Hi, Angus and Andreas.
Ok. After discussion I must agree with you that forcing the HTTP request to go
from a specific interface is a good way to solve my problem.

So on to the solution:
http.c function get_connection has hardcoded our_host = NULL, so binding
is not forced now. I propose adding a configuration variable (http-interface-name?)
and using it as the value for our_host.
Do you agree with it? I can write a patch for this.

Angus M Wood wrote:
On Fri, 06 Jun 2003 08:24:37 +0300, Vjacheslav Chekushin <[EMAIL PROTECTED]> wrote:

Hi, Angus.
Yes, it is a simple solution, if I have one WAP gateway on a host.
But once more: I am talking about MANY gateways bound to different external
interfaces on ONE host. For routing to the private network I use only one interface,
so all connections to the private network from ALL WAP gateways go through this
interface. And how do you plan to allow connections from some WAP gateways
while denying them from others with iptables?


Well, assuming that the packets are emitted with the source IP set to that of the address the WAP gateway is bound to (rather than an INADDR_ANY bind()), then it's an

iptables -A OUTPUT -t filter -s <ip of interface its bound to> -o <interface name of private lan> -j DROP

and then to let one through, you can just

iptables -I OUTPUT -t filter -s <good ip> -o <priv interface> -j ACCEPT


However, if they're not emitted with that IP, then I'd look at the "owner match" stuff, and run the special WAP gateway under a different UID from the others. Remember that pretty much anything is possible with IPtables.



See http://iptables-tutorial.frozentux.net/iptables-tutorial.html for more information.


Regards,
    _Gus
--
Vjacheslav Chekushin                                mailto:[EMAIL PROTECTED]
Latvian Mobile Phone Company                        http://www.lmt.lv
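The our_host binding proposed above, as an added example in C that is not Kannel's http.c code: connect_from() binds the outgoing socket to a configured local address before connect(), and check_bound_source() verifies on loopback that the kernel really used that address as the source. The function names are assumptions made for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Example, not Kannel's http.c: connect to host:port; when our_host is
 * non-NULL, bind the local end to it first so packets leave with that
 * source IP (which is what an iptables -s match relies on). */
int connect_from(const char *our_host, const char *host, int port)
{
    struct sockaddr_in a;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&a, 0, sizeof(a));
    a.sin_family = AF_INET;
    /* bind() fails (EADDRNOTAVAIL) if our_host is not an address of this host. */
    if (our_host != NULL && (inet_pton(AF_INET, our_host, &a.sin_addr) != 1 ||
                             bind(fd, (struct sockaddr *)&a, sizeof(a)) < 0)) {
        close(fd);
        return -1;
    }
    a.sin_port = htons(port);
    if (inet_pton(AF_INET, host, &a.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&a, sizeof(a)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check: listen on 127.0.0.1 (port 0, kernel-chosen), connect through
 * connect_from() and return 1 if the connection's source is 127.0.0.1. */
int check_bound_source(const char *our_host)
{
    struct sockaddr_in s; socklen_t len = sizeof(s);
    int lfd = socket(AF_INET, SOCK_STREAM, 0), cfd, ok = 0;
    if (lfd < 0) return 0;
    memset(&s, 0, sizeof(s));
    s.sin_family = AF_INET;
    s.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(lfd, (struct sockaddr *)&s, len) == 0 && listen(lfd, 1) == 0 &&
        getsockname(lfd, (struct sockaddr *)&s, &len) == 0 &&
        (cfd = connect_from(our_host, "127.0.0.1", ntohs(s.sin_port))) >= 0) {
        ok = getsockname(cfd, (struct sockaddr *)&s, &len) == 0 && /* len still sizeof(s) */
             s.sin_addr.s_addr == htonl(INADDR_LOOPBACK);
        close(cfd);
    }
    close(lfd);
    return ok;
}
```

A configured address the host does not own makes bind() fail, so a wrong interface value is reported at connect time instead of silently falling back to an INADDR_ANY source.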