Iptables and vlan interfaces

Iptables and vlan interfaces

[sebastian.ionita]

Why doesn't iptables works with vlans interfaces? 

iptables -t mangle -A FORWARD -i eth0 -o eth1.11 -j MARK --set-mark 4
Gives me the error:
host/network eth1.11 not found. 

I'm running kernel version 2.4.27. with iptables 1.2.9 

The eth1.11 exists works perfectly. 

Seby, 

Re: Iptables and vlan interfaces

[Sascha Reissner]

sebastian.ionita@focomunicatii.ro wrote:
> Why doesn't iptables works with vlans interfaces?
> iptables -t mangle -A FORWARD -i eth0 -o eth1.11 -j MARK --set-mark 4
> Gives me the error:
> host/network eth1.11 not found.
> I'm running kernel version 2.4.27. with iptables 1.2.9
> The eth1.11 exists works perfectly.
> Seby,
> 
> 
> 

eth1.11 is the same physical device as eth1. use eth1 in your rule and 
you are fine. netfiler does IMHO not support filtering by logical interface.

Re: Iptables and vlan interfaces

[Marc Haber]

On Fri, Sep 30, 2005 at 01:34:01PM +0200, Sascha Reissner wrote:
> eth1.11 is the same physical device as eth1.

Doesn't matter here.

> use eth1 in your rule and you are fine.

Bad advice. eth1 is most probably a completely different IP network.

> netfiler does IMHO not support filtering by logical interface.

It does. I do, however, not know why the original poster's commandline
is not accepted as it seems to be OK on first sight.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Re: Iptables and vlan interfaces

[Marcin Giedz]

Dnia piątek, 30 września 2005 13:34, Sascha Reissner napisał:
> sebastian.ionita@focomunicatii.ro wrote:
> > Why doesn't iptables works with vlans interfaces?
> > iptables -t mangle -A FORWARD -i eth0 -o eth1.11 -j MARK --set-mark 4
> > Gives me the error:
> > host/network eth1.11 not found.
> > I'm running kernel version 2.4.27. with iptables 1.2.9
> > The eth1.11 exists works perfectly.
> > Seby,
>
> eth1.11 is the same physical device as eth1. use eth1 in your rule and
> you are fine. netfiler does IMHO not support filtering by logical
> interface.

It does and it works excellent. 

here is short example:
/usr/local/sbin/iptables -A FORWARD -i eth0.119 -p tcp -j ACCEPT -m state 
--state NEW -m multiport --destination-port $TCP_FORWARD1
/usr/local/sbin/iptables -A FORWARD -i eth0.119 -p tcp -j ACCEPT -m state 
--state NEW -m multiport --destination-port $TCP_FORWARD2

For me it seems like eth1.11 is not present on your system. What do get with 
"ifconfig"? 

Marcin

Re: Iptables and vlan interfaces

[Henrik Nordstrom]

On Fri, 30 Sep 2005 sebastian.ionita@focomunicatii.ro wrote:

> Why doesn't iptables works with vlans interfaces? 
> iptables -t mangle -A FORWARD -i eth0 -o eth1.11 -j MARK --set-mark 4
> Gives me the error:
> host/network eth1.11 not found.

Sounds like there may be a bug in your iptables command.

Are you sure the command line given above is what you tried to use? The 
error seems to suggest a -s/-d option was used instead of -o.

Regards
Henrik

Re: Iptables and vlan interfaces

[sebastian.ionita]

Henrik Nordstrom writes: 

> On Fri, 30 Sep 2005 sebastian.ionita@focomunicatii.ro wrote: 
> 
>> Why doesn't iptables works with vlans interfaces? iptables -t mangle -A 
>> FORWARD -i eth0 -o eth1.11 -j MARK --set-mark 4
>> Gives me the error:
>> host/network eth1.11 not found.
> 
> Sounds like there may be a bug in your iptables command. 
> 
> Are you sure the command line given above is what you tried to use? The 
> error seems to suggest a -s/-d option was used instead of -o.

You are right .. it was my mistake .. :)). In the shell i typed the wrong 
command, but when I wrote the e-mail I write the correct commnad. Sorry for 
that. 

