On Friday 03 January 2003 02:28 pm, Steve M Bibayoff wrote:
> Is it possible to use iptables with a device alias
> (ex.. eth0:1)? I tried to add a filter rule and got
> an error:
> % iptables -t filter -I INPUT -i eth0:1 -j ACCEPT
> Warning: wierd character in interface `eth0:1' (No
> aliases, :, ! or *).

Well, the warning says it pretty clearly, it seems. However, I have an idea on this. Actually three, presented in order from simplest to most complicated.

Solution #1:

Since this is the INPUT chain, then the local machine clearly is the destination (unless you are using the REDIRECT target in nat PREROUTING). I suggest you try something like:

    iptables -A INPUT -i eth0 -d a.b.c.d...
    iptables -A INPUT -i eth0 -d e.f.g.h...

This should catch the two aliased IPs independently.

Now if this were FORWARD chain traffic, this test wouldn't work, since the destination IP can in principle be anything at all, but by definition will NOT be an IP of the local box. Even if it originally WAS addressed to this box, to appear in FORWARD it would have to be DNATted, and would then have the new IP.

Solution #2:

If eth0 is local, then I presume you have two different subnets connected to it, and want it to respond to both. If this is the case, then you could test for which subnet the source IP is in rather than which destIP is used. Testing the source IP range would work in both INPUT and FORWARD chains, for traffic coming in on that interface (or its alias), while the same approach for destIP should work for FORWARD or OUTPUT traffic going back out that interface. (Note that -o eth0 would NOT be a valid test in FORWARD or OUTPUT, however, so you'd only be able to test destination IP.) Something like:

    iptables -A FORWARD -i eth0 -s 10.0.0.0/16...
    iptables -A FORWARD -i eth0 -s 10.1.0.0/16...

Solution #3:

If however eth0 is a connection to the internet with multiple IPs (or for some unfathomable reason you have two independent IPs on the same interface that are on the same subnet...), NEITHER of these approaches can work in the FORWARD chain, but there's still a possibility: catch them inbound in mangle PREROUTING and mark them based on destIP, which will still be the 'real' IPs prior to DNAT in nat PREROUTING (which is implicit in such packets being in the FORWARD chain), and then in FORWARD you can match marks and handle them separately based on that.

    iptables -t mangle -A PREROUTING -i eth0 -d a.b.c.d -j MARK --set-mark 2
    iptables -t mangle -A PREROUTING -i eth0 -d e.f.g.h -j MARK --set-mark 3
    iptables -A FORWARD -m mark --mark 2...
    iptables -A FORWARD -m mark --mark 3...

This presumes that you aren't using packet marking for anything else, like routing decisions or load balancing, but if you are then you can possibly dovetail the two uses (or switch to marks for filtering, TOS for routing). This has the advantage of being a valid test in any chain and table, once the mark is in place.

j