Linux Netfilter discussions
* IP Aliasing
@ 2002-05-31 16:55 Michael Montero
  2002-05-31 17:18 ` George Georgalis
From: Michael Montero @ 2002-05-31 16:55 UTC
  To: netfilter

I'm trying to set up 2 IP aliases on my firewall box.  It's Redhat 7.2.  I
believe I have the 2 aliases (eth0:0 and eth0:1) set up properly.  Is there
anything in particular I need to do with iptables to activate these 2
interfaces?  I've attempted to execute rules with the interface specified
as eth0:0 and iptables does not seem to like that.  Anyone have any docs I
can read about proper IP aliasing under Redhat and what I need to do for
iptables?

Thanks!





* Re: IP Aliasing
  2002-05-31 16:55 Michael Montero
@ 2002-05-31 17:18 ` George Georgalis
From: George Georgalis @ 2002-05-31 17:18 UTC
  To: Michael Montero; +Cc: netfilter

On Fri, May 31, 2002 at 12:55:57PM -0400, Michael Montero wrote:
>I'm trying to set up 2 IP aliases on my firewall box.  It's Redhat 7.2.  I
>believe I have the 2 aliases (eth0:0 and eth0:1) set up properly.  Is there
>anything in particular I need to do with iptables to activate these 2
>interfaces?  I've attempted to execute rules with the interface specified
>as eth0:0 and iptables does not seem to like that.  Anyone have any docs I
>can read about proper IP aliasing under Redhat and what I need to do for
>iptables?
>

I would try '-i eth0' for all your aliases and use '-i/-o address[/mask]'
if you refer to a particular subnet. Reasoning: the interface is being
aliased and iptables sees them all as eth0.

Let me know if this works ;^) I'll be trying it shortly.

// George

-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229 
Security Services, Web, Mail,            mailto:george@galis.org 
File, Print, DB and DNS Servers.       http://www.galis.org/george 




* Re: IP Aliasing
@ 2002-05-31 23:32 j davis
From: j davis @ 2002-05-31 23:32 UTC
  To: netfilter


this does work, this is probably a weekly question trailing the ever popular
Q: what ports for my game? This question has been asked 2 or three times
just in the last few days...view the Virtual Host emails this week,

>From: George Georgalis <georgw@galis.org>
>To: Michael Montero <mmontero@mail.communityconnect.com>
>CC: netfilter@lists.samba.org
>Subject: Re: IP Aliasing
>Date: Fri, 31 May 2002 13:18:49 -0400
>
>On Fri, May 31, 2002 at 12:55:57PM -0400, Michael Montero wrote:
> >I'm trying to set up 2 IP aliases on my firewall box.  It's Redhat 7.2.  I
> >believe I have the 2 aliases (eth0:0 and eth0:1) set up properly.  Is there
> >anything in particular I need to do with iptables to activate these 2
> >interfaces?  I've attempted to execute rules with the interface specified
> >as eth0:0 and iptables does not seem to like that.  Anyone have any docs I
> >can read about proper IP aliasing under Redhat and what I need to do for
> >iptables?
> >
>
>I would try '-i eth0' for all your aliases and use '-i/-o address[/mask]'
>if you refer to a particular subnet. Reasoning: the interface is being
>aliased and iptables sees them all as eth0.
>
>Let me know if this works ;^) I'll be trying it shortly.
>
>// George
>
>--
>GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229
>Security Services, Web, Mail,            mailto:george@galis.org
>File, Print, DB and DNS Servers.       http://www.galis.org/george








* ip aliasing
@ 2005-06-19  0:08 John Black
  2005-06-19  0:40 ` ip aliasing (nfcan: addressed to exclusive sender for this address) Jim Laurino
From: John Black @ 2005-06-19  0:08 UTC
  To: netfilter

i'm trying to setup my firewall to do ip aliasing.  i have two private ip
addresses that i would like aliased.

if i run the command:
ifconfig eth0:0 10.10.10.11 netmask 255.255.255.0   # 10.10.10.11 = public address

then in my firewall script i have:
    iptables -t nat -A PREROUTING -d 192.168.180.181 -i eth0 \
                -j DNAT --to-destination 10.10.10.11

is this right?  since eth0 is the address connecting the firewall to the 
internet?

thanks
john 




* Re: ip aliasing (nfcan: addressed to exclusive sender for this address)
  2005-06-19  0:08 ip aliasing John Black
@ 2005-06-19  0:40 ` Jim Laurino
From: Jim Laurino @ 2005-06-19  0:40 UTC
  To: netfilter

On 2005.06.18 20:08, John Black - black@arbbs.net wrote:
> i'm trying to setup my firewall to do ip aliasing.  i have two private ip
> addresses that i would like aliased.

I am not sure I understand what you mean by 'ip aliasing'.
DNAT can translate incoming destination addresses to new
destination addresses. This is usually done to allow
outside access to individual ports on hosts on your
private network.

If you wish to allow two hosts on the private network
to share one public ip address, then you probably want to use
masquerade (if the public ip address is assigned dynamically)
or SNAT (if the public ip address is static).

Source NAT can convert the source address of outgoing
packets from the private addresses of a group of hosts
on the private network into your shared, public ip address.
SNAT will also take care of the reverse translation
of destination addresses in reply packets from the outside.

> 
> if i run the command:
> ifconfig eth0:0 10.10.10.11 netmask 255.255.255.0   # 10.10.10.11 = public address
> 
> then in my firewall script i have:
>    iptables -t nat -A PREROUTING -d 192.168.180.181 -i eth0 \
>                -j DNAT --to-destination 10.10.10.11
> 
> is this right?  since eth0 is the address connecting the firewall to the  
> internet?

I think you have the two ip address fields backwards.

try -d 10.10.10.11
- This is the destination address as it arrives at the firewall.

try -j DNAT --to-destination 192.168.180.181
- This is the private destination address
  that the incoming public address should be translated to.

Also, you may need other rules to forward the packet
after the destination address has been translated.

-- 
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.
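
Added example, not part of any message in this thread: a POSIX sh helper that prints (does not run) the rule set the two exchanges above arrive at, using the base device for an alias label and the corrected DNAT direction. The function names are hypothetical, and the two FORWARD rules are an assumption about what the "other rules to forward the packet" could look like.

```shell
#!/bin/sh
# Addresses below are the ones quoted in the thread.

# eth0:0 -> eth0. An alias label only names an extra address on one device;
# packets for every alias address arrive on the base device.
base_iface() {
    printf '%s\n' "${1%%:*}"
}

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# dnat_rules <outside-iface-or-alias> <public-alias-ip> <private-ip>
dnat_rules() {
    iface=$(base_iface "$1")
    is_ipv4 "$2" && is_ipv4 "$3" || { echo "bad address" >&2; return 1; }
    # Match the destination as it arrives at the firewall (the alias
    # address), then rewrite it to the private host.
    echo "iptables -t nat -A PREROUTING -i $iface -d $2 -j DNAT --to-destination $3"
    # Assumed filter rules: FORWARD sees the already-translated destination.
    echo "iptables -A FORWARD -i $iface -d $3 -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

dnat_rules eth0:0 10.10.10.11 192.168.180.181
```

Review the printed commands before running them as root; forwarding also requires IP forwarding to be enabled on the firewall.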