Seby, 

Re: Iptables and vlan interfaces

[/dev/rob0]

On Friday 2005-September-30 07:54, sebastian.ionita@focomunicatii.ro wrote:
> > On Fri, 30 Sep 2005 sebastian.ionita@focomunicatii.ro wrote:
> >> Why doesn't iptables works with vlans interfaces? iptables -t
> >> mangle -A FORWARD -i eth0 -o eth1.11 -j MARK --set-mark 4
> >> Gives me the error:
> >> host/network eth1.11 not found.
> >
> > Sounds like there may be a bug in your iptables command.
> >
> > Are you sure the command line given above is what you tried to use?
> > The error seems to suggest a -s/-d option was used instead of -o.
>
> You are right .. it was my mistake .. :)). In the shell i typed the
> wrong command, but when I wrote the e-mail I write the correct

Hmmm, I had always thought you couldn't use virtual interfaces.
# iptables -vI INPUT -i eth0:101
Warning: wierd character in interface `eth0:101' (No aliases, :, ! or *).
  all opt -- in eth0:101 out *  0.0.0.0/0  -> 0.0.0.0/0
# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 54651 packets, 5325K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  eth0:101 *       0.0.0.0/0            0.0.0.0/0
  12M 4929M State      all  --  *      *       0.0.0.0/0            0.0.0.0/0
55325   12M Outside    all  --  *      *      !192.168.0.0/19       0.0.0.0/0

Why the warning (with "weird" misspelled, no less)? I ping the IP
address for eth0:101, check -vnL again, and the packet counters are
still zero. Apparently the rule is accepted but the kernel cannot use
it.

eth0:101 was made using ifconfig(8), which demands the real interface
name and a colon as prefix to an alias. I tried making another one
using ip(8):
    ip ad ad 192.168.6.78 label eth0.dl dev eth0
ip(8) only seems to want the real interface name. I inserted the rule
without the warning. I inserted a second rule to count --icmp-type 8
and pinged that IP from another host. The ICMP rule packet counters
incremented exactly one for each ping, but the eth0.dl rule never did.

What's the truth here? Is there something needed in the kernel?
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

Re: Iptables and vlan interfaces

[Marc Haber]

On Fri, Sep 30, 2005 at 08:39:15AM -0500, /dev/rob0 wrote:
> Hmmm, I had always thought you couldn't use virtual interfaces.
> # iptables -vI INPUT -i eth0:101

You are obviously missing the BIG difference between an alias
interface and an interface connected to a VLAN.

Please refrain from giving advice if you do not _EXACTLY_ know that
what you say is correct.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Re: Iptables and vlan interfaces

[/dev/rob0]

On Friday 2005-September-30 08:41, Marc Haber wrote:
> On Fri, Sep 30, 2005 at 08:39:15AM -0500, /dev/rob0 wrote:
> > Hmmm, I had always thought you couldn't use virtual interfaces.
> > # iptables -vI INPUT -i eth0:101
>
> You are obviously missing the BIG difference between an alias
> interface and an interface connected to a VLAN.

Obviously!

> Please refrain from giving advice if you do not _EXACTLY_ know that
> what you say is correct.

Please try to understand the difference between "giving advice" and 
"asking a question."
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

Re: Iptables and vlan interfaces

[Marc Haber]

On Fri, Sep 30, 2005 at 08:55:11AM -0500, /dev/rob0 wrote:
> On Friday 2005-September-30 08:41, Marc Haber wrote:
> > Please refrain from giving advice if you do not _EXACTLY_ know that
> > what you say is correct.
> 
> Please try to understand the difference between "giving advice" and 
> "asking a question."

I apologize. I got you confused with the guy who suggested removing
the VLAN identifier and establishing the rule on the physical
interface (which is something _very_ different).

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Re: Iptables and vlan interfaces

[Henrik Nordstrom]

On Fri, 30 Sep 2005, /dev/rob0 wrote:

> Hmmm, I had always thought you couldn't use virtual interfaces.
> # iptables -vI INPUT -i eth0:101

The above is not a virtual interface like VLAN interfaces are, only a 
labelled IP address on eth0.

   /sbin/ip addr show

will give you a quite good picture of these things.

to make your life saner I recommend unlearning ifconfig and instead learn 
to use the ip command from iproute. ifconfig only confuses things..

This difference is also seen in netstat -i.

Regards
Henrik

Re: Iptables and vlan interfaces

[Aseem Rastogi]

i have been following this post rather keenly. it now seems to have died 
down. but still i am not able to understand what is a vlan interface. 
can somebody please give me some pointer where i can read about this. 
vlan i thought is a l2 concept and should have nothing to do with l3.

thanks in advance.

regards,
aseem.

