Well, you can't, to the best of my knowledge. And I cannot see the reason for wanting it. The idea of using -i and -o in the FORWARD chain is to specify the direction traffic is allowed to go. It could be that the firewall is blocking all outgoing traffic. Omitting -i and -o would allow the internal server to initiate traffic to port 23 anywhere on the internet.

A virtual interface is for assigning additional IPs to the same interface, so any rules regarding the interface still apply to the whole physical network card.

-vahur

James Pifer wrote:
> On Thu, 2008-04-24 at 17:27 +0300, Vahur Jõesalu wrote:
>> hmm, if I understood you correctly, then this should work just fine (on
>> linux firewall):
>>
>> /sbin/iptables -t nat -I PREROUTING -p tcp --dport 23 -j DNAT \
>> --to telnetserverip:port-number
>> /sbin/iptables -I FORWARD -i external_interface -o internal_interface \
>> -p tcp -d telnetserverip --dport portnumberontelnetserver -j ACCEPT
>>
>> after a reboot or firewall service restart it's gone again.
>>
>> -vahur
>
> Sorry to jump in on someone else's thread, but... How do you do this if
> the interface you want to use is a virtual? Meaning it's eth0:1 for
> example? The -i parameter will not let you use that.
>
> Thanks,
> James
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
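An added example (not from either poster) showing the DNAT + directional FORWARD pair from the thread, with the eth0:1 case handled by matching the alias's IP with -d on the physical interface name instead of -i eth0:1. Interface names, the alias IP, the telnet server address and the ESTABLISHED return rule are assumptions for illustration; it prints the rules by default and only applies them with DRY_RUN=0.

```shell
#!/bin/sh
# Assumed placeholder values (override via environment):
EXT_IF=${EXT_IF:-eth0}                      # physical external interface
INT_IF=${INT_IF:-eth1}                      # physical internal interface
EXT_ALIAS_IP=${EXT_ALIAS_IP:-203.0.113.10}  # the IP carried by eth0:1
TELNET_IP=${TELNET_IP:-192.168.1.20}        # internal telnet server
TELNET_PORT=${TELNET_PORT:-23}
DRY_RUN=${DRY_RUN:-1}

# run: print the rule; apply it only when DRY_RUN=0 (needs root and iptables).
run() {
    echo "iptables $*"
    [ "$DRY_RUN" = "0" ] && /sbin/iptables "$@"
    return 0
}

# forward_rules: DNAT only packets arriving on EXT_IF for the alias address,
# then accept exactly that flow ext->int plus its replies int->ext.
# Keeping -i/-o on the FORWARD rules means the internal host is NOT allowed
# to initiate telnet to arbitrary internet hosts, which a bare
# "-p tcp --dport 23 -j ACCEPT" without -i/-o would permit.
forward_rules() {
    run -t nat -I PREROUTING -i "$EXT_IF" -d "$EXT_ALIAS_IP" -p tcp --dport 23 \
        -j DNAT --to-destination "$TELNET_IP:$TELNET_PORT"
    run -I FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$TELNET_IP" \
        --dport "$TELNET_PORT" -m state --state NEW,ESTABLISHED -j ACCEPT
    # Return traffic for a default-DROP FORWARD chain (assumed policy).
    run -I FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp -s "$TELNET_IP" \
        --sport "$TELNET_PORT" -m state --state ESTABLISHED -j ACCEPT
}

# count_rules: number of iptables invocations the rule set produces.
count_rules() {
    forward_rules | grep -c '^iptables '
}
```

On CentOS, rules added this way are lost on a restart of the iptables service unless saved with `service iptables save`.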