Re: Using an device alias?


 



This is a second repost; the first one appears to have disappeared.

Joel Newkirk wrote:

On Friday 03 January 2003 02:28 pm, Steve M Bibayoff wrote:

Is it possible to use iptables with a device alias
(e.g. eth0:1)? I tried to add a filter rule and got
an error:
% iptables -t filter -I INPUT -i eth0:1 -j ACCEPT
Warning: wierd character in interface `eth0:1' (No
aliases, :, ! or *).

Solution #1:
Since this is the INPUT chain, then the local machine clearly is the destination. (unless you are using the REDIRECT target in nat PREROUTING) I suggest you try something like:

Unfortunately, I am doing redirect nat. More specifically, MASQ.

Solution #2:
If eth0 is local, then I presume you have two different subnets connected to it, and want it to respond to both.

This won't work either. Both addresses are on the same subnet, see below.

Solution #3:
... but there's still a possibility, by catching them inbound in mangle PREROUTING and marking them based on destIP, which will still be the 'real' IPs prior to DNAT in nat PREROUTING

I was hoping for an easier solution than this, but it does look like this is what I'll have to do. I probably should have posted complete details (and searched(1) the archives, as it seems this question comes up every week). Here are more details, and hopefully someone could come up with an easier (at least for me) solution.



I am using an iptables script that was taken from:
http://heimdall.asgardsrealm.net/linux/firewall/
It is a fairly long and appears to be a fairly complete script. I'm using it mainly to do masquerading. The network looks something like this:

windows + other boxes 192.168.0.1|------|1.2.3.4/28
192.168.0.0/24 network---------eth1|RH 7.3|eth0---------Internet
|------|

I think the most relevant chain in the script is:
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE

The box has only 2 network connections (internal/external). What I need to do is produce another real IP (1.2.3.5) that could be directly NAT'ed to an internal Windows (192.168.0.2) machine without any filtering. So the new network looks like this:
|------|192.168.0.2 192.168.0.1|------|1.2.3.4/28
|winows|---------------------eth1|RH 7.3|eth0----------------
|------| / | |1.2.3.5/? /
/ |------|eth0:0-----/
rest of network-/

Hopefully this makes some sense. From searching the archive, I've found the following ideas:
ip addr add w.x.y.z/bits dev eth0 label eth00
http://lists.netfilter.org/pipermail/netfilter/2002-October/038968.html
This didn't work; I kept getting errors after I tried to check the interface with 'ifconfig' and 'ip addr list'.

I've also tried to just forward the address with this:
iptables -A PREROUTING -t nat -d 1.2.3.5 -j DNAT --to 192.168.0.2
iptables -A FORWARD -d 192.168.0.2 -j ACCEPT
http://lists.netfilter.org/pipermail/netfilter/2002-September/038129.html
This appears to be working when I try to go from the internal machine to the outside, but I can't connect from the outside to the inside (tried nmap, got the RH 7.3 sig).

If someone knows the script I'm using and knows what's hanging me up, could you please point out my error; if not, I think I'll eventually get it.

TIA

Steve

1) Don't remember if it was this list or not about search capacity, but I use advanced Google (i.e. add "site:lists.netfilter.org" in the search field). hth.
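
The approach from Solution #3 quoted above, combined with the one-to-one NAT the post asks for, as an added example that is not part of the original message or of the firewall script it mentions: match on the destination address instead of the `eth0:1` alias name, which iptables rejects. The addresses and interface names come from the post's diagram; the mark value, the `-o eth0` qualifiers, the FORWARD policy and the assumption that 1.2.3.5 is already configured as an additional address on eth0 are mine.

```shell
#!/bin/sh
# Values from the post's diagram; MARK is an arbitrary choice (assumption).
EXT_IF=eth0
INT_IF=eth1
ALIAS_IP=1.2.3.5        # second public address, must already be on EXT_IF
HOST_IP=192.168.0.2     # internal machine that receives the traffic
LAN=192.168.0.0/24
MARK=1

# Print a ruleset in iptables-restore format. Nothing here refers to
# an alias interface name; the alias is identified by its address only.
gen_rules() {
cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# mangle PREROUTING runs before nat PREROUTING, so the original
# destination address is still visible and can be tagged here.
-A PREROUTING -i $EXT_IF -d $ALIAS_IP -j MARK --set-mark $MARK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $EXT_IF -d $ALIAS_IP -j DNAT --to-destination $HOST_IP
# The fixed source rewrite for the internal host must come before the
# general masquerade rule, or its replies leave with the wrong address.
-A POSTROUTING -o $EXT_IF -s $HOST_IP -j SNAT --to-source $ALIAS_IP
-A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# After DNAT the destination is the internal address; the mark set in
# mangle still records that the packet arrived for the alias address.
-A FORWARD -i $EXT_IF -o $INT_IF -d $HOST_IP -m mark --mark $MARK -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -j ACCEPT
COMMIT
EOF
}

gen_rules
```

Feeding this output to `iptables-restore` replaces the current contents of the three tables unless `--noflush` is given, so it would need to be merged with an existing script's rules rather than loaded beside them.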





