Iptables and ip aliasing?
James Gray
james.gray at dot.com.au
Wed Feb 28 17:26:38 UTC 2007
Andreas wrote:
> Hi,
> I've got a firewall with 3 interfaces on, one internal nic, one external
> and one for the dmz.
>
> Today we only have one ip address, which is a fully routable address on
> the external nic. But we're expanding and getting a whole c-class net. I
> know that I can use ip aliases to replicate the external nic with more
> addresses, like this:
> eth0:1
> eth0:2
> etc
>
> But I've read somewhere that Iptables does not work with ip aliases. How
> do I make my firewall have say 5 ip addresses on the external nic, with
> iptables working? Is it possible?
It's possible and it works, but there is one notable limitation: the
"virtual" interfaces have the same MAC address as the "real" interface.
So if you plan on doing granular layer-2 (MAC address) filtering, you
may have problems.
Other than that, there's nothing particularly difficult about your plans:
1. get class-C network
2. Add virtual interfaces to ethX:Y
3. Create iptables rules for different IPs as you would normally
FWIW, I've never tried doing "interface" rules using virtual interfaces, i.e.,
iptables -A INPUT -i ethX:Y ....
So I have no idea if that would work, but considering the MAC
limitation, and the fact the virtual interface only has a single IP, I
really can't see much point in the idea ;).
The other thing I haven't tried is creating a rule to match all traffic
on the real interface AND all the virtual interfaces in one rule (i.e.,
ethX and all ethX:Y). I guess you could simply match on MAC address in
the destination of the INPUT/OUTPUT/FORWARD chain, but once again, I
think there are better ways to achieve this.
Cheers,
James
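The three steps James lists, written out as an added shell example that is not part of either mail. It brings up several addresses on one external NIC and then writes per-address INPUT rules. The interface name eth0, the five 203.0.113.x addresses (documentation range), the /24 prefix and the "one management address, the rest serve HTTP/HTTPS" split are all constructed assumptions. The example defaults to DRY_RUN=1, which prints the commands instead of running them, so it can be inspected before being applied as root.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed values: interface
# eth0, addresses from 203.0.113.0/24, SSH on the first address and web
# ports on the rest. DRY_RUN=1 (the default) only prints the commands.

EXT_IF="${EXT_IF:-eth0}"
# constructed sample allocation: five addresses from the new block
EXT_ADDRS="203.0.113.10 203.0.113.11 203.0.113.12 203.0.113.13 203.0.113.14"
PREFIX=24
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# alias_cmds: one secondary address per alias, labelled ethX:1, ethX:2, ...
# The label is cosmetic; the kernel (and therefore iptables) still sees a
# single interface ethX with several addresses.
alias_cmds() {
  n=1
  for a in $EXT_ADDRS; do
    run ip addr add "$a/$PREFIX" dev "$EXT_IF" label "$EXT_IF:$n"
    n=$((n + 1))
  done
}

# rule_cmds: per-address rules keyed on the destination address (-d).
# No rule uses "-i ethX:N"; the alias label is not something the packet
# path can match, so the real interface plus -d does the job.
rule_cmds() {
  run iptables -P INPUT DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  set -- $EXT_ADDRS
  mgmt="$1"
  shift
  # first address: administrative SSH only
  run iptables -A INPUT -i "$EXT_IF" -d "$mgmt" -p tcp --dport 22 -m state --state NEW -j ACCEPT
  # remaining addresses: public web service only
  for a in "$@"; do
    run iptables -A INPUT -i "$EXT_IF" -d "$a" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
  done
  # everything else on the external interface is rate-limited logged, then
  # dropped by the chain policy
  run iptables -A INPUT -i "$EXT_IF" -m limit --limit 5/min -j LOG --log-prefix "ext-drop: "
}

# Stand-alone use: print (or, with DRY_RUN=0 as root, apply) both steps.
alias_cmds
rule_cmds
```

Because the aliases share one MAC, the rules above never try to tell them apart at layer 2; the destination address is the only thing that distinguishes traffic to eth0:1 from traffic to eth0:2, which is why each service rule carries an explicit -d.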