From: George Alexandru Dragoi <waruiinu@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Re: again problem with alias / virtual interface
Date: Mon, 19 Jul 2004 22:10:45 +0300
Message-ID: <3063e504071912106718d992@mail.gmail.com>
In-Reply-To: <d3caf706513e42bc4d4a4a08209f5cd9@62.98.80.108>

Where are the RELATED,ESTABLISHED state packets?
Also, define "does not work".
Look here:

alex@server:~$ telnet 82.186.92.91 22
Trying 82.186.92.91...
Connected to 82.186.92.91.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.5p1

Same for .93.
Are you sure the services you want to connect to bind on those IPs, or 0.0.0.0?
Check this with netstat -tln | grep <desired port>

Best regards

On Mon, 19 Jul 2004 20:55:00 +0200, Batstru <batstru@email.it> wrote:
> Hi all!
> I wrote days ago: I have a problem with virtual interfaces and iptables:
> my PC has 2 network interfaces, one with a private network address and the
> other one with public network addresses:
> eth0 --> 192.168.1.254 / 255.255.255.0
> eth1 --> 82.186.92.90 / 255.255.255.248
> eth1:1 --> 82.186.92.91 / 255.255.255.248
> eth1:2 --> 82.186.92.92 / 255.255.255.248
> eth1:3 --> 82.186.92.93 / 255.255.255.248
> eth1:4 --> 82.186.92.93 / 255.255.255.248
> I have configured network with ifconfig and route
> iptables has this filter rules:
> *filter
> :FORWARD DROP [0:0]
> :INPUT DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state -i eth0 --state NEW -j ACCEPT
> -A INPUT -s 192.168.1.0 -i eth0 -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.90 --dport 22 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.90 --dport 80 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.90 --dport 143 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.90 --dport 10000 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.90 --dport 25 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.90 --dport 110 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.91 --dport 20 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.91 --dport 21 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.91 --dport 22 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1:1 -d 82.186.92.91 --dport 25 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.91 --dport 53 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.91 --dport 80 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.91 --dport 110 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.91 --dport 143 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.91 --dport 443 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.93 --dport 20 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.93 --dport 21 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.93 --dport 22 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.93 --dport 25 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.93 --dport 80 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.93 --dport 110 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.93 --dport 143 --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.93 --dport 8888 --state NEW -j ACCEPT
> As you can see, I've tried changing the configuration but nothing changes:
> just a warning is reported but the rule is not applied.
> -A INPUT -p tcp -m tcp -m state -i eth1:1 -d 82.186.92.91 --dport 25 --state NEW -j ACCEPT
> My PC is running Fedora Core 2 and the kernel is 2.6.6, and I've just
> upgraded iptables to the latest release.
> 
> The problem is that I can't access services running on the virtual
> interfaces.
> I tried to solve the problem as suggested to me: I've seen that using
> aliases is deprecated, so I tried using iproute. I set it up with
> ip addr add 82.186.92.90/24 brd 82.186.92.95 dev eth1 label eth1:0
> ip addr add 82.186.92.91/24 brd 82.186.92.95 dev eth1 label eth1:1
> ip addr add 82.186.92.92/24 brd 82.186.92.95 dev eth1 label eth1:2
> ip addr add 82.186.92.93/24 brd 82.186.92.95 dev eth1 label eth1:3
> ip addr add 82.186.92.94/24 brd 82.186.92.95 dev eth1 label eth1:4
> but after service iptables restart nothing changes, the alias rules are
> not applied and no errors are reported.
> I think I'm doing something wrong with iproute but I don't know what:
> should I give any command to enable iproute?
> 
> My problem is quite strange, I've never seen such....
> 
> tnks
> marco
>
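
Two things in this exchange can be checked mechanically: DROP policies with no RELATED,ESTABLISHED accept rule, and an alias label (eth1:1) used with -i, which names no real device. The following is an added example, not part of the original messages: a Python audit of an iptables-save style dump, where the function name audit, the finding labels and the SAMPLE/FIXED rulesets are constructed for illustration.

```python
import re
import shlex

# Constructed sample in iptables-save format, modelled on the rules quoted above.
SAMPLE = """\
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state -i eth1 -d 82.186.92.90 --dport 22 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state -i eth1:1 -d 82.186.92.91 --dport 25 --state NEW -j ACCEPT
COMMIT
"""

# Constructed corrected variant: real device name plus return-traffic rules.
FIXED = SAMPLE.replace("-i eth1:1", "-i eth1").replace(
    "COMMIT",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
    "-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
    "COMMIT",
)
IFACE_OPTS = ("-i", "-o", "--in-interface", "--out-interface")

def audit(ruleset):
    """Return (kind, detail) findings for an iptables-save style dump."""
    policies, tracked, findings = {}, set(), []
    for lineno, line in enumerate(ruleset.splitlines(), 1):
        line = line.strip()
        policy = re.match(r":(\S+)\s+(\S+)", line)
        if policy:
            policies[policy.group(1)] = policy.group(2)
            continue
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        # Map each option to the token that follows it (last occurrence wins).
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        for opt in IFACE_OPTS:
            # An alias label such as eth1:1 is not a device, so -i never matches it.
            if ":" in opts.get(opt, ""):
                findings.append(("alias-interface", f"line {lineno}: {opt} {opts[opt]}"))
        states = (opts.get("--state") or opts.get("--ctstate") or "").split(",")
        if "ESTABLISHED" in states and opts.get("-j") == "ACCEPT":
            tracked.add(tok[1])
    # With a DROP policy, replies need an explicit ESTABLISHED accept in each direction.
    for chain in ("INPUT", "OUTPUT"):
        if policies.get(chain) == "DROP" and chain not in tracked:
            findings.append(("no-established", chain))
    return findings
```

Running audit(SAMPLE) reports the alias rule and both chains; audit(FIXED) returns an empty list.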

