* iptables and device aliases
@ 2004-08-18 13:18 Dave Warchol
From: Dave Warchol @ 2004-08-18 13:18 UTC (permalink / raw)
To: netfilter
Hello:
I am new to the list. I am currently using iptables to
redirect traffic on eth0 for ports 80 and 443, to ports 8080 and 8443,
respectively. I have a request to set up another DNS name for this server
and to redirect entries coming to port 443 for this new DNS name to port
8444. I think that one way of doing this would be to define a device
alias, say eth0:1, assign it a new IP address and associate the new DNS
name with that new IP. I could then use iptables to redirect traffic on
eth0:1, port 443 to port 8444. I was just wondering if iptables
recognizes/supports device aliases or if there is a better way of
accomplishing the same thing.
Thanks very much,
Dave
* RE: iptables and device aliases
@ 2004-08-18 13:25 Jason Opperisano
From: Jason Opperisano @ 2004-08-18 13:25 UTC (permalink / raw)
To: netfilter
> Hello:
> I am new to the list. I am currently using iptables to
> redirect traffic on eth0 for ports 80 and 443, to ports 8080 and 8443,
> respectively. I have a request to set up another DNS name for this server
> and to redirect entries coming to port 443 for this new DNS name to port
> 8444. I think that one way of doing this would be to define a device
> alias, say eth0:1, assign it a new IP address and associate the new DNS
> name with that new IP. I could then use iptables to redirect traffic on
> eth0:1, port 443 to port 8444. I was just wondering if iptables
> recognizes/supports device aliases or if there is a better way of
> accomplishing the same thing.
iptables does not recognise the "eth0:1" syntax. use ip aliases:
ip address add x.x.x.x dev eth0
and then filter on "-i eth0" and ip address "x.x.x.x"
-j
* RE: iptables and device aliases
@ 2004-08-18 19:20 Dave Warchol
From: Dave Warchol @ 2004-08-18 19:20 UTC (permalink / raw)
To: netfilter
I will still need to define the device alias, correct?
Thanks
Dave
>>> "Jason Opperisano" <Jopperisano@alphanumeric.com> 08/18/04 09:25AM >>>
> Hello:
> I am new to the list. I am currently using iptables to
> redirect traffic on eth0 for ports 80 and 443, to ports 8080 and 8443,
> respectively. I have a request to set up another DNS name for this server
> and to redirect entries coming to port 443 for this new DNS name to port
> 8444. I think that one way of doing this would be to define a device
> alias, say eth0:1, assign it a new IP address and associate the new DNS
> name with that new IP. I could then use iptables to redirect traffic on
> eth0:1, port 443 to port 8444. I was just wondering if iptables
> recognizes/supports device aliases or if there is a better way of
> accomplishing the same thing.
iptables does not recognise the "eth0:1" syntax. use ip aliases:
ip address add x.x.x.x dev eth0
and then filter on "-i eth0" and ip address "x.x.x.x"
-j
* RE: iptables and device aliases
@ 2004-08-18 19:33 Daniel Chemko
From: Daniel Chemko @ 2004-08-18 19:33 UTC (permalink / raw)
To: Dave Warchol, netfilter
Dave Warchol wrote:
> I will still need to define the device alias, correct?
> Thanks
> Dave
>
The alias is optional. It's useful only if you're using older programs
pre-iproute2. It doesn't serve any purpose in the new system in my
experience.
The alias can NOT be used in conjunction with netfilter.
If you define eth0, eth0:0, and eth0:1, then netfilter just interprets
them all as eth0.
* RE: iptables and device aliases
@ 2004-08-18 19:41 Jason Opperisano
From: Jason Opperisano @ 2004-08-18 19:41 UTC (permalink / raw)
To: netfilter
> I will still need to define the device alias, correct?
> Thanks
> Dave
yeah--sorta...the term "device alias" is misleading--it's an IP alias. full example... today you have an external interface on your firewall; eth0, with IP address 1.2.3.4/24. you currently redirect port 443 to 10.1.1.100 port 8443, like so:
-A PREROUTING -i eth0 -p tcp --dport 443 \
-j DNAT --to-destination 10.1.1.100:8443
you now want to start redirecting port 443 on IP 1.2.3.5 to 10.1.1.101 on port 8443 (in addition to the above):
ip address add 1.2.3.5 dev eth0
-A PREROUTING -i eth0 -p tcp -d 1.2.3.4 --dport 443 \
-j DNAT --to-destination 10.1.1.100:8443
-A PREROUTING -i eth0 -p tcp -d 1.2.3.5 --dport 443 \
-j DNAT --to-destination 10.1.1.101:8443
since the inbound interface is "eth0" whether the destination IP is .4 or .5--you need to distinguish between the two with "-d x.x.x.x" so the traffic gets redirected correctly.
make sense?
-j
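The two points made in this thread (netfilter only sees the real device, never an "eth0:1" label, and a PREROUTING DNAT rule without "-d" catches traffic for every address on that interface) can be checked offline with a small model of the chain. The following is an added example, not code from the thread or from the netfilter project: the Packet and DnatRule classes, the rule sets and the 1.2.3.x / 10.1.1.x addresses are constructed to mirror Jason's rules, and first-match semantics are modelled because DNAT is a terminating target.

```python
# Added example, not from the thread: a small model of how the nat PREROUTING
# chain sees the rules Jason posted. It shows (a) that netfilter only knows
# the real device, so an "eth0:1" label collapses to "eth0", and (b) why a
# DNAT rule without "-d" captures traffic for every IP alias on the interface.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional


def netfilter_iface(label: str) -> str:
    """Map an ifconfig-style alias label (eth0:1) to the device netfilter sees (eth0)."""
    return label.split(":", 1)[0]


@dataclass(frozen=True)
class Packet:
    in_iface: str   # device the packet arrived on, possibly written as an alias label
    proto: str
    dst: str        # destination IP as a string
    dport: int


@dataclass(frozen=True)
class DnatRule:
    """One '-A PREROUTING ... -j DNAT' rule; dst=None means no '-d' match was given."""
    in_iface: str
    proto: str
    dport: int
    to: str                  # --to-destination host:port
    dst: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if netfilter_iface(pkt.in_iface) != self.in_iface:
            return False
        if pkt.proto != self.proto or pkt.dport != self.dport:
            return False
        # Without "-d", any destination address on the interface matches.
        return self.dst is None or ip_address(pkt.dst) == ip_address(self.dst)

    def render(self) -> str:
        """Emit the rule in iptables command syntax (nat table, PREROUTING chain)."""
        dmatch = f" -d {self.dst}" if self.dst else ""
        return (f"-A PREROUTING -i {self.in_iface} -p {self.proto}{dmatch} "
                f"--dport {self.dport} -j DNAT --to-destination {self.to}")


def prerouting(rules: List[DnatRule], pkt: Packet) -> Optional[str]:
    """First matching rule wins; DNAT is a terminating target, so stop there."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.to
    return None


def find_shadowed(rules: List[DnatRule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule matches a superset."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_key = (earlier.in_iface, earlier.proto, earlier.dport) == \
                       (later.in_iface, later.proto, later.dport)
            covers_dst = earlier.dst is None or earlier.dst == later.dst
            if same_key and covers_dst:
                shadowed.append(i)
                break
    return shadowed


# Constructed rule sets mirroring the thread: 1.2.3.4 is the original address,
# 1.2.3.5 the alias added with "ip address add 1.2.3.5 dev eth0".
RULES_WITHOUT_D = [
    DnatRule("eth0", "tcp", 443, "10.1.1.100:8443"),                 # no -d: catches both IPs
    DnatRule("eth0", "tcp", 443, "10.1.1.101:8443", dst="1.2.3.5"),  # never reached
]
RULES_WITH_D = [
    DnatRule("eth0", "tcp", 443, "10.1.1.100:8443", dst="1.2.3.4"),
    DnatRule("eth0", "tcp", 443, "10.1.1.101:8443", dst="1.2.3.5"),
]

if __name__ == "__main__":
    for name, rules in (("without -d", RULES_WITHOUT_D), ("with -d", RULES_WITH_D)):
        print(f"== rules {name} ==")
        for r in rules:
            print(r.render())
        for ip in ("1.2.3.4", "1.2.3.5"):
            # Write the alias address as arriving on "eth0:1" to show the label is ignored.
            pkt = Packet("eth0:1" if ip.endswith("5") else "eth0", "tcp", ip, 443)
            print(f"  {pkt.dst}:{pkt.dport} -> {prerouting(rules, pkt)}")
        print(f"  shadowed rule indexes: {find_shadowed(rules)}")
```

Running it shows the failure mode Jason warns about: with the original rule left without "-d", both 1.2.3.4 and 1.2.3.5 land on 10.1.1.100:8443 and the new rule is dead; once both rules carry "-d", each address reaches its own backend. The `find_shadowed` check is the kind of audit worth running on a real ruleset after adding an IP alias, since `iptables -L -n` will happily list the unreachable rule without complaint.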