Short answer: NO
Better answer: iptables cannot use subinterfaces. What you can do is, instead of using the subinterface as your criteria, use your IP addresses. So, in your situation, you can do:
iptables -A INPUT -i eth0 -p icmp -d 192.168.1.1 -j DROP
iptables -A INPUT -i eth0 -p icmp -d 192.168.2.1 -j ACCEPT
If you REALLY need to differentiate subinterfaces, then you should try to split the subinterfaces into two real interfaces.
Sincerely, Leonardo Rodrigues
----- Original Message -----
From: "Chris Verges" <squirrel@xxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Friday, October 15, 2004 12:55 AM
Subject: firewall rules for subinterfaces
Hey,
Is there a way to add firewall rules for subinterfaces? I'm trying to do the equivalent of:
eth0    Intel Pro 10/100
eth0:0  192.168.1.1
eth0:1  192.168.2.1

iptables -A INPUT -p icmp -i eth0:0 -j DENY
iptables -A INPUT -p icmp -i eth0:1 -j ACCEPT
When I try to do this at the command line, iptables spits back an error about how colons (:) are not allowed in the interface name. That brings up the interesting question of how to do this whole thing ...
Any advice or insight is greatly appreciated!
Thanks,
chris -- http://headnut.org squirrel@xxxxxxxxxxx
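The approach in the reply above, written out as an added example that is not from either poster: the kernel treats eth0:0 and eth0:1 as one device (eth0) carrying extra addresses, so the generator below derives the parent device from the alias name and keys each rule on the destination address instead. The alias/address/policy table is constructed to mirror the question, and the script emits the iptables commands rather than executing them, so it needs no root and can be reviewed before use.

```shell
#!/bin/sh
# Added example, not code from the original thread. Turns an
# "alias address policy" table into per-address ICMP INPUT rules,
# because iptables -i only accepts real device names: packets for
# eth0:0 and eth0:1 both arrive on eth0, so the address is the
# criterion that actually distinguishes them.

# Strip an alias suffix (eth0:0 -> eth0); plain names pass through.
parent_iface() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Build one INPUT rule matching on the address the alias carries.
# Only the standard filter targets are accepted; "DENY" is an
# ipchains target and would be rejected by iptables anyway.
gen_rule() {
    alias_name=$1; addr=$2; policy=$3
    iface=$(parent_iface "$alias_name")
    case "$policy" in
        ACCEPT|DROP|REJECT) ;;
        *) printf 'unsupported target: %s\n' "$policy" >&2; return 1 ;;
    esac
    printf 'iptables -A INPUT -i %s -p icmp -d %s -j %s\n' \
        "$iface" "$addr" "$policy"
}

# Constructed table mirroring the question: alias, address, policy.
# Emits one command per line; a bad row aborts the whole run.
gen_all() {
    printf '%s\n' \
        'eth0:0 192.168.1.1 DROP' \
        'eth0:1 192.168.2.1 ACCEPT' |
    while read -r a ip pol; do
        gen_rule "$a" "$ip" "$pol" || exit 1
    done
}

gen_all
```

Piping the output into `sh` (after reading it) applies the rules; keeping generation and application separate is what lets a reviewer catch a wrong address before it reaches the firewall.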