Re: alias interfaces

Re: alias interfaces

[Mario Antonio]

Antony,

Thanks again for your kindness.

I was also doubting about routing problems, but why when I accept all the
traffic in the INPUT chain, everything works find?


Linux 7.3 and iptables v1.2.7a
eth0=10.10.10.239
eth0:0=10.10.13.227
 workstation accessing the server: 10.10.10.19 netmask 255.255.255.0



This is my ifconfig:
eth0      Link encap:Ethernet  HWaddr 00:06:5B:8C:72:5F
          inet addr:10.10.10.239  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:41195 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19820 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:12109228 (11.5 Mb)  TX bytes:3289639 (3.1 Mb)
          Interrupt:16 Base address:0xa000

eth0:0    Link encap:Ethernet  HWaddr 00:06:5B:8C:72:5F
          inet addr:10.10.13.227  Bcast:10.10.13.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:16 Base address:0xa000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:812 (812.0 b)  TX bytes:812 (812.0 b)


This is my netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt
Iface
10.10.10.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
10.10.13.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         10.10.10.1    0.0.0.0         UG       40 0          0 eth0


My simple rules againg:

#! /bin/sh
 /usr/local/sbin/iptables -F
 /usr/local/sbin/iptables -P INPUT DROP
 #/usr/local/sbin/iptables -A INPUT   -j LOG --log-prefix "IPTABLES-IN "
 /usr/local/sbin/iptables -P FORWARD ACCEPT
 /usr/local/sbin/iptables -P OUTPUT ACCEPT
 /usr/local/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j
ACCEPT
/usr/local/sbin/iptables -A INPUT -s 10.10.10.19  -d 10.10.10.239 -p tcp -m
tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/usr/local/sbin/iptables -A INPUT -i eth0  -s 10.10.10.19  -d
 10.10.13.227 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/usr/local/sbin/iptables -A INPUT   -j LOG --log-prefix "IPTABLES-IN "


Regards

Mario


----------------------------------------------------------------------------
----------------
Log entries do not tell you whether the packet is accepted, dropped,
rejected, or whatever.   They simply record the fact that the packet was
seen
at the position in the ruleset where you have your logging rule.

It is the rule/s which come after that (or the default policy) which
determines what actually happens to the packets.

What netmask do you have on your machines ?

Antony.

---
[This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]

Re: alias interfaces

[Antony Stone]

On Saturday 19 October 2002 12:40 am, Mario Antonio wrote:

> Antony,
>
> Thanks again for your kindness.
>
> I was also doubting about routing problems, but why when I accept all the
> traffic in the INPUT chain, everything works fine?

I can't say, but your netmask / routing table is the problem.

> Linux 7.3 and iptables v1.2.7a
> eth0=10.10.10.239
> eth0:0=10.10.13.227
>  workstation accessing the server: 10.10.10.19 netmask 255.255.255.0

This is a Class C netmask.   All machines on the local network must have 
10.10.10 as the first three bytes of the address.   You are trying to contact 
address 10.10.13.227, which is on a different network.

Change the aliased address so that it is on the 10.10.10.0 network, or change 
your netmask so you have at least a Class B subnet.

Antony

-- 

KDE 3.0.3 contains an important fix for handling SSL certificates.  Users of 
Internet Explorer, which suffers from the same problem but which
does not yet have a fix available, are also encouraged to switch to KDE 3.0.3.

http://www.kde.org/announcements/announce-3.0.3.html

Re: alias interfaces

[Mario Antonio]

Antony,

Thanks for your feedback and patience.
Things are working nicely now.

Regards  ( By the way, I enjoy your sayings in your emails)

Mario


----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.netfilter.org>
Sent: Saturday, October 19, 2002 4:05 AM
Subject: Re: alias interfaces


> On Saturday 19 October 2002 12:40 am, Mario Antonio wrote:
>
> > Antony,
> >
> > Thanks again for your kindness.
> >
> > I was also doubting about routing problems, but why when I accept all
the
> > traffic in the INPUT chain, everything works fine?
>
> I can't say, but your netmask / routing table is the problem.
>
> > Linux 7.3 and iptables v1.2.7a
> > eth0=10.10.10.239
> > eth0:0=10.10.13.227
> >  workstation accessing the server: 10.10.10.19 netmask 255.255.255.0
>
> This is a Class C netmask.   All machines on the local network must have
> 10.10.10 as the first three bytes of the address.   You are trying to
contact
> address 10.10.13.227, which is on a different network.
>
> Change the aliased address so that it is on the 10.10.10.0 network, or
change
> your netmask so you have at least a Class B subnet.
>
> Antony
>
> --
>
> KDE 3.0.3 contains an important fix for handling SSL certificates.  Users
of
> Internet Explorer, which suffers from the same problem but which
> does not yet have a fix available, are also encouraged to switch to KDE
3.0.3.
>
> http://www.kde.org/announcements/announce-3.0.3.html
>
> ---
> [This e-mail was scanned for viruses by Webjogger's AntiVirus Protection
System]
>
>

