Re: Iptables and ip aliasing?

---

• From: James Gray <james.gray@xxxxxxxxxx>
• Date: Thu, 01 Mar 2007 04:26:38 +1100

---

Andreas wrote:

Hi,
I've got a firewall with 3 interfaces on, one internal nic, one external and one for the dmz.

Today we only have one ip address, which is a fully routable address on the external nic. But we're expanding and getting a whole c-class net. I know that I can use ip aliases to replicate the external nic with more addresses, like this:
eth0:1
eth0:2
etc

But I've read somewhere that Iptables does not work with ip aliases. How do I make my firewall have say 5 ip addresses on the external nic, with iptables working? Is it possible?

It's possible and it works, but there is one notable limitation; the "virtual" interfaces have the same MAC address as the "real" interface. So if you plan on doing granular layer-2 (MAC address) filtering, you may have problems.

Other than that, there's nothing particularly difficult about your plans;
1. get class-C network
2. Add virtual interfaces to ethX:Y
3. Create iptables rules for different IP's as you would normally

FWIW, I've never tried doing "interface" rules using virtual interfaces, ie,

iptables -A INPUT -i ethX:Y ....

So I have no idea if that would work, but considering the MAC limitation, and the fact the virtual interface only has a single IP, I really can't see much point in the idea ;).

The other thing I haven't tried is creating a rule to match all traffic on the real interface AND all the virtual interfaces in one rule (ie, ethX and all ethX:Y). I guess, you could simply match on MAC address in the destination of the INPUT/OUTPUT/FORWARD chain, but once again, I think there are better ways to achieve this.

Cheers,

James

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

---

• Follow-Ups:
  • Re: Iptables and ip aliasing?
    • From: Andreas

• References:
  • Iptables and ip aliasing?
    • From: Andreas

• Prev by Date: Re: How do I submit a Device report to the database
• Next by Date: sound lost completely - again
• Previous by thread: Iptables and ip aliasing?
• Next by thread: Re: Iptables and ip aliasing?
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: Multiple IPs on single interface ... virtual interfaces, to simply alias the IPs using the "ip addr add" ... >> addresses using the following commands, ... (RedHat) Re: Help ... To assign multiple IPs to one interface you can use virtual interfaces. ... assign a IP to a virtual interface is the same as to a normal interface ... (comp.os.linux.networking) Re: Exim default interface ... |>I have a server with a single interface, and 3 virtual interfaces ... |>IP address of the primary interface (eth0). ... |>going out on one of the virtual interfaces. ... (Debian-User) Re: Problems with urlconnection ... Testbm wrote: ... > i have a host with 2 virtual interfaces. ... turn off one of the interfaces. ... (comp.lang.java.programmer) Re: keyboard workstation vs. controller + PC for the hobbyist composer ... Apple Logic Studio seems quite ... When it comes to interfaces, you have three different ways to go -- USB, ... This is because with the Mac at under ten percent of the market and Apple ... (rec.music.makers.synth)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• Mailing-Lists
• Newsgroups
• About
• Privacy
• Search
• Imprint

linux.derkeiler.com  > Mailing-Lists  > Ubuntu  > 2007-02