Hello
I'm having some trouble understanding the correct syntax for an
iptables rule involving ipset.
I need to forward between IPs within the same ipset. So I've tried
using something like this:
iptables -A FORWARD -i eth0 -o eth0 -m set --match-set testset src,dst
-p tcp --dport 9000:9020 -j ACCEPT
However this allows forwarding to all the eth0 network for the
'testset' IPs.
Instead
iptables -A FORWARD -i eth0 -o eth0 -m set --match-set testset src -m
set --match-set testset dst -p tcp --dport 9000:9020 -j ACCEPT
seems to do what I need but I'm not 100% certain.
Anyone with a better understanding?
iptables v1.4.10
ipset v5.3.
Thank you.
Unfortunately, the flags src|dst[,src|dst...] do a different job than 90%
of people who are new to ipset suppose they do.
Some of them think the rule 'iptables -A FORWARD -m set --set something
src,dst -j SOMEWHERE' is a shortcut for 'iptables -A FORWARD -m set
--set something src -j SOMEWHERE; iptables -A FORWARD -m set --set
something dst -j SOMEWHERE' or something like that.
Just read the ipset section of the iptables man page and then you'll know what
these flags do.
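Added illustration, not code from the thread or from the ipset project: a small Python model of how the set match's flag list maps positionally onto a set's dimensions (the iptables man page gives src,dst on an ip,port set as "source address, destination port"), run over the two rules from the question. The model assumes that flags beyond the set's dimension are not consulted; set names, addresses and ports are constructed.

```python
# Added model (not the list's or the kernel's code) of how the iptables
# "set" match pairs its src/dst flag list with an ipset's dimensions.
# Modelled assumption: flag i selects the packet side used for dimension i
# of the set (dimension 0 = address, dimension 1 = port); a rule with fewer
# flags than dimensions cannot match, and surplus flags are not consulted.

class IPSet:
    """An ipset with a fixed number of dimensions, e.g. hash:ip (1) or hash:ip,port (2)."""
    def __init__(self, name, dimension, members):
        self.name = name
        self.dimension = dimension
        self.members = set(members)  # each entry is a tuple of length `dimension`

def match_set(ipset, flags, pkt):
    """Emulate one `-m set --match-set <name> <flags>`; pkt has src, dst, sport, dport."""
    if len(flags) < ipset.dimension:
        return False  # too few flags to build a lookup key
    key = []
    for dim, side in enumerate(flags[:ipset.dimension]):
        if side not in ("src", "dst"):
            raise ValueError(f"bad flag {side!r}")
        # dimension 0 reads the address, dimension 1 reads the port (sport/dport)
        key.append(pkt[side] if dim == 0 else pkt[side[0] + "port"])
    return tuple(key) in ipset.members

def rule_matches(matches, pkt):
    """Several `-m set` matches in one rule are ANDed: all must match."""
    return all(match_set(s, f, pkt) for s, f in matches)

# Constructed sample data: a hash:ip set like the question's testset, a
# hash:ip,port set, and two packets, one staying inside the set, one leaving it.
TESTSET = IPSet("testset", 1, [("10.0.0.5",), ("10.0.0.6",)])
PAIRSET = IPSet("pairs", 2, [("10.0.0.5", 9000)])
inside = {"src": "10.0.0.5", "dst": "10.0.0.6", "sport": 40000, "dport": 9000}
leaving = {"src": "10.0.0.5", "dst": "10.0.0.99", "sport": 40000, "dport": 9000}

def one_match_src_dst(pkt):  # --match-set testset src,dst
    return rule_matches([(TESTSET, ["src", "dst"])], pkt)

def two_matches(pkt):  # --match-set testset src -m set --match-set testset dst
    return rule_matches([(TESTSET, ["src"]), (TESTSET, ["dst"])], pkt)

def pair_src_dst(pkt):  # --match-set pairs src,dst: (source address, destination port)
    return rule_matches([(PAIRSET, ["src", "dst"])], pkt)

if __name__ == "__main__":
    for rule in (one_match_src_dst, two_matches, pair_src_dst):
        print(f"{rule.__name__:18} inside={rule(inside)} leaving={rule(leaving)}")
```

Under this model the single src,dst match on a one-dimensional set only ever consults the source address, which is why the first rule lets the testset hosts reach the whole network, while the two chained matches require both ends to be members.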