LinuxQuestions.org


jeff_k 02-28-2009 12:46 AM

iptables - allow pings to forwarded group
 
I use a linux box as my NAT router for my LAN. I am setting up port forwarding on port 6111 to internal LAN client 192.168.0.105 for an online game. This is triggered with a set of conditions (not the subject of this post). I want to only allow pings from the outside of my network to those that are participating in the game. For the duration of the game, I plan on adding the following iptables rules. Will this work?

$IPT -A PREROUTING -i eth1 -p tcp -m tcp --dport 6111 -j DNAT --to-destination 192.168.0.105:6111
$IPT -A FORWARD -d 192.168.0.105 -i eth1 -p tcp -m tcp --dport 6111 -m recent --set --rsource --name gamepool -j ACCEPT

$IPT -I INPUT -i eth1 -p icmp -m recent --rcheck --name gamepool -j ACCEPT

(assuming $IPT is /sbin/iptables and my external interface is eth1).

Thanks

jeff_k 03-01-2009 11:49 PM

Well, nobody gave me the lazy way out...

Those rules worked OK with one correction: I had to specify the table for the PREROUTING rule.

$IPT -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 6111 -j DNAT --to-destination 192.168.0.105:6111
$IPT -A FORWARD -d 192.168.0.105 -i eth1 -p tcp -m tcp --dport 6111 -m recent --set --rsource --name gamepool -j ACCEPT

$IPT -I INPUT -i eth1 -p icmp -m recent --rcheck --name gamepool -j ACCEPT

The above rules look for those outsiders that connect via port 6111, and put their IP addresses into the pool gamepool. Then they can ping the machine 192.168.0.105. Of course, I set this up so that there is only a limited amount of time that these rules are in force.

In case anyone else ever cares.
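An added example (not the poster's script) that packages the three rules from the second post into a function so the exact commands can be reviewed as a dry run before they touch the firewall, and removed cleanly once the game is over. It assumes the values from the thread (external interface eth1, game host 192.168.0.105, TCP port 6111, recent-list name gamepool) and adds two things the post only describes in prose: `--seconds` on the `--rcheck` match so an address drops out of the pool after a window (3600 seconds here is a constructed value), and `--icmp-type echo-request` so only pings, not all ICMP, are accepted. As in the original, the INPUT rule covers echo requests addressed to the router itself.

```sh
#!/bin/sh
# Added example, not from the thread. Builds the gamepool rule set as text so it
# can be inspected, applied, or torn down. IPT defaults to the path the poster used.
IPT="${IPT:-/sbin/iptables}"

# gamepool_rules EXT_IF PORT INTERNAL_HOST LIST_NAME SECONDS
# Prints one iptables command per line (nothing is executed here).
gamepool_rules() {
    ext_if=$1; port=$2; host=$3; name=$4; secs=$5
    # nat table: the correction from the second post, DNAT the game port to the LAN host
    printf '%s -t nat -A PREROUTING -i %s -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$IPT" "$ext_if" "$port" "$host" "$port"
    # filter table: accept the forwarded connection and record its source address in the list
    printf '%s -A FORWARD -d %s -i %s -p tcp -m tcp --dport %s -m recent --set --rsource --name %s -j ACCEPT\n' \
        "$IPT" "$host" "$ext_if" "$port" "$name"
    # accept echo requests only from addresses recorded within the last SECONDS seconds
    printf '%s -I INPUT -i %s -p icmp --icmp-type echo-request -m recent --rcheck --seconds %s --name %s -j ACCEPT\n' \
        "$IPT" "$ext_if" "$secs" "$name"
}

# gamepool_teardown EXT_IF PORT INTERNAL_HOST LIST_NAME SECONDS
# Prints the matching delete (-D) commands plus a clear of the kernel's recent list
# (/proc/net/xt_recent is the interface of the current recent module; assumption).
gamepool_teardown() {
    gamepool_rules "$@" | sed -e 's/ -A / -D /' -e 's/ -I / -D /'
    printf 'echo clear > /proc/net/xt_recent/%s\n' "$4"
}

# Usage: ./gamepool.sh dry-run | apply | teardown
case "${1:-}" in
    dry-run)  gamepool_rules    eth1 6111 192.168.0.105 gamepool 3600 ;;
    apply)    gamepool_rules    eth1 6111 192.168.0.105 gamepool 3600 | sh ;;
    teardown) gamepool_teardown eth1 6111 192.168.0.105 gamepool 3600 | sh ;;
esac
```

Run it with `dry-run` first and diff the printed commands against what you expect; `apply` pipes the same text to a shell, and `teardown` deletes the rules and empties the recent list, so nothing lingers after the game window the poster mentions.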
