Andreas wrote:
> Hi,
> I've got a firewall with 3 interfaces on, one internal nic, one external
> and one for the dmz.
>
> Today we only have one ip address, which is a fully routable address on
> the external nic. But we're expanding and getting a whole c-class net. I
> know that I can use ip aliases to replicate the external nic with more
> addresses, like this:
> eth0:1
> eth0:2
> etc
>
> But I've read somewhere that iptables does not work with ip aliases. How
> do I make my firewall have say 5 ip addresses on the external nic, with
> iptables working? Is it possible?
It's possible and it works, but there is one notable limitation: the
"virtual" interfaces have the same MAC address as the "real" interface.
So if you plan on doing granular layer-2 (MAC address) filtering, you
may have problems.

Other than that, there's nothing particularly difficult about your plans:
1. get class-C network
2. Add virtual interfaces to ethX:Y
3. Create iptables rules for different IPs as you would normally

FWIW, I've never tried doing "interface" rules using virtual interfaces, ie,
iptables -A INPUT -i ethX:Y ....
So I have no idea if that would work, but considering the MAC
limitation, and the fact the virtual interface only has a single IP, I
really can't see much point in the idea ;).

The other thing I haven't tried is creating a rule to match all traffic
on the real interface AND all the virtual interfaces in one rule (ie,
ethX and all ethX:Y). I guess you could simply match on MAC address in
the destination of the INPUT/OUTPUT/FORWARD chain, but once again, I
think there are better ways to achieve this.
Cheers,
James
--
ubuntu-users mailing list
ubuntu-users lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
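The three steps James lists (alias the extra addresses onto the external NIC, then write per-address rules), as an added example script that is not part of the thread. It generates the commands rather than applying them, so it can be reviewed before being run as root. The interface name eth0, the addresses from the 192.0.2.0/24 documentation range, and the open port 443 are constructed placeholders. It also covers James's second open question: because the alias labels are not separate interfaces to netfilter, every packet arriving on any eth0:Y alias is seen as arriving on eth0, so a rule with `-i eth0` and no `-d` already matches the real interface and all its aliases; per-address rules are distinguished by destination address, not by alias name.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Emits the alias and
# iptables commands for one external NIC carrying several public addresses.
# All names, addresses and ports are constructed placeholders.
EXT_IF="eth0"
# Constructed: five addresses from the 192.0.2.0/24 documentation range
EXT_ADDRS="192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.14 192.0.2.15"
PREFIX=24

# Step 2: attach each extra address as an alias ethX:Y of the real NIC
# (iproute2 syntax; the alias label is cosmetic, the kernel just adds the
# address to eth0).
gen_alias_cmds() {
    n=1
    for a in $EXT_ADDRS; do
        printf 'ip addr add %s/%s dev %s label %s:%s\n' \
            "$a" "$PREFIX" "$EXT_IF" "$EXT_IF" "$n"
        n=$((n + 1))
    done
}

# Step 3: default-deny INPUT, then one ACCEPT per public address.
# Per-address rules match on destination (-d). Rules that must cover the
# real interface AND every alias in one go use "-i eth0" alone, since
# netfilter never sees an interface called eth0:1.
gen_filter_cmds() {
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$EXT_IF"
    for a in $EXT_ADDRS; do
        printf 'iptables -A INPUT -i %s -d %s -p tcp --dport 443 -j ACCEPT\n' "$EXT_IF" "$a"
    done
    # Log what the default policy is about to drop on the external side.
    printf 'iptables -A INPUT -i %s -j LOG --log-prefix "ext-drop: "\n' "$EXT_IF"
}

# Number of per-address ACCEPT rules produced (one per public address).
count_addr_rules() { gen_filter_cmds | grep -c -- '-d '; }

# Print everything for review; pipe into "sh -e" as root to apply.
gen_alias_cmds
gen_filter_cmds
```

Review the printed commands, then apply them with `sh script.sh | sudo sh -e`. Keep the `-i "$EXT_IF"` matches on the catch-all rules: a `-d` on them would have to be repeated for every alias, which is exactly the duplication the thread is trying to avoid.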