Hello, Mark Mitchell a écrit : > I have the following ruleson my firewall (Edgewater Networks Hardware) > that do a global port forward of port 11211 to an internal host. > What I am trying to figure out is how to limit this port forward to > just a couple ranges of IP addresses. > > Outside IP : 173.49.xx.xxx (xx for privacy reasons) > Internal IP : 192.168.1.22 > > iptables -I FORWARD 10 -i eth1 -d 192.168.1.22 -p tcp --dport 11211 -j ACCEPT > iptables -A PREROUTING -t nat -p tcp --dport 11211 -d 173.49.xx.xxx -j DNAT --to 192.168.1.22:11211 > iptables -A POSTROUTING -t nat -p tcp -s 192.168.1.22 --dport 11211 -j SNAT --to 173.49.xx.xxx > iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.22 --dport 11211 -s 192.168.1.0/24 -j SNAT --to 192.168.1.1 > > I tried adding the rule after the FORWARD command but it did not > change anything. I could still hit the port from any IP address. > > iptables -A INPUT -p tcp --dport 11211 -d 173.49.xx.xxx -m iprange --src-range 74.205.xx.x-74.205.xx.x -j ACCEPT Why in the INPUT chain ? Forwarded packets don't go through that chain. The source address restriction should be added to the first rule in the above ruleset : iptables -I FORWARD 10 -i eth1 -d 192.168.1.22 -p tcp --dport 11211 \ -m iprange --src-range 74.205.xx.x-74.205.xx.x -j ACCEPT -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
