Linux Netfilter discussions
* firewall rules for subinterfaces
From: Chris Verges @ 2004-10-15  3:55 UTC (permalink / raw)
  To: netfilter

Hey,

Is there a way to add firewall rules for subinterfaces?  I'm
trying to do the equivalent of:

  eth0   Intel Pro 10/100
    eth0:0   192.168.1.1
    eth0:1   192.168.2.1

  iptables -A INPUT -p icmp -i eth0:0 -j DENY
  iptables -A INPUT -p icmp -i eth0:1 -j ACCEPT

When I try to do this at the command line, iptables spits back
an error about how colons (:) are not allowed in the interface
name.  That brings up the interesting question of how to do this
whole thing ...

Any advice or insight is greatly appreciated!

Thanks,

chris
-- 
http://headnut.org
squirrel@headnut.org



* Re: firewall rules for subinterfaces
From: Leonardo Rodrigues Magalhães @ 2004-10-15 12:03 UTC (permalink / raw)
  To: Chris Verges, netfilter


    Short answer: NO

    Better answer: iptables cannot use subinterfaces. What you can do is, 
instead of using the subinterface as your criteria, use your IP addresses. 
So, in your situation, you can do:

iptables -A INPUT -i eth0 -p icmp -d 192.168.1.1 -j DROP
iptables -A INPUT -i eth0 -p icmp -d 192.168.2.1 -j ACCEPT

    If you REALLY need to differentiate subinterfaces, then you should try to 
split subinterfaces into two real interfaces.


    Sincerely,
    Leonardo Rodrigues

----- Original Message ----- 
From: "Chris Verges" <squirrel@headnut.org>
To: <netfilter@lists.netfilter.org>
Sent: Friday, October 15, 2004 12:55 AM
Subject: firewall rules for subinterfaces


> Hey,
>
> Is there a way to add firewall rules for subinterfaces?  I'm
> trying to do the equivalent of:
>
>  eth0   Intel Pro 10/100
>    eth0:0   192.168.1.1
>    eth0:1   192.168.2.1
>
>  iptables -A INPUT -p icmp -i eth0:0 -j DENY
>  iptables -A INPUT -p icmp -i eth0:1 -j ACCEPT
>
> When I try to do this at the command line, iptables spits back
> an error about how colons (:) are not allowed in the interface
> name.  That brings up the interesting question of how to do this
> whole thing ...
>
> Any advice or insight is greatly appreciated!
>
> Thanks,
>
> chris
> -- 
> http://headnut.org
> squirrel@headnut.org
>
> 




* Re: firewall rules for subinterfaces
From: George Alexandru Dragoi @ 2004-10-15 12:06 UTC (permalink / raw)
  To: netfilter

The -i is for interfaces only, not ip aliases. Try

iptables -A INPUT -p icmp -i eth0 -d 192.168.1.1 -j DENY
iptables -A INPUT -p icmp -i eth0 -d 192.168.2.1 -j ACCEPT

And, I don't think there is such a thing called DENY unless you -N it.

On Thu, 14 Oct 2004 23:55:35 -0400, Chris Verges <squirrel@headnut.org> wrote:
> Hey,
> 
> Is there a way to add firewall rules for subinterfaces?  I'm
> trying to do the equivalent of:
> 
>   eth0   Intel Pro 10/100
>     eth0:0   192.168.1.1
>     eth0:1   192.168.2.1
> 
>   iptables -A INPUT -p icmp -i eth0:0 -j DENY
>   iptables -A INPUT -p icmp -i eth0:1 -j ACCEPT
> 
> When I try to do this at the command line, iptables spits back
> an error about how colons (:) are not allowed in the interface
> name.  That brings up the interesting question of how to do this
> whole thing ...
> 
> Any advice or insight is greatly appreciated!
> 
> Thanks,
> 
> chris
> --
> http://headnut.org
> squirrel@headnut.org
> 
> 


-- 
Bla bla



* Re: firewall rules for subinterfaces
From: Aleksandar Milivojevic @ 2004-10-15 13:20 UTC (permalink / raw)
  To: netfilter

Chris Verges wrote:
> Hey,
> 
> Is there a way to add firewall rules for subinterfaces?  I'm
> trying to do the equivalent of:
> 
>   eth0   Intel Pro 10/100
>     eth0:0   192.168.1.1
>     eth0:1   192.168.2.1
> 
>   iptables -A INPUT -p icmp -i eth0:0 -j DENY
>   iptables -A INPUT -p icmp -i eth0:1 -j ACCEPT

Nope, you can't do that.  There's no point in doing it.  Just as you 
added virtual interfaces to your firewall box, so can any node on your 
network, effectively bypassing such firewall rules.  If you have a need 
for such rules, then you really have a need for two separate physical 
networks (otherwise, you are implementing security by obscurity, which 
doesn't really work).

If all you wanted to do is to force clients to use a specific IP address 
on your firewall box, then do it by specifying the destination IP address 
("-i eth0 -d 192.168.1.1 -j DROP" and "-i eth0 -d 192.168.2.1 -j 
ACCEPT").  BTW, dropping all ICMP traffic might not be a good idea.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7



* Re: firewall rules for subinterfaces
From: Andre Correa @ 2004-10-15 14:25 UTC (permalink / raw)
  To: netfilter


Hi, there is really no meaning in setting rules for subinterfaces. If 
you need to segment your network and can't plug in new NICs, look for VLANs. 
You can apply rules indicating VLAN interfaces (-i and -o) like this: 
eth0.100, eth0.200, etc...

Somebody correct me if I'm wrong, but this was made possible under >= 2.6 
kernel versions; on 2.4.x you can't do it either.

Hope it helps.

Andre



Aleksandar Milivojevic wrote:
> Chris Verges wrote:
> 
>> Hey,
>>
>> Is there a way to add firewall rules for subinterfaces?  I'm
>> trying to do the equivalent of:
>>
>>   eth0   Intel Pro 10/100
>>     eth0:0   192.168.1.1
>>     eth0:1   192.168.2.1
>>
>>   iptables -A INPUT -p icmp -i eth0:0 -j DENY
>>   iptables -A INPUT -p icmp -i eth0:1 -j ACCEPT
> 
> 
> Nope, you can't do that.  There's no point in doing it.  Just as you 
> added virtual interfaces to your firewall box, so can any node on your 
> network, effectively bypassing such firewall rules.  If you have a need 
> for such rules, then you really have a need for two separate physical 
> networks (otherwise, you are implementing security by obscurity, which 
> doesn't really work).
> 
> If all you wanted to do is to force clients to use specific IP address 
> on your firewall box, then do it by specifying destination IP address 
> ("-i eth0 -d 192.168.1.1 -j DROP" and "-i eth0 -d 192.168.2.1 -j 
> ACCEPT").  BTW, dropping all ICMP traffic might not be a good idea.
> 




* Re: firewall rules for subinterfaces
From: Cedric Blancher @ 2004-10-15 14:44 UTC (permalink / raw)
  To: Andre Correa; +Cc: netfilter

On Fri 15/10/2004 at 16:25, Andre Correa wrote:
> Hi, there is really no meaning in setting rules for subinterfaces. If 
> you need to segment your network and can't plug in new NICs, look for VLANs. 
> You can apply rules indicating VLAN interfaces (-i and -o) like this: 
> eth0.100, eth0.200, etc...

Definitely true.
Different IP address spaces on the same ethernet segment are a joke to
fool.

> Somebody correct me if I'm wrong, but this was made possible under >= 2.6 
> kernel versions; on 2.4.x you can't do it either.

VLAN support is available for kernel >= 2.4.14 and 2.6. Otherwise, you
can find patches for >=2.2.13 at :

	http://www.candelatech.com/~greear/vlan.html

You can also find a "Linux VLAN + Cisco" HOWTO at :

	http://www.candelatech.com/~greear/vlan/cisco_howto.html


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

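The two answers above boil down to one rewrite rule: an alias such as eth0:0 is not an interface netfilter can match, so a rule written against it becomes "parent interface plus destination address", while a VLAN interface (eth0.100) is a real interface and can be named in -i directly. The script below is an added example, not code from anyone in this thread; the rule table, the helper names and the interface-name check (no colon, at most 15 characters) are my own assumptions.

```shell
#!/bin/sh
# Rewrite alias-style firewall intents into rules iptables will accept.
# Constructed input table (not from the thread): interface, address, target.
RULES='eth0:0 192.168.1.1 DROP
eth0:1 192.168.2.1 ACCEPT
eth0.100 10.0.100.1 ACCEPT'

# Is the name usable as an iptables -i argument? Assumed check: non-empty,
# no colon (that is an IP alias, not an interface), at most 15 characters.
iface_ok() {
    case "$1" in
        ''|*:*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Only the built-in targets are accepted here. A user-defined chain created
# with -N would also be valid, but DENY is not a target unless you created it.
target_ok() {
    case "$1" in
        ACCEPT|DROP|REJECT) return 0 ;;
    esac
    return 1
}

# Print one INPUT rule for ICMP. An alias name (eth0:0) is reduced to its
# parent interface and the address selects the alias instead.
icmp_rule() {
    iface=$1; addr=$2; target=$3
    if ! target_ok "$target"; then
        echo "icmp_rule: unknown target '$target' (did you mean DROP?)" >&2
        return 1
    fi
    if ! iface_ok "$iface"; then
        iface=${iface%%:*}
    fi
    printf 'iptables -A INPUT -i %s -p icmp -d %s -j %s\n' "$iface" "$addr" "$target"
}

# Emit the whole table; fails if any line cannot be rewritten.
gen_rules() {
    printf '%s\n' "$RULES" | while read -r iface addr target; do
        icmp_rule "$iface" "$addr" "$target" || exit 1
    done
}

gen_rules
```

Note that, as Aleksandar points out, the -d match only selects which address on the firewall box is reachable; it does not stop another host on the same segment from claiming an address in the other range, which is what the VLAN split is for.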