Henrik Nordstrom wrote:

> On Fri, 30 Sep 2005, /dev/rob0 wrote:
>
>> Hmmm, I had always thought you couldn't use virtual interfaces.
>> # iptables -vI INPUT -i eth0:101
>
>
> The above is not a virtual interface like VLAN interfaces are, only a 
> labelled IP address on eth0.
>
>   /sbin/ip addr show
>
> will give you a quite good picture of these things.
>
> to make your life saner I recommend unlearning ifconfig and instead 
> learn to use the ip command from iproute. ifconfig only confuses things..
>
> This difference is also seen in netstat -i.
>
> Regards
> Henrik
>
>


-- 
The end is always good. If it's not good, it's not the end.

Re: Iptables and vlan interfaces

[Marc Haber]

On Mon, Oct 03, 2005 at 12:18:11PM +0530, Aseem Rastogi wrote:
> i have been following this post rather keenly. it now seems to have died 
> down. but still i am not able to understand what is a vlan interface. 
> can somebody please give me some pointer where i can read about this. 
> vlan i thought is a l2 concept and should have nothing to do with l3.

http://en.wikipedia.org/wiki/Vlan might be a good start.

While VLANs are basically a layer 2 concept, you somehow need to reach
them from upper layers. This is accomplished by having "virtual
interfaces" which are "connected" to the VLAN and feel just like a
physical interface on a physical LAN from the software side.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Re: Iptables and vlan interfaces

[Aseem Rastogi]

i understand vlans. but how is a vlan network interface different from a 
normal eth interface as far as higher layer protocols are concerned? or 
for that matter of fact how is this different from even l2 perspective. 
only difference is the broadcast domain. right ?

also, if somebody can give me an example of ifconfig output for vlan 
interface, that will be helpful.

thanks.

Marc Haber wrote:

>On Mon, Oct 03, 2005 at 12:18:11PM +0530, Aseem Rastogi wrote:
>
>>i have been following this post rather keenly. it now seems to have died 
>>down. but still i am not able to understand what is a vlan interface. 
>>can somebody please give me some pointer where i can read about this. 
>>vlan i thought is a l2 concept and should have nothing to do with l3.
>>
>
>http://en.wikipedia.org/wiki/Vlan might be a good start.
>
>While VLANs are basically a layer 2 concept, you somehow need to reach
>them from upper layers. This is accomplished by having "virtual
>interfaces" which are "connected" to the VLAN and feel just like a
>physical interface on a physical LAN from the software side.
>
>Greetings
>Marc
>


-- 
The end is always good. If it's not good, it's not the end.

Re: Iptables and vlan interfaces

[Marc Haber]

On Mon, Oct 03, 2005 at 02:25:11PM +0530, Aseem Rastogi wrote:
> i understand vlans. but how is a vlan network interface different from a 
> normal eth interface as far as higher layer protocols are concerned?

It isn't. Looks like a normal ethernet interface.

> also, if somebody can give me an example of ifconfig output for vlan 
> interface, that will be helpful.

ifconfig output is nearly never helpful when a network setup on Linux
is non-trivial. ip output is much better.

2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0f:20:d0:07:e0 brd ff:ff:ff:ff:ff:ff
    inet 10.2.100.94/27 brd 10.2.100.95 scope global dotqa
    inet6 fe80::20f:20ff:fed0:7e0/64 scope link
       valid_lft forever preferred_lft forever

That's a physical interface

13: eth0.101: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:0f:20:d0:07:e0 brd ff:ff:ff:ff:ff:ff
    inet 10.1.2.1/24 brd 10.1.2.255 scope global int101:02018
    inet6 fe80::20f:20ff:fed0:7e0/64 scope link
       valid_lft forever preferred_lft forever

And that's an interface "connected" to a VLAN.

You can see the relation between a VLAN interface, the VLAN ID and the
physical interface by looking at /proc/net/vlan/config:

eth0.101      | 101  | eth0

I would like to recommend renaming interfaces (using ip link set dev
old_name name new_name) to reflect their actual usage.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Re: Iptables and vlan interfaces

[Henrik Nordstrom]

On Mon, 3 Oct 2005, Aseem Rastogi wrote:

> i have been following this post rather keenly. it now seems to have died 
> down. but still i am not able to understand what is a vlan interface.

VLANs is IEEE 802.1Q, dividing Ethernet into 4097 virtual Ethernet 
networks. (the normal untagged network + 4096 .1q tagged networks = 4097)

VLAN is normally only used within and between switches, but it is also 
possible to use between the switch and a server/host allowing the server 
to participate in multiple VLANs on the switch.

