Virtual interfaces

Virtual interfaces

[Dott. Francesco Chicchiriccò]

[-- Attachment #1: Type: text/plain, Size: 1183 bytes --]

Hi,
after spending some time with iptables and linux virtual interfaces, I've 
decided to ask.

I have a Linux BOX acting as a router among different LANs. I'm doing some 
filtering (only ssh traffic coming from a certain MAC addrress can go from 
one LAN to another, an so on): 

iptables -t filter -P FORWARD DROP
iptables -A FORWARD -i eth0 -s 192.168.0.0/24 -p TCP -m mac --mac-source 
$whiskey_MAC -d 192.168.10.0/24 --dport 22 -j ACCEPT

With physical interfaces only, all works well. When a try to filter traffic 
between 2 LANs attached to the same physical interface but with 2 different 
virtual IPs, it starts messing. Nothing works, I can't even log packets.

Is that a known bug? Am I just misunderstanding?
Please help.
-- 
##################################################################

"Computer Science is no more about computers than astronomy 
is about telescopes." (E. W. Dijkstra)

Dott. Francesco Chicchiriccò
Amministratore unico
Tel 3290573276

ePOSSE S.r.l.
Sede operativa: Via dei Marrucini, 11 65127 Pescara
Tel / FAX 0854503336
http://www.eposse.it

##################################################################

[-- Attachment #2: signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Virtual interfaces

[Askar Ali Khan]

Hi Dott

On Mon, 5 Jul 2004 16:42:11 +0200, Dott. Francesco Chicchiriccò
<francesco.chicchiricco@eposse.it> wrote:
> Hi,
> after spending some time with iptables and linux virtual interfaces, I've
> decided to ask.
> 
> I have a Linux BOX acting as a router among different LANs. I'm doing some
> filtering (only ssh traffic coming from a certain MAC addrress can go from
> one LAN to another, an so on):
> 
> iptables -t filter -P FORWARD DROP
> iptables -A FORWARD -i eth0 -s 192.168.0.0/24 -p TCP -m mac --mac-source
> $whiskey_MAC -d 192.168.10.0/24 --dport 22 -j ACCEPT
> 
> With physical interfaces only, all works well. When a try to filter traffic
> between 2 LANs attached to the same physical interface but with 2 different
> virtual IPs, it starts messing. Nothing works, I can't even log packets.

Netfilter doesn't allow things like eth0:1 (it won't accept the
colon), so all you do is use the normal interface name (eth0).   

Regards
Askar
> 
> Is that a known bug? Am I just misunderstanding?
> Please help.
> --
> ##################################################################
> 
> "Computer Science is no more about computers than astronomy
> is about telescopes." (E. W. Dijkstra)
> 
> Dott. Francesco Chicchiriccò
> Amministratore unico
> Tel 3290573276
> 
> ePOSSE S.r.l.
> Sede operativa: Via dei Marrucini, 11 65127 Pescara
> Tel / FAX 0854503336
> http://www.eposse.it
> 
> ##################################################################
> 
> 
>

Re: Virtual interfaces

[Aleksandar Milivojevic]

Dott. Francesco Chicchiriccò wrote:
> With physical interfaces only, all works well. When a try to filter traffic 
> between 2 LANs attached to the same physical interface but with 2 different 
> virtual IPs, it starts messing. Nothing works, I can't even log packets.

Netfilter does not know about virtual interfaces.  Use physical 
interface names in combination with source and/or destination addresses 
(for example "-i eth0 -s 192.168.0.0/24").

 From security side, you are not gaining anything by filtering between 
two virutal interfaces on the same wire -- stations on those two 
networks can talk to each other directly anyhow.  If you haven't 
disabled ICMP redirects, you'll see that Linux kernel is sending out 
ICMP redirects telling 192.168.0.1 that 192.168.1.1 is on the same wire 
and to talk to it directly.

Re: virtual interfaces

[ip tables]

Hey Askar,

Thanks for your reply. What i wanted to do  was to
have 2 web servers having private IPs( Ex:
192.168.128.5 and 192.168.128.6 on the 255.255.255.0
subnet). The hub connecting these machines would be
connected to my Linux firewall machine. In other words
the private IPs are the ones that make my DMZ, I shall
call this interface which is connected to the DMZ as
eth1. 
What i want to do is redirect all requests to
64.24.12.45 to 192.168.128.5 and 64.24.12.46 to
192.168.128.6 at the moment i have no problem in doing
the natting and everything related to send/receive
from the 64.24.12.45. 
What i thought was to have a virtual interface and
bind the other internet routable address to it, ex
eth0:0. What are my options?
Also how could i do the POSTROUTING SNAT if I cannot
use virtual in terfaces?

Pls help ASAP.

Pretty tight siu here.

TIA

--- Askar Ali Khan <askarali@gmail.com> wrote:
> Hi TIA
> 
> Nope no virtual interfaces support in netfilter
> rules :), here what is
> the reply from Antony Stone to me when i got the
> same problem :)
> 
> "Secondly, netfilter doesn't allow things like
> eth0:1 (it won't accept the
> colon), so all you do is use the normal interface
> name (eth0).   It's the
> asme physical interface anyway, and this will do
> what you want - you can use
> -i eth0 and -o eth0 to match packets coming in or
> going out on eth0:1"
> 
> Regards
> Askar
> 
> On Sun, 4 Jul 2004 21:54:18 -0700 (PDT), ip tables
> <iptables_help@yahoo.com> wrote:
> > Hi gurus,
> > 
> > Does iptables support rules written with virtual
> > interfaces such as eth0:0 for all input,output and
> > forward chains?. Pls help urgent requirement!!
> > 
> > TIA
> > 
> > 
> > __________________________________
> > Do you Yahoo!?
> > Yahoo! Mail is new and improved - Check it out!
> > http://promotions.yahoo.com/new_mail
> > 
> >
> 



		
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!
http://promotions.yahoo.com/new_mail 

Re: virtual interfaces

[Ming-Ching Tiew]

> What i thought was to have a virtual interface and
> bind the other internet routable address to it, ex
> eth0:0. What are my options?
> Also how could i do the POSTROUTING SNAT if I cannot
> use virtual in terfaces?
> 

You can use the Source IP or Destination IP, can't you ?

....-i eth0 -A POSTROUTING -s 192.168.128.6 -j SNAT --to 64.24.12.46 
....-i eth0 -A POSTROUTING -s 192.168.128.5 -j SNAT --to 64.24.12.45 

....-i eth1 -A PREROUTING -d 64.24.12.46 -j DNAT --to 192.168.128.6
....-i eth1 -A PREROUTING -d 64.24.12.45 -j DNAT --to 192.168.128.5

virtual interfaces

[ip tables]

Hi gurus,

Does iptables support rules written with virtual
interfaces such as eth0:0 for all input,output and
forward chains?. Pls help urgent requirement!!

TIA


		
__________________________________
Do you Yahoo!?
Yahoo! Mail is new and improved - Check it out!
http://promotions.yahoo.com/new_mail