* Using an device alias?
@ 2003-01-03 19:07 Steve M Bibayoff
  0 siblings, 0 replies; 7+ messages in thread
From: Steve M Bibayoff @ 2003-01-03 19:07 UTC (permalink / raw)
  To: netfilter

Is it possible to use iptables with a device alias
(e.g. eth0:1)? I tried to add a filter rule and got
an error:
% iptables -t filter -I INPUT -i eth0:1 -j ACCEPT
Warning: wierd character in interface `eth0:1' (No
aliases, :, ! or *).

If I list the rules, it's listed, but it doesn't
appear to be working. I was wondering if someone had
a definite answer.

TIA

Steve




* Using an device alias?
@ 2003-01-03 19:28 Steve M Bibayoff
  2003-01-04  3:33 ` Joel Newkirk
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Steve M Bibayoff @ 2003-01-03 19:28 UTC (permalink / raw)
  To: netfilter

Sorry if everyone gets this twice, this one is a
second posting when I realized this was a closed list.

Original question:
Is it possible to use iptables with a device alias
(e.g. eth0:1)? I tried to add a filter rule and got
an error:
% iptables -t filter -I INPUT -i eth0:1 -j ACCEPT
Warning: wierd character in interface `eth0:1' (No
aliases, :, ! or *).

If I list the rules, it's listed, but it doesn't
appear to be working. I was wondering if someone had
a definite answer.

TIA

Steve





* Re: Using an device alias?
  2003-01-03 19:28 Using an device alias? Steve M Bibayoff
@ 2003-01-04  3:33 ` Joel Newkirk
       [not found]   ` <3E19CD4E.2050700@csufresno.edu>
  2003-01-06  5:30 ` Raymond Leach
  2003-01-07 17:23 ` WA Support
  2 siblings, 1 reply; 7+ messages in thread
From: Joel Newkirk @ 2003-01-04  3:33 UTC (permalink / raw)
  To: Steve M Bibayoff, netfilter

On Friday 03 January 2003 02:28 pm, Steve M Bibayoff wrote:
> Is it possible to use iptables with a device alias
> (e.g. eth0:1)? I tried to add a filter rule and got
> an error:
> % iptables -t filter -I INPUT -i eth0:1 -j ACCEPT
> Warning: wierd character in interface `eth0:1' (No
> aliases, :, ! or *).

Well, the warning says it pretty clearly, it seems.  However, I have an 
idea on this.  Actually three, presented in order from simplest to most 
complicated.

Solution #1:
Since this is the INPUT chain, then the local machine clearly is the 
destination.  (unless you are using the REDIRECT target in nat 
PREROUTING)  I suggest you try something like:

iptables -A INPUT -i eth0 -d a.b.c.d...
iptables -A INPUT -i eth0 -d e.f.g.h...

This should catch the two aliased IP's independently.  

Now if this were FORWARD chain traffic, this test wouldn't work, since 
the destination IP can in principle be anything at all, but by 
definition will NOT be an IP of the local box.  Even if it originally 
WAS addressed to this box, to appear in FORWARD it would have to be 
DNATted, and would then have the new IP.

Solution #2:
If eth0 is local, then I presume you have two different subnets connected 
to it, and want it to respond to both.  If this is the case, then you 
could test for which subnet the source IP is in rather than which destip 
is used.  Testing the source ip range would work in both INPUT and 
FORWARD chains, for traffic coming in on that interface (or its alias), 
while the same approach for destip should work for FORWARD or OUTPUT 
traffic going back out that interface. (note that -o eth0 would NOT be a 
valid test in FORWARD or OUTPUT, however, so you'd only be able to test 
destination IP)  Something like:

iptables -A FORWARD -i eth0 -s 10.0.0.0/16...
iptables -A FORWARD -i eth0 -s 10.1.0.0/16...

Solution #3:
If however eth0 is a connection to the internet with multiple IP's, (or 
for some unfathomable reason you have two independent IP's on the same 
interface that are on the same subnet...) NEITHER of these approaches 
can work in FORWARD chain, but there's still a possibility, by catching 
them inbound in mangle PREROUTING and marking them based on destIP, 
which will still be the 'real' IPs prior to DNAT in nat PREROUTING 
(which is implicit in such packets being in the FORWARD chain) and then 
in FORWARD you can match marks and handle them separately based on that.

iptables -t mangle -A PREROUTING -i eth0 -d a.b.c.d -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth0 -d e.f.g.h -j MARK --set-mark 3
iptables -A FORWARD -m mark --mark 2...
iptables -A FORWARD -m mark --mark 3...

This presumes that you aren't using packet marking for anything else, 
like routing decisions or load balancing, but if you are then you can 
possibly dovetail the two uses. (or switch to marks for filtering, TOS 
for routing)  This has the advantage of being a valid test in any chain 
and table, once the mark is in place.

j
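As an added illustration of Solution #3 above (this is not code from Joel's message), the following POSIX sh script generates the mangle PREROUTING marking rules and the FORWARD rules that act on the marks, for any number of public addresses sharing one physical interface. The interface name, the addresses and the mark values are constructed placeholders; by default the script only prints the commands (DRY_RUN=1) so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not code from the thread: when several public addresses share one
# physical interface, mark packets in mangle PREROUTING by destination address and
# match the mark in FORWARD (Joel's Solution #3). Interface name, addresses and mark
# values are constructed placeholders.
set -eu

EXT_IFACE="${EXT_IFACE:-eth0}"
# address:mark pairs; marks start at 2 as in the thread (0 means "unmarked").
PUBLIC_IPS="${PUBLIC_IPS:-1.2.3.4:2 1.2.3.5:3}"

# Print the marking rules. mangle PREROUTING runs before nat PREROUTING, so -d still
# sees the public address even when the packet is later DNATed to an internal host.
mark_rules() {
    for pair in $PUBLIC_IPS; do
        ip=${pair%:*}
        mark=${pair#*:}
        echo "iptables -t mangle -A PREROUTING -i $EXT_IFACE -d $ip -j MARK --set-mark $mark"
    done
}

# Print the FORWARD rules that act on the marks. ACCEPT stands in for whatever
# per-address policy is wanted; the mark is only the selector, not the policy.
forward_rules() {
    for pair in $PUBLIC_IPS; do
        mark=${pair#*:}
        echo "iptables -A FORWARD -m mark --mark $mark -j ACCEPT"
    done
}

all_rules() {
    mark_rules
    forward_rules
}

# Number of rules a given chain would receive (a self-check before applying).
count_rules() {
    all_rules | grep -c -- "-A $1"
}

# Dry run by default: print the commands. DRY_RUN=0 executes them (requires root).
if [ "${DRY_RUN:-1}" = "1" ]; then
    all_rules
else
    all_rules | sh -e
fi
```

Note that MARK is a per-packet mark: the reply packets leaving through the same interface are not marked by these rules, so a policy that must also see the return direction needs the mark copied to the connection (the CONNMARK target) rather than set per packet.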




* Re: Using an device alias?
  2003-01-03 19:28 Using an device alias? Steve M Bibayoff
  2003-01-04  3:33 ` Joel Newkirk
@ 2003-01-06  5:30 ` Raymond Leach
  2003-01-07 17:23 ` WA Support
  2 siblings, 0 replies; 7+ messages in thread
From: Raymond Leach @ 2003-01-06  5:30 UTC (permalink / raw)
  To: Steve M Bibayoff; +Cc: Netfilter Mailing List


Hi

It doesn't make sense to attach rules to alias interfaces, since the
packets are coming in the same physical interface whether it is eth0:1
or eth0.

So if you use just eth0 your rules should work as expected, as long as
you qualify them further with the correct (alias) IP.

Ray

On Fri, 2003-01-03 at 21:28, Steve M Bibayoff wrote:
> Sorry if everyone gets this twice, this one is a
> second posting when I realized this was a closed list.
> 
> Original question:
> Is it possible to use iptables with a device alias
> (e.g. eth0:1)? I tried to add a filter rule and got
> an error:
> % iptables -t filter -I INPUT -i eth0:1 -j ACCEPT
> Warning: wierd character in interface `eth0:1' (No
> aliases, :, ! or *).
> 
> If I list the rules, it's listed, but it doesn't
> appear to be working. I was wondering if someone had
> a definite answer.
> 
> TIA
> 
> Steve
> 
-- 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(  Raymond Leach                       )
 ) Knowledge Factory                  (
(                                      )
 ) Tel: +27 11 445 8100               (
(  Fax: +27 11 445 8101                )
 )                                    (
(  http://www.knowledgefactory.co.za/  )
 ) http://www.saptg.co.za/            (
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   o                                o
    o                              o
        .--.                  .--.
       | o_o|                |o_o |
       | \_:|                |:_/ |
      / /   \\              //   \ \
     ( |     |)            (|     | )
     /`\_   _/'\          /'\_   _/`\
     \___)=(___/          \___)=(___/



* Re: Using an device alias?
       [not found]     ` <3E19DD6B.7070503@csufresno.edu>
@ 2003-01-06 19:56       ` Steve
  2003-01-06 21:41         ` Joel Newkirk
  0 siblings, 1 reply; 7+ messages in thread
From: Steve @ 2003-01-06 19:56 UTC (permalink / raw)
  To: netfilter

This is a second repost, the first one appears to have disappeared.

Joel Newkirk wrote:

> On Friday 03 January 2003 02:28 pm, Steve M Bibayoff wrote:
>
>> Is it possible to use iptables with a device alias
>> (e.g. eth0:1)? I tried to add a filter rule and got
>> an error:
>> % iptables -t filter -I INPUT -i eth0:1 -j ACCEPT
>> Warning: wierd character in interface `eth0:1' (No
>> aliases, :, ! or *).

> Solution #1:
> Since this is the INPUT chain, then the local machine clearly is the 
> destination.  (unless you are using the REDIRECT target in nat 
> PREROUTING)  I suggest you try something like:

Unfortunately, I am doing redirect nat. More specifically MASQ

> Solution #2:
> If eth0 is local, then I presume you have two different subnets 
> connected to it, and want it to respond to both.

This won't work either. Both addresses are on the same subnet, see below.

> Solution #3:
> ... but there's still a possibility, by catching them inbound in 
> mangle PREROUTING and marking them based on destIP, which will still 
> be the 'real' IPs prior to DNAT in nat PREROUTING 


I was hoping for an easier solution than this, but it does look like 
this is what I'll have to do. I probably should have posted complete 
details (and searched(1) the archives, as it seems this question comes up 
every week). Here are more details and hopefully someone could come up 
with an easier (at least for me) solution.



I am using an iptables script that was taken from:
http://heimdall.asgardsrealm.net/linux/firewall/
It is a fairly long and appears to be a fairly complete script. I'm using 
it mainly to do masquerading. The network looks something like this:

windows + other boxes   192.168.0.1|------|1.2.3.4/28
192.168.0.0/24 network---------eth1|RH 7.3|eth0---------Internet
                                   |------|

I think the most relevant chain in the script is:
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE

The box has only 2 network connections(internal/external). What I need 
to do is produce another real ip (1.2.3.5) that could be directly nat'ed 
to an internal windows(192.168.0.2) machine without any filtering. So 
the new network looks like this:
|------|192.168.0.2   192.168.0.1|------|1.2.3.4/28
|winows|---------------------eth1|RH 7.3|eth0----------------
|------|          /              |      |1.2.3.5/?   /
                 /               |------|eth0:0-----/
rest of network-/

Hopefully this makes some sense. From searching the archive, I've found 
the following ideas:
ip addr add w.x.y.z/bits dev eth0 label eth00
http://lists.netfilter.org/pipermail/netfilter/2002-October/038968.html
This didn't work; I kept getting errors when I tried to check the 
interface with 'ifconfig' and 'ip addr list'

I've also tried to just forward the address with this
iptables -A PREROUTING -a nat -d 1.2.3.5 -j DNAT --to 192.168.0.2
iptables -A FORWARD -d 192.168.0.2 -j ACCEPT
http://lists.netfilter.org/pipermail/netfilter/2002-September/038129.html
This appears to be working when I try to go from the internal machine to 
the outside, but I can't connect from the outside to the inside (tried nmap, 
got the RH 7.3 sig).

If someone knows the script I'm using and knows what is hanging me up, could 
you please point out my error; if not, I think I'll eventually get it.

TIA

Steve

1) Don't remember if it was this list or not about search capacity, but I 
use advanced Google (i.e. add "site:lists.netfilter.org" in the search 
field). hth.







* Re: Using an device alias?
  2003-01-06 19:56       ` Steve
@ 2003-01-06 21:41         ` Joel Newkirk
  0 siblings, 0 replies; 7+ messages in thread
From: Joel Newkirk @ 2003-01-06 21:41 UTC (permalink / raw)
  To: Steve, netfilter

On Monday 06 January 2003 02:56 pm, Steve wrote:
> This is a second repost, the first one appears to have disappeared.
>
> Joel Newkirk wrote:
> > On Friday 03 January 2003 02:28 pm, Steve M Bibayoff wrote:
> >> Is it possible to use iptables with a device alias
> >> (e.g. eth0:1)? I tried to add a filter rule and got
> >> an error:
> >> % iptables -t filter -I INPUT -i eth0:1 -j ACCEPT
> >> Warning: wierd character in interface `eth0:1' (No
> >> aliases, :, ! or *).
> >
> > Solution #1:
> > Since this is the INPUT chain, then the local machine clearly is the
> > destination.  (unless you are using the REDIRECT target in nat
> > PREROUTING)  I suggest you try something like:
>
> Unfortunately, I am doing redirect nat. More specifically MASQ

Within iptables semantics, REDIRECT is a specific form of NAT wherein you 
are taking an incoming connection that would otherwise forward (IE, not 
addressed to the local box) and DNATting it to the local box, so that it 
comes in INPUT instead of forwarding to somewhere else.  (for example, 
running a transparent proxy server on the firewall box)  If all you are 
doing is MASQUERADE then you are NOT doing REDIRECT.  Also, if your 
public IP is static you should use "-j SNAT --to 1.2.3.4" instead of "-j 
MASQUERADE", to avoid the overhead of netfilter constantly polling the 
external interface to adapt to IP changes.  This is another semantics 
issue sometimes, where many people say 'masquerade' to mean hiding 
several machines behind a single (or possibly more :^) public IP, but 
the iptables target 'MASQUERADE' is a specific form of SNAT where 
instead of specifying the source IP to use when NATting the packets, you 
tell netfilter to use whatever the current IP of the interface is.

For emails I write, when these terms are capitalized I mean the actual 
targets (or chains, like FORWARD and OUTPUT) used in iptables rules, 
since the targets are all caps when used in rules.  I usually try to 
avoid using 'masquerade' and 'redirect' in their more general meaning if 
there's any chance of confusion.

{snip}

> The box has only 2 network connections(internal/external). What I need
> to do is produce another real ip (1.2.3.5) that could be directly
> nat'ed to an internal windows(192.168.0.2) machine without any
> filtering. So the new network looks like this:
> |------|192.168.0.2   192.168.0.1|------|1.2.3.4/28
> |winows|---------------------eth1|RH 7.3|eth0----------------
> |------|          /              |      |1.2.3.5/?   /
>                  /               |------|eth0:0-----/
> rest of network-/

You have two public IP's and want the machine to respond to both, but 
forward connection coming in on one of them to a separate server in the 
local network, right?  If so, then set up your alias on the interface 
(eth0:0) with:

ifconfig eth0:0 1.2.3.5

and then add the following rule:

iptables -t nat -A PREROUTING -i eth0 -d 1.2.3.5 -j DNAT --to 192.168.0.2

and everything should work happily.  Just make sure that any other 
PREROUTING rules either appear after this one, or are written so as not 
to interfere with this specific traffic.  Also, make sure that you allow 
this and replies through FORWARD, but netfilter will handle undoing the 
DNAT when the packets come back through.  Read through the section on 
DNAT in Oskar Andreasson's iptables tutorial at: 
http://iptables-tutorial.frozentux.net/chunkyhtml/targets.html#DNATTARGET 
and you'll probably find that everything falls into place. 

The key to this in your circumstance is specifying the destination IP (in 
PREROUTING - in FORWARD you would test for "-d 192.168.0.2") as well as 
the arriving interface, to separate this traffic from everything else 
coming in that same physical interface.  Also note that once you perform 
the DNAT in PREROUTING then the destination IP will be that of the 
internal machine when the packet hits any other chains in the firewall, 
and reply traffic will have source IP of the internal machine up until 
it reaches POSTROUTING, just before leaving the firewall and returning 
back out eth0.

> Hopefully this makes some sense. From searching the archive, I've
> found the following ideas:
> ip addr add w.x.y.z/bits dev eth0 label eth00
> http://lists.netfilter.org/pipermail/netfilter/2002-October/038968.html
> This didn't work; I kept getting errors when I tried to check the
> interface with 'ifconfig' and 'ip addr list'
>
> I've also tried to just forward the address with this
> iptables -A PREROUTING -a nat -d 1.2.3.5 -j DNAT --to 192.168.0.2
> iptables -A FORWARD -d 192.168.0.2 -j ACCEPT
> http://lists.netfilter.org/pipermail/netfilter/2002-September/038129.html
> This appears to be working when I try to go from the internal machine
> to the outside, but I can't connect from the outside to the inside (tried
> nmap, got the RH 7.3 sig).

Are you allowing return traffic back out through the FORWARD chain?  The 
DNAT you have above should have no effect at all on connections from 
internal to outside, unless the destination is 1.2.3.5.  (and those 
would fail for a different reason... see link above for more)  The only 
things that should affect connections from internal to outside should be 
FORWARD chain rules to let them through, and SNAT or MASQUERADE in nat 
POSTROUTING chain to hide their actual source behind the public IP.  
(unless you have some other DNAT or REDIRECT rule that affects them, and 
the DNAT we're discussing normally would not)

j

> If someone knows the script I'm using and knows what is hanging me up,
> could you please point out my error; if not, I think I'll eventually
> get it.
>
> TIA
>
> Steve
>
> 1) Don't remember if it was this list or not about search capacity, but
> I use advanced Google (i.e. add "site:lists.netfilter.org" in the search
> field). hth.
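The setup Joel describes in his reply (second public address aliased onto eth0, DNAT in nat PREROUTING keyed on destination IP and arriving interface, matching FORWARD rules, conntrack undoing the translation for replies), written out as one POSIX sh script. This is an added example, not code from the thread or from the firewall script Steve uses; the addresses and interface names follow Steve's diagram and are placeholders, the /28 prefix is taken from the diagram, and the SNAT of the internal host's own outbound connections to 1.2.3.5 goes beyond the thread to make the mapping a full 1:1 NAT. By default it only prints the commands (DRY_RUN=1).

```shell
#!/bin/sh
# Added example (not from the thread): give the firewall a second public address on
# eth0 and map it 1:1 to an internal host, matching on destination IP rather than on
# the alias name (iptables refuses "-i eth0:0"). Addresses, interfaces and the /28
# prefix follow the thread's diagram and are placeholders.
set -eu

EXT_IFACE="${EXT_IFACE:-eth0}"
INT_IFACE="${INT_IFACE:-eth1}"
PRIMARY_IP="${PRIMARY_IP:-1.2.3.4}"          # address the rest of the LAN is SNATed to
PUBLIC_IP="${PUBLIC_IP:-1.2.3.5}"            # second public address, aliased onto eth0
PREFIX="${PREFIX:-28}"
INTERNAL_HOST="${INTERNAL_HOST:-192.168.0.2}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Print the commands in the order they must run.
#  - the alias label must start with the device name, which is why "eth00" failed;
#  - the DNAT rule is inserted (-I ... 1) so no earlier PREROUTING rule catches it;
#  - FORWARD admits the mapped connections inbound and their replies outbound;
#    conntrack reverses the DNAT on the reply, so no rule for that is needed;
#  - the host-specific SNAT sits before the general LAN SNAT so the internal
#    host's own connections leave as 1.2.3.5 (full 1:1 NAT, beyond the thread).
one_to_one_nat_rules() {
    cat <<EOF
ip addr add $PUBLIC_IP/$PREFIX dev $EXT_IFACE label $EXT_IFACE:0
iptables -t nat -I PREROUTING 1 -i $EXT_IFACE -d $PUBLIC_IP -j DNAT --to-destination $INTERNAL_HOST
iptables -I FORWARD 1 -i $EXT_IFACE -o $INT_IFACE -d $INTERNAL_HOST -j ACCEPT
iptables -I FORWARD 2 -i $INT_IFACE -o $EXT_IFACE -s $INTERNAL_HOST -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I POSTROUTING 1 -o $EXT_IFACE -s $INTERNAL_HOST -j SNAT --to-source $PUBLIC_IP
iptables -t nat -A POSTROUTING -o $EXT_IFACE -s $LAN_NET -j SNAT --to-source $PRIMARY_IP
EOF
}

# Number of iptables commands the script would issue (a self-check before applying).
iptables_rule_count() {
    one_to_one_nat_rules | grep -c '^iptables '
}

# Dry run by default: print the commands. DRY_RUN=0 executes them (requires root).
if [ "${DRY_RUN:-1}" = "1" ]; then
    one_to_one_nat_rules
else
    one_to_one_nat_rules | sh -e
fi
```

The first FORWARD rule is the "without any filtering" Steve asked for; a tighter policy would replace it with one rule per allowed port, keeping the ESTABLISHED,RELATED rule for the replies. The general LAN rule uses SNAT to a fixed address, as Joel recommends for a static public IP, in place of the script's MASQUERADE.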




* Re: Using an device alias?
  2003-01-03 19:28 Using an device alias? Steve M Bibayoff
  2003-01-04  3:33 ` Joel Newkirk
  2003-01-06  5:30 ` Raymond Leach
@ 2003-01-07 17:23 ` WA Support
  2 siblings, 0 replies; 7+ messages in thread
From: WA Support @ 2003-01-07 17:23 UTC (permalink / raw)
  To: netfilter

Steve,

The virtual interface is dealt with in the kernel, iptables doesn't care
about it, iptables just knows about the IP.

I have many virtual interfaces in rc.local, each associated with a
specific IP address.  All iptables cares about is the IP address.

What I have is this (I use a script as opposed to
/etc/sysconfig/ipchains).

(snip)

LAN_IP="192.168.1.5"
LAN_IP_RANGE="192.168.1.0/24"
LAN_BCAST_ADRESS="192.168.1.255"
LAN_IFACE="eth0"

...

#########################################################################################
#
# Rules for INPUT chain for virtual interfaces
#

$IPTABLES -A INPUT -p ALL -i $INET_IFACE -s $LAN_IP_RANGE -d $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP_RANGE -d $LAN_IP_RANGE -j ACCEPT


#
# Rules for OUTPUT chain for virtual interfaces
#

$IPTABLES -A OUTPUT -p ALL -s $LAN_IP_RANGE -j ACCEPT

#
#########################################################################################

# 
# Rules for special networks not part of the Internet
#
...

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT

...

(snip)

Hope this is what you were after, it works fine for me!

Murrah Boswell


Steve M Bibayoff wrote:
> 
> Sorry if everyone gets this twice, this one is a
> second posting when I realized this was a closed list.
> 
> Original question:
> Is it possible to use iptables with a device alias
> (e.g. eth0:1)? I tried to add a filter rule and got
> an error:
> % iptables -t filter -I INPUT -i eth0:1 -j ACCEPT
> Warning: wierd character in interface `eth0:1' (No
> aliases, :, ! or *).
> 
> If I list the rules, it's listed, but it doesn't
> appear to be working. I was wondering if someone had
> a definite answer.
> 
> TIA
> 
> Steve

