On Thu, 20 Jan 2011, Arthur Titeica wrote:

> I'm having some trouble understanding the correct syntax for an iptables rule
> involving ipset.
>
> I need to forward between IPs within the same ipset. So I've tried using
> something like this:
>
> iptables -A FORWARD -i eth0 -o eth0 -m set --match-set testset src,dst -p tcp
> --dport 9000:9020 -j ACCEPT

It'd be good to know the type of "testset". Anyway, if you want to match the
same IPs in both the source and destination directions by a set, then you
should use a rule like this

iptables -A FORWARD -i eth0 -o eth0 \
  -m set --match-set testset src \
  -m set --match-set testset dst \
  -p tcp --dport 9000:9020 -j ACCEPT

The keywords "src" and "dst" instruct the set match which parameter to grab
from the packet ("source IP" or "destination IP") and try to match it with
the elements in the set. If it's a multidimensional set, then multiple "src",
"dst" parameters can be used.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
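The following script is an added example, not part of the list post above. It
builds the set and the rules Jozsef describes: a one-dimensional set matched
twice (once with "src", once with "dst") so that both ends of the forwarded
connection must be members, and, to illustrate his remark about
multidimensional sets, a second set of type hash:ip,port matched with
"dst,dst" (destination IP and destination port looked up as one pair). The
set name testset, interface eth0 and port range 9000:9020 come from the
thread; the set types, the second set name "services" and the sample
addresses (from the RFC 5737 documentation range) are assumptions. With
DRY_RUN left at 1 the commands are only printed, so the script can be read
without root or a live netfilter stack.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) ipset/iptables commands for
# forwarding only between members of the same set.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only, 0 = execute them

run() {
    # Print the command line; execute it only when DRY_RUN=0.
    printf '%s\n' "$1"
    if [ "$DRY_RUN" = "0" ]; then
        eval "$1"
    fi
}

forward_within_set() {
    # $1 = name of a one-dimensional set (assumed type hash:ip)
    # $2 = interface, $3 = TCP destination port range
    # Two separate "-m set" matches: the first takes the packet's source IP,
    # the second its destination IP, and each must be found in the set.
    printf 'iptables -A FORWARD -i %s -o %s -m set --match-set %s src -m set --match-set %s dst -p tcp --dport %s -j ACCEPT\n' \
        "$2" "$2" "$1" "$1" "$3"
}

forward_to_service_set() {
    # $1 = source set (hash:ip), $2 = service set (hash:ip,port), $3 = interface
    # "dst,dst" tells the match to take the packet's destination IP and
    # destination port and look the pair up in the two-dimensional set, so
    # the port list lives in the set instead of in a --dport clause.
    printf 'iptables -A FORWARD -i %s -o %s -m set --match-set %s src -m set --match-set %s dst,dst -j ACCEPT\n' \
        "$3" "$3" "$1" "$2"
}

# Constructed sample data: two hosts that may talk to each other on 9000-9020.
run "ipset create testset hash:ip"
run "ipset add testset 192.0.2.10"
run "ipset add testset 192.0.2.20"
run "$(forward_within_set testset eth0 9000:9020)"

# Multidimensional variant: allowed destination IP/port pairs in one set.
run "ipset create services hash:ip,port"
run "ipset add services 192.0.2.20,tcp:9000"
run "ipset add services 192.0.2.20,tcp:9001"
run "$(forward_to_service_set testset services eth0)"
```

Run it as-is to see the command lines; run it with DRY_RUN=0 as root to apply
them. Note that with a one-dimensional set the original "src,dst" form asks
the match for two parameters the set cannot supply, which is why the two
single-parameter matches are needed.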