Benjamin Smith wrote:
> Ok,
>
> I have a challenge - get two services working over a single port. (!)
> Sometimes it's a web service, sometimes it's a VNC service. Here's what
> I had in mind:
>
> 1) Server is normally a webserver listening on port 80, and normally has
> the following rules active:
>
> # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> # iptables -t nat -A POSTROUTING -j MASQUERADE
>
> 2) Server hosts a special PHP script, that when called correctly, sets
> rules like
>
> # iptables -t nat -I PREROUTING -p tcp -s $REMOTE --dport 80 -j DNAT --to-destination $FWIP:$FWPORT
> # iptables -I FORWARD -p tcp -s $REMOTE --dport 80 -j ACCEPT
>
> The *next* TCP connection from their computer to the webserver will get
> NAT'd to service $FWIP:$FWPORT.
>
> But I want this rule cleared out as soon as the connection is made with
> the latter altered rules. Is there a way to write a rule or set of rules
> that, when activated, then delete themselves? The "ESTABLISHED,RELATED"
> rule should keep the connection alive even after the latter rules are
> killed, right?
>
> Is this possible? Am I just out in left field?

Without knowing your reasons for doing this, I would stick my neck out and say ...

Have a look at port knocking - it looks like you are trying to either decrease your visibility, or mitigate a situation where you have no control over an intermediate firewall that only passes port 80.

Regards,
MrKiwi
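As an added illustration that is not part of the thread, the "rule that deletes itself" the poster asks for can be expressed with the iptables `recent` and `conntrack` match modules instead of inserting and removing a per-client DNAT rule: the PHP script only adds the client's address to a `recent` list, the first new port-80 connection from that address is marked, DNATed and at the same time removes its own entry from the list, and conntrack carries the mapping for the rest of the connection. The list name `onetime`, the packet mark `0x51`, the 60 second arming window and the `/proc/net/xt_recent` interface are assumptions of this example; the script prints the commands by default (`DRY_RUN=1`) so it can be read without root.

```shell
#!/bin/sh
# Added example, not the poster's code: a fire-once DNAT built from the
# iptables "recent" and "conntrack" match modules. Assumed values: list
# name "onetime", packet mark 0x51, a 60 second arming window, and the
# /proc/net/xt_recent interface for adding addresses to the list.
# DRY_RUN=1 (default) prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
LIST=onetime
MARK=0x51
WINDOW=60

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Persistent rule set, loaded once. $1/$2 are the internal VNC host and
# port (the poster's $FWIP:$FWPORT). Nothing is redirected until a client
# is armed with arm_client.
install_rules() {
    fwip=$1; fwport=$2
    # 1. mangle/PREROUTING runs before nat: mark the first packet of a NEW
    #    port-80 connection whose source is on the list and was added less
    #    than WINDOW seconds ago.
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
        -m conntrack --ctstate NEW \
        -m recent --name "$LIST" --rcheck --seconds "$WINDOW" \
        -j MARK --set-mark "$MARK"
    # 2. Consume the entry at once: the same packet removes its own source
    #    address from the list, so the *next* connection is not marked.
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
        -m mark --mark "$MARK" -m recent --name "$LIST" --remove
    # 3. Only marked connections are DNATed; conntrack then stores the
    #    mapping, so no per-client rule has to remain in the table.
    run iptables -t nat -A PREROUTING -p tcp --dport 80 \
        -m mark --mark "$MARK" -j DNAT --to-destination "$fwip:$fwport"
    # 4. Let the redirected connection through FORWARD. The DNAT ctstate is
    #    a property of the conntrack entry, so retransmitted SYNs (which no
    #    longer carry the mark) are covered as well.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -p tcp -d "$fwip" --dport "$fwport" \
        -m conntrack --ctstate DNAT -j ACCEPT
}

# What the PHP script does after it has authenticated the caller: add the
# client address ($1) to the list. Rule 1 ignores the entry once it is
# older than WINDOW seconds, and rule 2 removes it on first use.
arm_client() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo +$1 > /proc/net/xt_recent/$LIST"
    else
        echo "+$1" > "/proc/net/xt_recent/$LIST"
    fi
}

# Usage: DRY_RUN=0 sh one_shot_dnat.sh install 192.168.1.10 5900
#        DRY_RUN=0 sh one_shot_dnat.sh arm 203.0.113.9
case "${1:-}" in
    install) install_rules "$2" "$3" ;;
    arm)     arm_client "$2" ;;
esac
```

The rules are appended with `-A`; on a host whose FORWARD policy is DROP the two FORWARD rules must precede any catch-all reject. Because the `recent` entry is keyed on the source address, the redirect is tied to the client that called the script, which is what the poster's `-s $REMOTE` match was for.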