Iptables and ip aliasing?

James Gray james.gray at dot.com.au
Wed Feb 28 17:26:38 UTC 2007


Andreas wrote:
> Hi,
> I've got a firewall with 3 interfaces on, one internal nic, one external 
> and one for the dmz.
> 
> Today we only have one ip address, which is a fully routable address on 
> the external nic. But we're expanding and getting a whole c-class net. I 
> know that I can use ip aliases to replicate the external nic with more 
> addresses, like this:
> eth0:1
> eth0:2
> etc
> 
> But I've read somewhere that Iptables does not work with ip aliases. How 
> do I make my firewall have say 5 ip addresses on the external nic, with 
> iptables working? Is it possible?

It's possible and it works, but there is one notable limitation: the 
"virtual" interfaces have the same MAC address as the "real" interface. 
So if you plan on doing granular layer-2 (MAC address) filtering, you 
may have problems.

Other than that, there's nothing particularly difficult about your plans:
1. Get class-C network
2. Add virtual interfaces to ethX:Y
3. Create iptables rules for different IPs as you would normally

FWIW, I've never tried doing "interface" rules using virtual interfaces, ie,

iptables -A INPUT -i ethX:Y ....

So I have no idea if that would work, but considering the MAC 
limitation, and the fact the virtual interface only has a single IP, I 
really can't see much point in the idea ;).

The other thing I haven't tried is creating a rule to match all traffic 
on the real interface AND all the virtual interfaces in one rule (ie, 
ethX and all ethX:Y).  I guess, you could simply match on MAC address in 
the destination of the INPUT/OUTPUT/FORWARD chain, but once again, I 
think there are better ways to achieve this.

Cheers,

James
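The three steps above, worked through as an added example (this is not code from the thread or from either poster). It generates the alias assignments for the external NIC and an iptables-restore fragment with one allow rule per alias address. The interface name eth0, the 203.0.113.0/24 addresses and the address-to-port mapping are constructed placeholders; rules key on the physical interface (-i eth0) plus the destination address (-d), since the ethX:Y label is only a name attached to a secondary address, not a separate interface.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates (does not apply)
# the alias setup and per-address iptables rules for a firewall whose
# external NIC carries several public addresses.
set -eu

EXT_IF="eth0"   # assumed external interface name
# constructed sample: five addresses out of the (hypothetical) new /24
EXT_ADDRS="203.0.113.10 203.0.113.11 203.0.113.12 203.0.113.13 203.0.113.14"

# Step 2: emit the "ip addr add" commands that put the secondary addresses
# on the external NIC. The label makes ifconfig-style tools show them as
# eth0:1, eth0:2, ... but the kernel still sees a single interface.
gen_alias_cmds() {
    n=1
    for a in $EXT_ADDRS; do
        echo "ip addr add ${a}/24 dev ${EXT_IF} label ${EXT_IF}:${n}"
        n=$((n + 1))
    done
}

# Step 3: emit an iptables-restore fragment. Default-deny on INPUT and
# FORWARD, allow replies to our own connections, then one rule per alias
# address for the service that address is meant to expose. Anything else
# arriving on the external NIC is rate-limited logged and then dropped
# by the chain policy.
gen_filter_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # constructed mapping: alias address -> TCP port it serves
    for pair in 203.0.113.10:22 203.0.113.11:80 203.0.113.12:443; do
        addr=${pair%:*}
        port=${pair#*:}
        echo "-A INPUT -i ${EXT_IF} -d ${addr} -p tcp --dport ${port} -m state --state NEW -j ACCEPT"
    done
    echo "-A INPUT -i ${EXT_IF} -m limit --limit 5/min -j LOG --log-prefix \"ext-drop: \""
    echo "COMMIT"
}

# Print both so the output can be reviewed before it is applied.
gen_alias_cmds
gen_filter_rules
```

To apply on the firewall itself you would pipe `gen_alias_cmds` into `sh` as root and `gen_filter_rules` into `iptables-restore`; keeping generation separate from application lets the ruleset be diffed and reviewed first. Addresses with no rule (here .13 and .14) simply fall through to the DROP policy, which is the safe default for unused aliases.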