From: Joel Newkirk <netfilter@newkirk.us>
To: Steve M Bibayoff <smb23@csufresno.edu>, netfilter@lists.netfilter.org
Subject: Re: Using an device alias?
Date: Fri, 3 Jan 2003 22:33:47 -0500
Message-ID: <200301032233.47877.netfilter@newkirk.us>
In-Reply-To: <b74ecb8788.b8788b74ec@cvip.net>
On Friday 03 January 2003 02:28 pm, Steve M Bibayoff wrote:
> Is it possible to use iptables with a device alias
> (ex.. eth0:1)? I tried to add a filter rule and got
> an error:
>
> % iptables -t filter -I INPUT -i eth0:1 -j ACCEPT
> Warning: wierd character in interface `eth0:1' (No
> aliases, :, ! or *).

Well, the warning says it pretty clearly, it seems. However, I have an
idea on this. Actually three, presented in order from simplest to most
complicated.

Solution #1:

Since this is the INPUT chain, the local machine clearly is the
destination. (unless you are using the REDIRECT target in nat
PREROUTING) I suggest you try something like:

iptables -A INPUT -i eth0 -d a.b.c.d...
iptables -A INPUT -i eth0 -d e.f.g.h...

This should catch the two aliased IPs independently.

Now if this were FORWARD chain traffic, this test wouldn't work, since
the destination IP can in principle be anything at all, but by
definition will NOT be an IP of the local box. Even if it originally
WAS addressed to this box, to appear in FORWARD it would have to be
DNATted, and would then have the new IP.

Solution #2:

If eth0 is local, then I presume you have two different subnets connected
to it, and want it to respond to both. If this is the case, then you
could test for which subnet the source IP is in rather than which destip
is used. Testing the source IP range would work in both INPUT and
FORWARD chains, for traffic coming in on that interface (or its alias),
while the same approach for destip should work for FORWARD or OUTPUT
traffic going back out that interface. (note that -o eth0 would NOT be a
valid test in FORWARD or OUTPUT, however, so you'd only be able to test
destination IP) Something like:

iptables -A FORWARD -i eth0 -s 10.0.0.0/16...
iptables -A FORWARD -i eth0 -s 10.1.0.0/16...

Solution #3:

If however eth0 is a connection to the internet with multiple IPs (or
for some unfathomable reason you have two independent IPs on the same
interface that are on the same subnet...), NEITHER of these approaches
can work in the FORWARD chain, but there's still a possibility, by catching
them inbound in mangle PREROUTING and marking them based on destIP,
which will still be the 'real' IPs prior to DNAT in nat PREROUTING
(which is implicit in such packets being in the FORWARD chain) and then
in FORWARD you can match marks and handle them separately based on that.

iptables -t mangle -A PREROUTING -i eth0 -d a.b.c.d -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth0 -d e.f.g.h -j MARK --set-mark 3
iptables -A FORWARD -m mark --mark 2...
iptables -A FORWARD -m mark --mark 3...

This presumes that you aren't using packet marking for anything else,
like routing decisions or load balancing, but if you are then you can
possibly dovetail the two uses. (or switch to marks for filtering, TOS
for routing) This has the advantage of being a valid test in any chain
and table, once the mark is in place.

j
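A complete rule set combining solutions #1 and #3 above, added here as an example; it is not code from the thread. It assumes eth0 carries the two constructed addresses 192.0.2.10 and 192.0.2.11, that 192.0.2.11:80 is DNATed to an internal web server 10.0.0.5, that the FORWARD policy is DROP, and it uses an IPTABLES variable so the rules can be printed (IPTABLES=echo) instead of applied:

```shell
#!/bin/sh
# Added example, not from the original thread: filter per-alias traffic on
# eth0 without ever naming "eth0:1" (which iptables rejects) in a rule.
# Addresses and the internal server are constructed placeholders.
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to dry-run
IFACE="eth0"
ALIAS_A="192.0.2.10"   # eth0:0, terminates on this box (ssh)
ALIAS_B="192.0.2.11"   # eth0:1, forwarded to an internal web server
WEBSRV="10.0.0.5"      # assumed internal web server behind this box

# Solution 1: in INPUT the packet is for us, so the destination address
# alone tells us which alias it arrived on.
local_rules() {
    "$IPTABLES" -A INPUT -i "$IFACE" -d "$ALIAS_A" -p tcp --dport 22 -j ACCEPT
    "$IPTABLES" -A INPUT -i "$IFACE" -d "$ALIAS_B" -j DROP
}

# Solution 3: a forwarded packet reaches FORWARD with its destination already
# rewritten by nat PREROUTING, so the alias address is gone. mangle PREROUTING
# runs before nat, so stamp a mark there and match the mark in FORWARD.
forward_rules() {
    "$IPTABLES" -t mangle -A PREROUTING -i "$IFACE" -d "$ALIAS_B" \
        -j MARK --set-mark 3
    "$IPTABLES" -t nat -A PREROUTING -i "$IFACE" -d "$ALIAS_B" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEBSRV"
    # Replies from the web server are not marked; let conntrack pass them.
    "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The mark survives DNAT; "-d $ALIAS_B" would no longer match here.
    "$IPTABLES" -A FORWARD -m mark --mark 3 -d "$WEBSRV" -p tcp --dport 80 \
        -j ACCEPT
}

# Apply only when asked explicitly, so sourcing the file changes nothing.
if [ "${1:-}" = "apply" ]; then
    local_rules
    forward_rules
fi
```

Run with `IPTABLES=echo sh rules.sh apply` first to review the generated rules; none of them references the alias name, which is what triggered the warning in the original question.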