---
[This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]

alias interfaces

[Mario Antonio]

Dear List,

I have configured eth0(10.10.10.2) and the alias interface eth0:0
(10.10.10.3)

do I have to specify both interfaces in my set of rules to allow traffic in?

something like:

/usr/local/sbin/iptables -A INPUT -i eth0    -s 0/0 -d 10.10.10.2 -p tcp -m
tcp --dport 80 -j ACCEPT
/usr/local/sbin/iptables -A INPUT -i eth0:0  -s 0/0 -d 10.10.10.3 -p tcp -m
tcp --dport 80 -j ACCEPT

How shoud I handle the alias interfaces?

Regards

Mario

---
[This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]

Re: alias interfaces

[Antony Stone]

On Friday 18 October 2002 5:20 pm, Mario Antonio wrote:

> Dear List,
>
> I have configured eth0(10.10.10.2) and the alias interface eth0:0
> (10.10.10.3)
>
> do I have to specify both interfaces in my set of rules to allow traffic
> in?

No, in fact you cannot.

> /usr/local/sbin/iptables -A INPUT -i eth0    -s 0/0 -d 10.10.10.2 -p tcp -m
> tcp --dport 80 -j ACCEPT
> /usr/local/sbin/iptables -A INPUT -i eth0:0  -s 0/0 -d 10.10.10.3 -p tcp -m
> tcp --dport 80 -j ACCEPT

You will find that the latter rule generates an error, since netfilter does 
not allow : characters in interface names.

> How should I handle the alias interfaces?

For the INPUT chain, specify the destination address.   For the FORWARD 
chain, it doesn't matter anyway.

Antony.

-- 

G- GIT/E d- s+:--(-) a+ C++++$ UL++++$ P+(---)>++ L+++(++++)$ !E W(-) N(-) o? 
w-- O !M V+++(--) !PS !PE Y+ PGP+> t- tv@ b+++ DI++ D--- e++>+++ h++ r@? 5? 
!X- !R K--?

Re: alias interfaces

[Antony Stone]

On Friday 18 October 2002 8:57 pm, Mario Antonio wrote:

> Antony,
>
> Thanks for your reply. I really appreciate it.
>
> Linux 7.3 and iptables v1.2.7a
> eth0=10.10.10.239
> eth0:0=10.10.13.227
>
> workstation accessing the server: 10.10.10.19
>
> I have the following testing set of rules:
>
> #! /bin/sh
> /usr/local/sbin/iptables -F
> /usr/local/sbin/iptables -P INPUT DROP
> #/usr/local/sbin/iptables -A INPUT   -j LOG --log-prefix "IPTABLES-IN "
> /usr/local/sbin/iptables -P FORWARD ACCEPT
> /usr/local/sbin/iptables -P OUTPUT ACCEPT
> /usr/local/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j
> ACCEPT
> /usr/local/sbin/iptables -A INPUT -s 10.10.10.19  -d 10.10.10.239 -p tcp -m
> tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> /usr/local/sbin/iptables -A INPUT -i eth0  -s 10.10.10.19  -d
> 10.10.13.227 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>
> With my set of rules I can access 10.10.10.239 without any problem.
> But to access 10.10.13.227, I have to set -->iptables -P INPUT ACCEPT
> What am I missing?

I don't know.   Try adding a LOGging rule at the end of your INPUT chain to 
see what extra packets are trying to get in but are being blocked.

Antony.

-- 

Abandon hope, all ye who enter here.
You'll feel much better about things once you do.

Re: alias interfaces

[Antony Stone]

On Friday 18 October 2002 9:45 pm, Mario Antonio wrote:

> Antony,
>
> I add the following rule:
> /usr/local/sbin/iptables -A INPUT   -j LOG --log-prefix "IPTABLES-IN "
>
> And I get the following message, While triyng to access through port 80:
>
> Oct 18 16:30:00 web_2 kernel: IPTABLES-IN IN=eth0 OUT=
> MAC=00:06:5b:8c:72:5f:00:b0:d0:15:1d:37:08:00 SRC=10.10.10.19
> DST=10.10.13.227 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=34547 PROTO=TCP
> SPT=1799 DPT=80 WINDOW=65520 RES=0x00 SYN URGP=0
>
> Any clue?
> How can this log tell me that that packet was blocked?

Log entries do not tell you whether the packet is accepted, dropped, 
rejected, or whatever.   They simply record the fact that the packet was seen 
at the position in the ruleset where you have your logging rule.

It is the rule/s which come after that (or the default policy) which 
determines what actually happens to the packets.

What netmask do you have on your machines ?

Antony.

PS: Please answer to the list.

-- 

Anything that improbable is effectively impossible.

 - Murray Gell-Mann, Nobel Prizewinner in Physics