Yes good point about privacy, Based on your answer should the rule work if I moved it to the end after the other NAT rules? Is this the correct way to do it? -----Original Message----- From: Jan Engelhardt [mailto:jengelh@xxxxxxxxxx] Sent: Friday, June 24, 2011 2:39 PM To: Mark Mitchell Cc: netfilter@xxxxxxxxxxxxxxx Subject: Re: Help on how to limit a NAT port forward to just a range of IP addresses On Friday 2011-06-24 19:45, Mark Mitchell wrote: >Outside IP : 173.49.xx.xxx (xx for privacy reasons) Privacy, what privacy? Your network addresses are contained in both your mail headers and the WHOIS db. (173.49.38.128-143) >Internal IP : 192.168.1.22 > >iptables -I FORWARD 10 -i eth1 -d 192.168.1.22 -p tcp --dport 11211 -j ACCEPT >iptables -A PREROUTING -t nat -p tcp --dport 11211 -d 173.49.xx.xxx -j >DNAT --to 192.168.1.22:11211 >iptables -A POSTROUTING -t nat -p tcp -s 192.168.1.22 --dport 11211 -j >SNAT --to 173.49.xx.xxx >iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.22 --dport 11211 -s >192.168.1.0/24 -j SNAT --to 192.168.1.1 > >What I am trying to figure out is how to limit this port forward to >just a couple ranges of IP addresses. > >I tried adding the rule after the FORWARD command but it did not change >anything. I could still hit the port from any IP address. Because you still have the other three nat rules. >iptables -A INPUT -p tcp --dport 11211 -d 173.49.xx.xxx -m iprange >--src-range 74.205.xx.x-74.205.xx.x -j ACCEPT -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
