Quote:
Since IPTables is always used to, e.g., block stuff TO the machine it's being run on
Not so. iptables is used to manipulate/filter packets passing through the kernel TCP/IP stack. These packets can travel in any direction:
Packets destined FOR the iptables host (INPUT),
packets generated BY the iptables host (OUTPUT), and
packets passing THROUGH the iptables host as they are being routed (FORWARD).
The --destination (-d) option allows you to match packets by the address they are destined for, rather than the address they are coming from. Rules using -d would appear more often in FORWARD rules (routed traffic) than they would in INPUT/OUTPUT rules.
Say you have iptables running on a router in a school: on one subnet you have a LAN with student, teacher, and admin machines; on another subnet you have a DMZ with some servers; and then you have a WAN connection to the internet:
Code:
iptables -A FORWARD -i $lan_if -o $dmz_if -s $admin_ip -d $server_subnet -p tcp --dport 22 -j ACCEPT
Assuming a default policy that drops unmatched packets, this rule will allow packets from the administrator IP address in $admin_ip destined for the DMZ subnet on SSH port 22.
iptables is designed to be able to match packets by pretty much any conceivable pattern, so it is completely valid to include -d options in any appropriate rule, whether it's necessary or not. In my example above, the -i and -o options could be omitted. Or alternatively, the -d and -i could be omitted (of course that's unverified since this is a hypothetical example).
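The school-router scenario above, worked out as a complete rule set. This is an added example and not part of the original post; the interface names, subnets and the admin address are assumptions, as is the use of the conntrack match for return traffic. It puts the post's FORWARD rule next to the INPUT rule for managing the router itself, which needs no -d because INPUT already means "destined for this host", and next to the other routed-traffic rules where -d is what decides which side of the router a packet may reach.

```shell
#!/bin/sh
# Hypothetical school-router rule set (added example, not from the post).
# Interface names, subnets and the admin address below are assumptions.
lan_if=${lan_if:-eth1}
dmz_if=${dmz_if:-eth2}
wan_if=${wan_if:-eth0}
lan_subnet=${lan_subnet:-10.10.0.0/16}
server_subnet=${server_subnet:-192.0.2.0/24}
admin_ip=${admin_ip:-10.10.1.10}

# apply_rules CMD: run every rule through CMD (default: iptables).
# Pass "echo" to print the rule set instead of loading it.
apply_rules() {
    ipt=${1:-iptables}

    # Flush, then set default policies: nothing passes unless a rule accepts it.
    "$ipt" -F
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT

    # INPUT: traffic addressed to the router itself.
    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Manage the router over SSH from the admin host only. No -d here:
    # INPUT already implies "destined for this host".
    "$ipt" -A INPUT -i "$lan_if" -s "$admin_ip" -p tcp --dport 22 -j ACCEPT

    # FORWARD: traffic routed between LAN, DMZ and WAN. Here -d does real
    # work: it says which side of the router a packet is heading for.
    "$ipt" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only the admin host may open SSH to the DMZ servers (the post's rule).
    "$ipt" -A FORWARD -i "$lan_if" -o "$dmz_if" -s "$admin_ip" -d "$server_subnet" \
        -p tcp --dport 22 -j ACCEPT
    # Any LAN host may reach the DMZ web servers.
    "$ipt" -A FORWARD -i "$lan_if" -o "$dmz_if" -s "$lan_subnet" -d "$server_subnet" \
        -p tcp -m multiport --dports 80,443 -j ACCEPT
    # LAN hosts may reach the internet; -o keeps this from matching DMZ-bound traffic.
    "$ipt" -A FORWARD -i "$lan_if" -o "$wan_if" -s "$lan_subnet" -j ACCEPT
    # The internet may reach the DMZ web servers and nothing else inside.
    "$ipt" -A FORWARD -i "$wan_if" -o "$dmz_if" -d "$server_subnet" \
        -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Log (rate limited) what the default DROP is about to discard.
    "$ipt" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Review helper: how many routed-traffic rules carry a -d match.
count_forward_dest_rules() {
    apply_rules echo | grep -c -- '-A FORWARD .* -d '
}

# Review helper: the default policy the rendered set gives a chain.
chain_policy() {
    apply_rules echo | sed -n "s/^-P $1 //p"
}

# Print the rules with --dry-run; load them with --apply (needs root).
case "${1:-}" in
    --dry-run) apply_rules echo ;;
    --apply)   apply_rules iptables ;;
esac
```

`sh router.sh --dry-run` prints the rule set so it can be reviewed before `--apply` loads it. Counting the FORWARD rules that carry -d (three of them) against the single INPUT rule that needs none is the point of the post in miniature: destination matching earns its keep on routed traffic, not on traffic to the host itself.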