Re: forwarding ports from aliased ip addresses

On Thu, 9 Jun 2005, Mike Pepe wrote:

Hi all. I'm new to the list but not to netfilter.

using -i eth5:1 doesn't work.

Is this even possible? I've been up and down the man page and I can't seem to figure out a way to differentiate the alias from the "normal" ip. I guess I could add another network card and duplicate the scripts but this seems so wasteful to me.

As I understand it, -i refers to the physical interface, which is eth5, not any of its aliases.

You haven't said how you are forwarding the traffic: is it simple forwarding to the DMZ address (i.e. the client box knows it is talking to the DMZ address) or are you doing DNAT?

Either way, it doesn't matter.

You can specify that the packet is allowed through based on both the physical interface in (-i) and the destination ip address (-d).

So: if you are doing simple filtering/forwarding, you need to make your rule based on -i eth5 -d $dmz_ip_addr -s $allowed_client_net in the filter table's FORWARD chain.

If you are doing DNAT, then you would make a similar decision, but in the PREROUTING chain of the nat table, and possibly add another rule in the forwarding table to allow the packets to traverse your firewall.

HTH
--
Vivek
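The two rule sets the reply describes, written out as an added example (this is not code from either poster). All addresses, the client network and the port are assumed placeholders for the firewall in the question: eth5 is the physical interface, 203.0.113.20 stands in for the address configured on the eth5:1 alias, 10.10.10.5 for the DMZ host, 198.51.100.0/24 for the allowed client network. The point the example makes concrete is that "-i eth5:1" is not a match, but "-i eth5" combined with "-d <address>" is, and that after DNAT the FORWARD chain sees the translated DMZ address rather than the alias. Set IPTABLES=echo to print the rules instead of loading them, which needs no root.

```shell
#!/bin/sh
# Added example, not part of the original thread. Port forwarding for a
# service that arrives on an aliased address (eth5:1) without ever naming
# the alias in a rule: match the physical interface (-i eth5) plus the
# destination address (-d) instead.
#
# Usage:  sh fwd.sh forward      # plain forwarding, clients address the DMZ host
#         sh fwd.sh dnat         # DNAT from the alias address to the DMZ host
#         IPTABLES=echo sh fwd.sh dnat   # dry run: print the rules only

IPTABLES="${IPTABLES:-iptables}"

EXT_IF="eth5"                   # physical interface; eth5:1 is only a label on it
ALIAS_IP="203.0.113.20"         # assumed: address carried by the eth5:1 alias
DMZ_IP="10.10.10.5"             # assumed: DMZ host behind the firewall
ALLOWED_NET="198.51.100.0/24"   # assumed: client network allowed to use the service
DPORT="443"                     # assumed: forwarded TCP port

# Case 1: simple forwarding. The client already addresses the DMZ host, so the
# filter table's FORWARD chain can decide on physical interface, source network
# and destination address. Nothing here references the alias at all.
forward_rules() {
    $IPTABLES -A FORWARD -i "$EXT_IF" -s "$ALLOWED_NET" -d "$DMZ_IP" \
        -p tcp --dport "$DPORT" -m conntrack --ctstate NEW -j ACCEPT
    # Reply packets of connections that were accepted above.
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Case 2: DNAT. nat/PREROUTING runs before routing and still sees the original
# destination, so this is the one place the alias address is matched: -i eth5
# plus -d $ALIAS_IP selects exactly the traffic that came in for the alias and
# not traffic for the primary address of eth5.
dnat_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -s "$ALLOWED_NET" -d "$ALIAS_IP" \
        -p tcp --dport "$DPORT" -j DNAT --to-destination "$DMZ_IP:$DPORT"
    # filter/FORWARD runs after DNAT has rewritten the destination, so the
    # companion rule must match the DMZ address, not the alias address.
    $IPTABLES -A FORWARD -i "$EXT_IF" -s "$ALLOWED_NET" -d "$DMZ_IP" \
        -p tcp --dport "$DPORT" -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    forward) forward_rules ;;
    dnat)    dnat_rules ;;
    *)       echo "usage: $0 forward|dnat  (IPTABLES=echo for a dry run)" >&2 ;;
esac
```

Both rule sets assume the FORWARD chain's policy is DROP (or ends in a DROP), otherwise restricting the accept rule to $ALLOWED_NET achieves nothing. The restriction to "-m conntrack --ctstate NEW" on the accept rule keeps the source-network check on the first packet only; replies are handled by the ESTABLISHED,RELATED rule.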