* Re: firewall rules for subinterfaces
2004-10-15 3:55 firewall rules for subinterfaces Chris Verges
@ 2004-10-15 12:03 ` Leonardo Rodrigues Magalhães
2004-10-15 12:06 ` George Alexandru Dragoi
2004-10-15 13:20 ` Aleksandar Milivojevic
2 siblings, 0 replies; 6+ messages in thread
From: Leonardo Rodrigues Magalhães @ 2004-10-15 12:03 UTC (permalink / raw)
To: Chris Verges, netfilter
Short answer: NO
Better answer: iptables cannot use subinterfaces. What you can do is,
instead of using the subinterface as your criteria, use your IP addresses.
So, in your situation, you can do:
iptables -A INPUT -i eth0 -p icmp -d 192.168.1.1 -j DROP
iptables -A INPUT -i eth0 -p icmp -d 192.168.2.1 -j ACCEPT
If you REALLY need to difference subinterfaces, then you should try to
split subinterfaces in two real interfaces.
Sincerily,
Leonardo Rodrigues
----- Original Message -----
From: "Chris Verges" <squirrel@headnut.org>
To: <netfilter@lists.netfilter.org>
Sent: Friday, October 15, 2004 12:55 AM
Subject: firewall rules for subinterfaces
> Hey,
>
> Is there a way to add firewall rules for subinterfaces? I'm
> trying to do the equivalent of:
>
> eth0 Intel Pro 10/100
> eth0:0 192.168.1.1
> eth0:1 192.168.2.1
>
> iptables -A INPUT -p icmp -i eth0:0 -j DENY
> iptables -A INPUT -p icmp -i eth0:1 -j ACCEPT
>
> When I try to do this at the command line, iptables spits back
> an error about how colons (:) are not allowed in the interface
> name. That brings up the interesting question of how to do this
> whole thing ...
>
> Any advice or insight is greatly appreciated!
>
> Thanks,
>
> chris
> --
> http://headnut.org
> squirrel@headnut.org
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: firewall rules for subinterfaces
2004-10-15 3:55 firewall rules for subinterfaces Chris Verges
2004-10-15 12:03 ` Leonardo Rodrigues Magalhães
@ 2004-10-15 12:06 ` George Alexandru Dragoi
2004-10-15 13:20 ` Aleksandar Milivojevic
2 siblings, 0 replies; 6+ messages in thread
From: George Alexandru Dragoi @ 2004-10-15 12:06 UTC (permalink / raw)
To: netfilter
The -i is for interfaces only, not ip aliases. Try
iptables -A INPUT -p icmp -i eth0 -d 192.168.1.1 -j DENY
iptables -A INPUT -p icmp -i eth0 -d 192.168.2.1 -j ACCEPT
And, I don't thing there is such a thing called DENY unless You -N it.
On Thu, 14 Oct 2004 23:55:35 -0400, Chris Verges <squirrel@headnut.org> wrote:
> Hey,
>
> Is there a way to add firewall rules for subinterfaces? I'm
> trying to do the equivalent of:
>
> eth0 Intel Pro 10/100
> eth0:0 192.168.1.1
> eth0:1 192.168.2.1
>
> iptables -A INPUT -p icmp -i eth0:0 -j DENY
> iptables -A INPUT -p icmp -i eth0:1 -j ACCEPT
>
> When I try to do this at the command line, iptables spits back
> an error about how colons (:) are not allowed in the interface
> name. That brings up the interesting question of how to do this
> whole thing ...
>
> Any advice or insight is greatly appreciated!
