[lug] fc and iptables

Ken MacFerrin lists at macferrin.com
Tue Sep 19 11:11:57 MDT 2006


D. Stimits wrote:
> This is an offshoot of trying to get DHCP to work on a backup
> machine...have not yet been able to try some of the other things,
> although I was able to install outside drivers to at least make the
> realtek ethernet show up.
> 
> I'm wondering about the notation in fedora/redhat style
> /etc/sysconfig/iptables file. There is an abbreviation by which it
> abstracts naming of inputs. For example:
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :LOOP-INPUT - [0:0]
> 
> I'm interested in the "[0:0]" notation. If I have more than 1 NIC, or
> aliases of a NIC, can I use this to differentiate between them? If so,
> would 0:0 stand for the main non-alias interface of the first NIC? Would
> 1:0 stand for the main non-aliased interface of the 2nd NIC? Or would
> 0:1 stand for the first aliased interface of the first NIC? I can see
> quite a potential for customizing based on this, if there is that much
> fine control over it. For the moment I'm just interested in making sure
> DHCP is allowed on one NIC but not another...or on one IP alias of a NIC
> and not the other aliased IP.
> 
> D. Stimits, stimits AT comcast DOT net

I'm not sure how you created your virtual interfaces, but it's probably
worth noting that iptables does not support virtual interfaces created
using ifconfig for many operations.  The preferred method is to create
the interfaces using the "ip" tool from iproute and then provide
"labels" such as "eth0:0".  The Shorewall folks have some good info here:
http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html

-Ken
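Added example, not part of the thread above and not Shorewall's or Fedora's code. The "[0:0]" in a chain line such as ":INPUT ACCEPT [0:0]" is the packet:byte counter pair that iptables-save writes and that iptables-restore only loads when given --counters; it says nothing about NICs or aliases, and the "-" in ":LOOP-INPUT - [0:0]" is the policy slot, which user-defined chains do not have. Per-NIC filtering is done with "-i eth1"; an alias label like "eth0:1" is attached to an address, not to a device the kernel's netfilter hooks can see, so a rule written with "-i eth0:1" never matches. The script below is a small parser for the /etc/sysconfig/iptables (iptables-save) format that reports the counters and policies and flags rules that name an alias label. The sample rules inside it are constructed for the example; the IP 192.0.2.11 is a documentation address, not anything from the original post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in iptables-save / /etc/sysconfig/iptables format.
# The second DHCP rule uses an ifconfig alias label, which netfilter cannot match.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOOP-INPUT - [0:0]
-A INPUT -i eth1 -p udp --dport 67 -j ACCEPT
-A INPUT -i eth0:1 -p udp --dport 67 -j ACCEPT
-A INPUT -d 192.0.2.11/32 -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# ":NAME POLICY [packets:bytes]"  -- POLICY is "-" for user-defined chains
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
# "-A CHAIN <match and target arguments>"
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")
# an -i/-o interface argument; a colon in the name marks an alias label (eth0:1)
IFACE_RE = re.compile(r"(?:^|\s)-([io])\s+(\S+)")


@dataclass
class Chain:
    name: str
    policy: Optional[str]        # None for user-defined chains (shown as "-")
    packets: int                 # the "[packets:bytes]" counters from the file
    bytes: int
    rules: List[str] = field(default_factory=list)


def parse_table(text: str) -> Dict[str, Chain]:
    """Parse one table of an iptables-save dump into chains with their rules."""
    chains: Dict[str, Chain] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "*", "COMMIT")):
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, policy, pkts, byts = m.groups()
            chains[name] = Chain(name, None if policy == "-" else policy,
                                 int(pkts), int(byts))
            continue
        m = RULE_RE.match(line)
        if m and m.group(1) in chains:
            chains[m.group(1)].rules.append(m.group(2))
        else:
            raise ValueError(f"unrecognised line: {line}")
    return chains


def alias_interface_rules(chains: Dict[str, Chain]) -> List[Tuple[str, str]]:
    """Return (chain, rule) pairs whose -i/-o names an alias label such as eth0:1.
    Packets arrive on the real device (eth0), so these rules never match."""
    bad = []
    for chain in chains.values():
        for rule in chain.rules:
            for _flag, iface in IFACE_RE.findall(rule):
                if ":" in iface:
                    bad.append((chain.name, rule))
    return bad


def dealias_interfaces(rule: str) -> str:
    """Rewrite -i/-o alias labels to the underlying device (eth0:1 -> eth0).
    The result is a per-NIC rule; picking out one alias address needs -s/-d."""
    return IFACE_RE.sub(lambda m: m.group(0).split(":")[0], rule)


if __name__ == "__main__":
    table = parse_table(SAMPLE)
    for c in table.values():
        print(f"{c.name}: policy={c.policy} packets={c.packets} bytes={c.bytes}")
    for chain, rule in alias_interface_rules(table):
        print(f"never matches in {chain}: {rule}")
        print(f"  per-NIC form:         {dealias_interfaces(rule)}")
```

Note the DHCP caveat when applying this: a client's DHCPDISCOVER is sent to 255.255.255.255:67, so the request carries no alias address to match with -d. Allowing or blocking DHCP per NIC with -i works; allowing it on one alias of a NIC and not another cannot be expressed in iptables at all, and has to be done in the DHCP daemon's own interface configuration.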
