* forwarding ports from aliased ip addresses
@ 2005-06-06 22:07 Mike Pepe
From: Mike Pepe @ 2005-06-06 22:07 UTC (permalink / raw)
To: netfilter
Hi all. I'm new to the list but not to netfilter.
I have a firewall built, with eth5 on the internet. It accepts
connections on a few ports from allowed hosts and forwards them to boxes
in the DMZ. It works great.
I have another client that wants a box configured similarly. I would
like to add another internet ip as eth5:1 and then forward certain ports
on that new IP to a different box in the DMZ.
Using -i eth5:1 doesn't work.
Is this even possible? I've been up and down the man page and I can't
seem to figure out a way to differentiate the alias from the "normal"
ip. I guess I could add another network card and duplicate the scripts
but this seems so wasteful to me.
Hoping someone can help me with this!
thanks
-Mike
* Re: forwarding ports from aliased ip addresses
From: Daniel Ivanov @ 2005-06-07 9:56 UTC (permalink / raw)
To: netfilter
Yes, just use -d ip_of_client instead.
iptables -A FORWARD -i eth5 -o ethX -d dedicated_ip_of_client -j ACCEPT
Mike Pepe wrote:
> Hi all. I'm new to the list but not to netfilter.
>
> I have a firewall built, with eth5 on the internet. It accepts
> connections on a few ports from allowed hosts and forwards them to
> boxes in the DMZ. It works great.
>
> I have another client that wants a box configured similarly. I would
> like to add another internet ip as eth5:1 and then forward certain
> ports on that new IP to a different box in the DMZ.
>
> Using -i eth5:1 doesn't work.
>
> Is this even possible? I've been up and down the man page and I can't
> seem to figure out a way to differentiate the alias from the "normal"
> ip. I guess I could add another network card and duplicate the scripts
> but this seems so wasteful to me.
>
> Hoping someone can help me with this!
>
> thanks
>
> -Mike
>
* Re: forwarding ports from aliased ip addresses
From: Mike Pepe @ 2005-06-09 21:53 UTC (permalink / raw)
To: netfilter
So, nobody on the list knows if this is even possible?
I've been running all different sorts of combinations and I can't get it
to work.
Surely this is something not entirely out of the ordinary. I can't
imagine having to build another firewall box just to add another IP and
rules only for an alias.
Mike Pepe wrote:
> Hi all. I'm new to the list but not to netfilter.
>
> I have a firewall built, with eth5 on the internet. It accepts
> connections on a few ports from allowed hosts and forwards them to boxes
> in the DMZ. It works great.
>
> I have another client that wants a box configured similarly. I would
> like to add another internet ip as eth5:1 and then forward certain ports
> on that new IP to a different box in the DMZ.
>
> Using -i eth5:1 doesn't work.
>
> Is this even possible? I've been up and down the man page and I can't
> seem to figure out a way to differentiate the alias from the "normal"
> ip. I guess I could add another network card and duplicate the scripts
> but this seems so wasteful to me.
>
> Hoping someone can help me with this!
>
> thanks
>
> -Mike
* Re: forwarding ports from aliased ip addresses
From: Vivek Dasmohapatra @ 2005-06-09 22:06 UTC (permalink / raw)
To: Mike Pepe; +Cc: netfilter
On Thu, 9 Jun 2005, Mike Pepe wrote:
> Mike Pepe wrote:
>> Hi all. I'm new to the list but not to netfilter.
>>
>> Using -i eth5:1 doesn't work.
>>
>> Is this even possible? I've been up and down the man page and I can't seem
>> to figure out a way to differentiate the alias from the "normal" ip. I
>> guess I could add another network card and duplicate the scripts but this
>> seems so wasteful to me.
As I understand it, -i refers to the physical interface, which is eth5, not
any of its aliases.
You haven't said how you are forwarding the traffic: is it simple forwarding
to the DMZ address (i.e. the client box knows it is talking to the DMZ
address) or are you doing DNAT?
Either way, it doesn't matter.
You can specify that the packet is allowed through based on both the
physical interface in (-i) and the destination ip address (-d)
So, if you are doing simple filtering/forwarding, you need to
make your rule based on -i eth5 -d $dmz_ip_addr -s $allowed_client_net
in the filter table's FORWARD chain.
If you are doing DNAT, then you would make a similar decision, but in the
PREROUTING chain of the nat table, and possibly add another rule in the
forwarding table to allow the packets to traverse your firewall.
HTH
--
Vivek
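The approach Daniel and Vivek describe, as an added example that is not part of the thread: rules are keyed on the physical interface plus the public destination address, never on the alias name, with the DNAT decision in nat/PREROUTING and the allow rule in filter/FORWARD. Interface names, addresses and ports below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the nat/PREROUTING DNAT rule and
# the filter/FORWARD accept rule for one forwarded port on one public IP that
# lives on an alias of the WAN interface. All values are constructed placeholders.

# Strip an ifconfig-style alias suffix: "eth5:1" -> "eth5". iptables -i only
# knows the physical device, so a rule written with -i eth5:1 never matches.
phys_if() {
    printf '%s\n' "${1%%:*}"
}

# forward_rules WAN_IF PUBLIC_IP PORT DMZ_IF DMZ_IP ALLOWED_NET
# Prints the iptables commands instead of executing them; pipe to sh to apply.
forward_rules() {
    wan=$(phys_if "$1"); pub=$2; port=$3; dmz_if=$4; dmz=$5; src=$6
    # nat table: select the client by public address (not alias name) and
    # rewrite the destination to the DMZ host, restricted to the allowed source.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan" "$src" "$pub" "$port" "$dmz" "$port"
    # filter table: FORWARD sees the post-DNAT destination, so match the DMZ
    # address here, still pinned to the physical WAN interface and source net.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
        "$wan" "$dmz_if" "$src" "$dmz" "$port"
}

# Two clients on two addresses of the same physical interface; the second is
# passed as its alias name to show that the generated rules still use eth5.
forward_rules eth5   203.0.113.10 443 eth1 10.10.0.10 198.51.100.0/24
forward_rules eth5:1 203.0.113.11 22  eth1 10.10.0.20 192.0.2.0/24
```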