Sheldon Hearn wrote:
The iptables-utils package is a fantastic piece of software. It allows me to manage remote firewalls with confidence.
Recently, I had to set up a firewall for an ADSL-connected site, where they use the MASQUERADE target. They also want a few ports forwarded to specific hosts on the internal network.
I want my ppp linkup script (/etc/ppp/ip-up in Gentoo Linux) to generate iptables.conf.var, adding a line like this:
#define MY_ADDR 196.31.31.10
Then I want iptables-gen to regenerate the ruleset, given rules like this in iptables.conf.in:
-A PREROUTING -p tcp \
    -d MY_ADDR --dport 2222 -j DNAT --to-destination 10.0.0.2:22
-A POSTROUTING -p tcp \
    -s 10.0.0.2 --sport 22 -j SNAT --to-source MY_ADDR:2222
However, the current implementation of iptables-gen (in iptables-utils-1.20) only substitutes defined variables that are immediately followed by whitespace or end of line. It doesn't substitute defined variables that are immediately followed by a colon (:).
Therefore, I propose the attached patch to iptables-gen.in, which includes the colon (:) as a legal delimiter for defined variables.
Ciao, Sheldon.
Hi Sheldon,

Thanks for the patch, applied. The next iptables-utils release will contain it.

Regards,
-- Sandor Geller wildy@balabit.hu
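A worked illustration of the substitution rule at issue, added here as an example and not iptables-gen's own code: it models the defined-name expansion in Python (the 1.20 behaviour modelled is the whitespace-or-end-of-line rule the thread describes, not anything read from the iptables-utils source), shows why `--to-source MY_ADDR:2222` survives unexpanded under that rule, and checks the generated ruleset for leftover names before it is loaded. The defines and rules are constructed samples.

```python
import re

# Constructed sample inputs in the shape the thread describes (not from iptables-utils).
DEFINES = """\
#define MY_ADDR 196.31.31.10
#define SSH_HOST 10.0.0.2
"""
RULES = """\
-A PREROUTING -p tcp -d MY_ADDR --dport 2222 -j DNAT --to-destination SSH_HOST:22
-A POSTROUTING -p tcp -s SSH_HOST --sport 22 -j SNAT --to-source MY_ADDR:2222
"""

# What may follow a variable name for it to be substituted. OLD_DELIMS models the
# whitespace-or-end-of-line rule the thread attributes to 1.20; NEW_DELIMS adds ':'.
OLD_DELIMS = r"[ \t]|$"
NEW_DELIMS = r"[ \t:]|$"


def parse_defines(text):
    """Return {NAME: VALUE} from '#define NAME VALUE' lines."""
    defs = {}
    for line in text.splitlines():
        m = re.match(r"#define\s+([A-Za-z_]\w*)\s+(\S+)\s*$", line)
        if m:
            defs[m.group(1)] = m.group(2)
    return defs


def substitute(defs, text, delims):
    """Replace each defined name wherever one of `delims` follows it."""
    for name, value in defs.items():
        # (?<!\w) stops MY_ADDR matching inside NOT_MY_ADDR; the lookahead
        # stops it matching the prefix of MY_ADDRESS.
        pattern = rf"(?<!\w){re.escape(name)}(?={delims})"
        text = re.sub(pattern, lambda _m, v=value: v, text, flags=re.MULTILINE)
    return text


def unexpanded(defs, text):
    """Defined names still present literally: a ruleset carrying one either
    fails to load or NATs to whatever the literal name happens to resolve to."""
    return sorted(n for n in defs if re.search(rf"(?<!\w){n}(?!\w)", text))


def generate(defines_text, rules_text, delims):
    """Expand rules_text using defines_text; return (ruleset, leftover names)."""
    defs = parse_defines(defines_text)
    out = substitute(defs, rules_text, delims)
    return out, unexpanded(defs, out)
```

Running generate() with OLD_DELIMS leaves both names behind in the NAT targets, which is the failure Sheldon hit; with NEW_DELIMS the leftover list is empty and the ruleset is safe to hand to iptables-restore.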