On Thu, 20 Jan 2011 23:20:16 +0100 (CET), Jozsef Kadlecsik wrote:
> On Thu, 20 Jan 2011, Arthur Titeica wrote:
>
> > I'm having some trouble understanding the correct syntax for an
> > iptables rule involving ipset.
> >
> > I need to forward between IPs within the same ipset. So I've tried
> > using something like this:
> >
> > iptables -A FORWARD -i eth0 -o eth0 -m set --match-set testset src,dst -p tcp --dport 9000:9020 -j ACCEPT
> It'd be good to know the type of "testset". Anyway, if you want to
> match the same IPs in both the source and destination directions by a
> set, then you should use a rule like this
>
> iptables -A FORWARD -i eth0 -o eth0 \
>     -m set --match-set testset src \
>     -m set --match-set testset dst \
>     -p tcp --dport 9000:9020 -j ACCEPT
>
> The keywords "src" and "dst" instruct the set match which parameter
> to grab from the packet ("source IP" or "destination IP") and try to
> match it with the elements in the set. If it's a multidimensional set,
> then multiple "src", "dst" parameters can be used.
Thanks for replying. The ipsets used are hash:ip so no wonder it
doesn't work as I thought.

In my defence the misleading part was the online iptables man
[ http://ipset.netfilter.org/iptables.man.html ] which isn't quite clear.
--
Arthur Titeica
PharmEc Software Constanta
Mobil: 0729 290 969
Tel: 0241 616 747
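The set-match semantics discussed in the thread, as an added example that is not part of the original exchange: a small Python model (not kernel or iptables code) of how each flag after `--match-set NAME` supplies one dimension of the lookup key, why a single `src,dst` match on a one-dimensional hash:ip set only ever checks the source address, and why two separate `-m set` matches are needed to require both ends of the connection to be members. The `IPSet`, `Packet`, `set_match` and `forward_rule_matches` names, the sample addresses, and the rule that extra flags are ignored are assumptions of this model.

```python
# Added example (not from the mailing-list thread): a small model of how the
# flags after `--match-set NAME` choose packet fields, one per set dimension,
# and why two separate `-m set` matches are needed to require BOTH the source
# and the destination address to be members of a one-dimensional hash:ip set.
from dataclasses import dataclass, field


@dataclass
class IPSet:
    name: str
    settype: str                                # "hash:ip" (1 dimension) or "hash:ip,port" (2 dimensions)
    members: set = field(default_factory=set)   # members stored as tuples, one entry per dimension

    @property
    def components(self):
        # "hash:ip,port" -> ["ip", "port"]
        return self.settype.split(":", 1)[1].split(",")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def packet_field(packet, component, direction):
    """Pick the packet field that a set component of this type takes from the
    given direction ("src" or "dst")."""
    if component == "ip":
        return packet.src if direction == "src" else packet.dst
    if component == "port":
        return packet.sport if direction == "src" else packet.dport
    raise ValueError(f"unsupported set component {component!r}")


def set_match(ipset, flags, packet):
    """Model of one `-m set --match-set ipset.name flags` match.

    Simplification (assumption of this model, not kernel code): the n-th flag
    supplies the n-th dimension of the lookup key; flags beyond the set's
    dimension are ignored, and fewer flags than dimensions never match.
    """
    directions = flags.split(",")
    components = ipset.components
    if len(directions) < len(components):
        return False
    key = tuple(packet_field(packet, c, d) for c, d in zip(components, directions))
    return key in ipset.members


def forward_rule_matches(set_matches, packet, proto="tcp", dport_range=(9000, 9020)):
    """Model of the FORWARD rule from the thread: every `-m set` match must
    succeed (matches within one rule are ANDed), plus `-p tcp --dport 9000:9020`."""
    if packet.proto != proto:
        return False
    if not dport_range[0] <= packet.dport <= dport_range[1]:
        return False
    return all(set_match(s, flags, packet) for s, flags in set_matches)


# Constructed sample data: a hash:ip set with two members (hypothetical addresses).
TESTSET = IPSet("testset", "hash:ip", {("10.0.0.1",), ("10.0.0.2",)})

# The original rule: one match with "src,dst" on a one-dimensional set.
ORIGINAL_RULE = [(TESTSET, "src,dst")]
# The corrected rule: two matches, one per direction.
CORRECTED_RULE = [(TESTSET, "src"), (TESTSET, "dst")]

INSIDE = Packet("10.0.0.1", "10.0.0.2", "tcp", 40000, 9010)    # both ends in the set
OUTWARD = Packet("10.0.0.1", "192.0.2.9", "tcp", 40000, 9010)  # destination not in the set


def compare_rules(packet):
    """Return (original_matches, corrected_matches) for one packet."""
    return (forward_rule_matches(ORIGINAL_RULE, packet),
            forward_rule_matches(CORRECTED_RULE, packet))


def two_dimensional_demo():
    """Multidimensional set: with hash:ip,port the flags "src,dst" mean
    source IP plus destination port, so a single match can use both."""
    svc = IPSet("svc", "hash:ip,port", {("10.0.0.1", 9010)})
    return set_match(svc, "src,dst", INSIDE), set_match(svc, "dst,dst", INSIDE)


if __name__ == "__main__":
    print("inside :", compare_rules(INSIDE))    # (True, True)
    print("outward:", compare_rules(OUTWARD))   # (True, False)
    print("ip,port:", two_dimensional_demo())   # (True, False)
```

The outward packet is the case that surprised the original poster: the single `src,dst` match accepts it because only the source address is consulted, whereas the two-match form rejects it because the destination is not a member. The `hash:ip,port` demo shows the multidimensional case from the reply, where one match legitimately consumes two flags.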
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html