[CentOS] This firewall rule will self-destruct

John Summerfield debian at herakles.homelinux.org
Sun Mar 18 05:11:06 UTC 2007

Benjamin Smith wrote:
> Ok, 
> I have a challenge - get two services working over a single port. (!) Sometimes it's a web service, sometimes it's a VNC service. Here's what I had in mind: 

Let's step back; what problem are you trying to solve? It seems to me 
this odd requirement might not be the best solution.

> 1) Server is normally a webserver listening on port 80, and normally has the following rules active: 
> # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> # iptables -t nat -A POSTROUTING -j MASQUERADE 
> 2) Server hosts a special PHP script, that when called correctly, sets rules like 
> # iptables -I PREROUTING -p tcp -s $REMOTE --dport 80 -j DNAT --to-destination $FWIP:$FWPORT
> # iptables -I FORWARD -p tcp -s $REMOTE --dport 80 -j ACCEPT 
> The *next* tcp connection from their computer to the webserver will get NAT'd to service $FWIP:$FWPORT. 
> But I want this rule cleared out as soon as the connection is made with the latter altered rules. Is there a way to write a rule or set of rules that, when activated, then delete themselves? The "ESTABLISHED,RELATED" rule should keep the connection alive even after the latter rules are killed, right? 
> Is this possible? Am I just out in left field? 
> ------------------------------------------------------------------------
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos



-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu

Please do not reply off-list

More information about the CentOS mailing list