[lug] fc and iptables

Ken MacFerrin lists at macferrin.com
Tue Sep 19 12:58:50 MDT 2006


Zan Lynx wrote:
> On Tue, 2006-09-19 at 11:11 -0600, Ken MacFerrin wrote:
> [snip]
>> I'm not sure how you created your virtual interfaces but it's probably
>> worth noting that iptables does not support virtual interfaces created
>> using ifconfig for many operations.  The preferred method is to create
>> the interfaces using the "ip" tool from iproute and then provide
>> "labels" such as "eth0:0".  The Shorewall folks have some good info here:
>> http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html
> 
> I don't believe you can support virtual interfaces of any sort, ifconfig
> or "ip", in iptables.  iptables has its own ways of doing the same
> thing.
> 
> IP aliases are just IPs.  So just use the regular interface name with a
> different IP limit.
> 

Good point, Zan. Even using the iproute method I described, the eth0:0
would still just be a label for the second IP address assigned to eth0.

As to the original post: any rule that directly refers to the physical
interface "eth0" (i.e. using -i eth0) would also affect eth0:1, eth0:2,
etc., so you'll need to use source and destination IP address rules to
control the traffic to each virtual interface separately.  Another
iptables "gotcha" when using multiple IPs on the same NIC is that you
cannot provide any subnet security between them.  If you have a
192.168.0.x network on eth0 and a 10.x.x.x network on eth0:0, then a
client on your 192 network could just manually change their IP to
10.0.0.2 and access your 10.x network.
-Ken
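The per-address approach Ken describes, as an added example that is not part of the thread: a small POSIX shell helper that emits iptables rules matching on -d/-s rather than on an alias label. The interface name eth0, the addresses and the iptables binary name are assumed; it prints the commands instead of running them, and the comments carry the subnet caveat from the message above.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds per-address
# iptables rules for IPs aliased onto one NIC. "eth0:0" is only a label,
# so "-i eth0:0" is not usable, and "-i eth0" matches every alias on the
# card; match on the destination/source address instead.
# The interface, addresses and binary name below are assumed values.

IPT="${IPT:-iptables}"   # assumed name of the iptables binary

# alias_rules <address> <allowed-client-net>
# Emits two rules for <address>: accept traffic from <allowed-client-net>,
# drop everything else addressed to it, whatever alias label it carries.
alias_rules() {
    addr="$1"
    net="$2"
    printf '%s -A INPUT -i eth0 -d %s -s %s -j ACCEPT\n' "$IPT" "$addr" "$net"
    printf '%s -A INPUT -i eth0 -d %s -j DROP\n' "$IPT" "$addr"
}

# Caveat from the thread: a host on the 192.168.0.x segment that changes
# its own address to 10.0.0.2 passes the -s 10.0.0.0/8 match above, since
# both address ranges share the same physical segment. These rules separate
# services per address; they do not give subnet isolation between aliases.
alias_rules 192.168.0.1 192.168.0.0/24
alias_rules 10.0.0.1 10.0.0.0/8
```

Review the printed commands, then run them with the appropriate privileges if they match the intended policy.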