Hello,

John Engelke wrote:
> Hello IPFilter Guru World,

This list is about Netfilter, not IPFilter.

> I've encountered some strangeness in filtering on a multihomed Linux
> box, CentOS 5, x86_64, 2.6.18-164.15.1.el5, where using the interface
> flag (-i) does not work.
>
> So this box has two interfaces on the local subnet, eth0 and eth1.

Are both interfaces connected to the same subnet? If so, I don't call
this "multihomed".

> I would like to restrict VNC to only one of the interfaces, eth1. At the
> start, VNC does not work. So I add this:
>
> -A INPUT -i eth1 -p tcp -m multiport --port 5900 -j ACCEPT
>
> Then, VNC starts working on eth0 AND eth1.

Are you sure? How do you know?

> Since I know the address of eth1, I then put it in explicitly as:
>
> -A INPUT -i eth1 -p tcp -d 192.168.1.34 -m multiport --port 5900 -j ACCEPT
>
> Amazingly, this works and now VNC traffic is only allowed on eth1
> (address 192.168.1.34). So I believe I am concluding correctly that
> interface filtering *does not work* for INPUT statements in multihomed
> machines. I also wonder if it does not work at all for any interface.

It works for lots of people - including myself - who run multihomed
boxes such as routers.

If both interfaces are connected to the same subnet, by default your
box accepts packets destined to any local non-loopback address on any
interface, including packets destined to the address assigned to eth1
on eth0 and vice versa. This is because Linux enforces the "weak" host
model.
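A small model of the situation discussed in this thread, added here as an illustration and not part of the original mail: `-i` matches the interface a frame arrived on, not the address it was sent to, and under the weak host model those two are decoupled when both interfaces sit on one subnet. The eth0 address (192.168.1.33) and the packet/rule classes are constructed for the example; only the eth1 address and the two rules come from the post.

```python
# Constructed model of iptables INPUT matching on a two-interface host; this is
# not netfilter code, only the -i / -d / -p / --dport match semantics.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    in_iface: str          # interface the frame physically arrived on
    dst: str               # destination IP address in the packet
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    target: str
    in_iface: Optional[str] = None   # -i
    dst: Optional[str] = None        # -d
    dport: Optional[int] = None      # --dport / multiport
    proto: Optional[str] = None      # -p

    def matches(self, pkt: Packet) -> bool:
        # Every specified match must hold; unspecified matches are wildcards.
        return ((self.in_iface is None or self.in_iface == pkt.in_iface) and
                (self.dst is None or self.dst == pkt.dst) and
                (self.dport is None or self.dport == pkt.dport) and
                (self.proto is None or self.proto == pkt.proto))

def input_verdict(rules, pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins, otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy

# Local addresses: eth1's is from the post, eth0's is a constructed value.
LOCAL = {"eth0": "192.168.1.33", "eth1": "192.168.1.34"}

def vnc_reachable(rules):
    """(ingress interface, destination address) pairs on which TCP/5900 is accepted.
    With the weak host model a packet for either local address may arrive on
    either interface, so all four combinations are possible on the wire."""
    return {(iface, addr) for iface in LOCAL for addr in LOCAL.values()
            if input_verdict(rules, Packet(iface, addr, 5900)) == "ACCEPT"}

# The two rules from the post.
RULE_IFACE_ONLY = [Rule("ACCEPT", in_iface="eth1", proto="tcp", dport=5900)]
RULE_IFACE_AND_ADDR = [Rule("ACCEPT", in_iface="eth1", dst="192.168.1.34",
                            proto="tcp", dport=5900)]
```

With `-i eth1` alone, a connection to the eth0 address is still accepted whenever the frame reaches the box through eth1, which is exactly what the weak host model permits; adding `-d` pins the rule to one address as well as one interface.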