>
> Thanks,
>
> chris
> --
> http://headnut.org
> squirrel@headnut.org
>
>
--
Bla bla
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: firewall rules for subinterfaces
2004-10-15 3:55 firewall rules for subinterfaces Chris Verges
2004-10-15 12:03 ` Leonardo Rodrigues Magalhães
2004-10-15 12:06 ` George Alexandru Dragoi
@ 2004-10-15 13:20 ` Aleksandar Milivojevic
2004-10-15 14:25 ` Andre Correa
2 siblings, 1 reply; 6+ messages in thread
From: Aleksandar Milivojevic @ 2004-10-15 13:20 UTC (permalink / raw)
To: netfilter
Chris Verges wrote:
> Hey,
>
> Is there a way to add firewall rules for subinterfaces? I'm
> trying to do the equivalent of:
>
> eth0 Intel Pro 10/100
> eth0:0 192.168.1.1
> eth0:1 192.168.2.1
>
> iptables -A INPUT -p icmp -i eth0:0 -j DENY
> iptables -A INPUT -p icmp -i eth0:1 -j ACCEPT
Nope you can't do that. There's no point in doing it. Just as you
added virtual interfaces to your firewall box, so can any node on your
network, effectively bypassing such firewall rules. If you have a need
for such rules, than you really have a need for two separate physical
networks (otherwise, you are implementing security by obscurity, which
doesn't really work).
If all you wanted to do is to force clients to use specific IP address
on your firewall box, then do it by specifying destination IP address
("-i eth0 -d 192.168.1.1 -j DROP" and "-i eth0 -d 192.168.2.1 -j
ACCEPT"). BTW, dropping all ICMP traffic might not be a good idea.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: firewall rules for subinterfaces
2004-10-15 13:20 ` Aleksandar Milivojevic
@ 2004-10-15 14:25 ` Andre Correa
2004-10-15 14:44 ` Cedric Blancher
0 siblings, 1 reply; 6+ messages in thread
From: Andre Correa @ 2004-10-15 14:25 UTC (permalink / raw)
To: netfilter
Hi, there is really no meaning on setting rules for subinterfaces, If
you need to segment your network and can't plug new NICs look for VLANs.
You can apply rules indicating VLAN interfaces (-i and -o) like this:
eth0.100, eth0.200, etc...
Somebody correct me if I'm wrong but this was made possible under >= 2.6
kernel versions, on 2.4.x you can't do it too.
Hope it helps.
Andre
Aleksandar Milivojevic wrote:
> Chris Verges wrote:
>
>> Hey,
>>
>> Is there a way to add firewall rules for subinterfaces? I'm
>> trying to do the equivalent of:
>>
>> eth0 Intel Pro 10/100
>> eth0:0 192.168.1.1
>> eth0:1 192.168.2.1
>>
>> iptables -A INPUT -p icmp -i eth0:0 -j DENY
>> iptables -A INPUT -p icmp -i eth0:1 -j ACCEPT
>
>
> Nope you can't do that. There's no point in doing it. Just as you
> added virtual interfaces to your firewall box, so can any node on your
> network, effectively bypassing such firewall rules. If you have a need
> for such rules, than you really have a need for two separate physical
> networks (otherwise, you are implementing security by obscurity, which
> doesn't really work).
>
> If all you wanted to do is to force clients to use specific IP address
> on your firewall box, then do it by specifying destination IP address
> ("-i eth0 -d 192.168.1.1 -j DROP" and "-i eth0 -d 192.168.2.1 -j
> ACCEPT"). BTW, dropping all ICMP traffic might not be a good idea.
>
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: firewall rules for subinterfaces
2004-10-15 14:25 ` Andre Correa
@ 2004-10-15 14:44 ` Cedric Blancher
0 siblings, 0 replies; 6+ messages in thread
From: Cedric Blancher @ 2004-10-15 14:44 UTC (permalink / raw)
To: Andre Correa; +Cc: netfilter
Le ven 15/10/2004 à 16:25, Andre Correa a écrit :
> Hi, there is really no meaning on setting rules for subinterfaces, If
> you need to segment your network and can't plug new NICs look for VLANs.
> You can apply rules indicating VLAN interfaces (-i and -o) like this:
> eth0.100, eth0.200, etc...
Definitly true.
Different IP addresses spaces on the same ethernet segment are a joke to
fool.
> Somebody correct me if I'm wrong but this was made possible under >= 2.6
> kernel versions, on 2.4.x you can't do it too.
VLAN support is available for kernel >= 2.4.14 and 2.6. Otherwise, you
can find patches for >=2.2.13 at :
http://www.candelatech.com/~greear/vlan.html
You can also find a "Linux VLAN + Cisco" HOWTO at :
http://www.candelatech.com/~greear/vlan/cisco_howto.html
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
^ permalink raw reply [flat|nested] 6+ messages in thread