This is configured on the Linux side using vconfig, creating one vritual 
network interface per such virtual Ethernet being used between the server 
and the switch. The virtual interfaces created by vconfig is true virtual 
interfaces and can even have a different MAC address than the physical 
interface if you like (defaults to use the same MAC however). These 
virtual interfaces is named like physicalinterface.vlannumber (i.e. 
eth0.45 for the VLAN with the .1q tag 45 on the eth0 physical connection).

More information on the VLAN support in Linux can be found from 
http://www.candelatech.com/~greear/vlan.html. The needed software is also 
available in most distributions (the kernel driver is available in the 
kernel since many years back).

> can somebody please give me some pointer where i can read about this. 
> vlan i thought is a l2 concept and should have nothing to do with l3.

vlan is indeed purely a l2 concept, using a slightly different Ethernet 
frame format than normal Ethernet allowing for multiple virtual Ethernet 
networks to be transported over the same cable.

IP-aliases on the other hand is purely a l3 concept, allowing you to have 
more than one IP address on the same interface, optionally labelled with a 
name (interface:name) for administrative purposes. The (optional) label on 
an IP-alias has no significant meaning other than as a reminder to the 
administrator, and to produce confusing results when using ifconfig 
(ifconfig has the odd habit of displaying the named ip-aliases as if they 
were separate interfaces).

Regards
Henrik

Re: Iptables and vlan interfaces

[Marc Haber]

On Mon, Oct 03, 2005 at 11:16:06AM +0200, Henrik Nordstrom wrote:
> The virtual interfaces created by vconfig is true virtual 
> interfaces and can even have a different MAC address than the physical 
> interface if you like (defaults to use the same MAC however).

Gee, I didn't know that. How is the different MAC address set? Naively
with ip link set dev eth0.101 address <new-mac>? Does this work with
all drivers, will it give a performance impact (such as requiring the
phyiscal interface to run promisc)?

> These 
> virtual interfaces is named like physicalinterface.vlannumber (i.e. 
> eth0.45 for the VLAN with the .1q tag 45 on the eth0 physical connection).

I strongly recommend using ip link set dev old-name name new-name to
rename the interface to something less complicated. Having interfaces
named from usage (like unt0 for untrusted, per0 for perimeter network,
int0 for internal network and so on) brings new sense into the
--in-interface int+ notation of iptables.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Re: Iptables and vlan interfaces

[Henrik Nordstrom]

On Mon, 3 Oct 2005, Marc Haber wrote:

> Gee, I didn't know that. How is the different MAC address set? Naively
> with ip link set dev eth0.101 address <new-mac>?

Yes.

> Does this work with all drivers

Nearly all.

> will it give a performance impact (such as requiring the phyiscal 
> interface to run promisc)?

It will most likely make the physical interface run in promiscious mode 
yes.

Some NIC chips support having MAC filters accepting more than one MAC and 
on these it is possible the interface does not go into promiscious mode, 
but most NICs do not have this capability.

But in either case this is rarely a performance impact these days as the 
traffic is heavily filtered by the network switch anyway and very few 
frames is seen on the physical network connection with another destination 
MAC.


While talking on this there is also another very interesting virtual 
network inteface type available for Linux, namely MAC based VLANs. This 
allows you to create multiple virtual network interfaces each with their 
own MAC but sharing the same physical connection. This is not in the 
standard VLAN driver of Linux but available from the same page as vconfig 
mentioned before. Combined with the arp_filter functionality this can 
provide quite interesting solutions to virtual hosting, router redundancy 
etc.

Regards
Henrik

Re: Iptables and vlan interfaces

[Aseem Rastogi]

thanks all for the info.

regards,
aseem.

Henrik Nordstrom wrote:

> On Mon, 3 Oct 2005, Aseem Rastogi wrote:
>
>> i have been following this post rather keenly. it now seems to have 
>> died down. but still i am not able to understand what is a vlan 
>> interface.
>
>
> VLANs is IEEE 802.1Q, dividing Ethernet into 4097 virtual Ethernet 
> networks. (the normal untagged network + 4096 .1q tagged networks = 4097)
>
> VLAN is normally only used within and between switches, but it is also 
> possible to use between the switch and a server/host allowing the 
> server to participate in multiple VLANs on the switch.
>
> This is configured on the Linux side using vconfig, creating one 
> vritual network interface per such virtual Ethernet being used between 
> the server and the switch. The virtual interfaces created by vconfig 
> is true virtual interfaces and can even have a different MAC address 
> than the physical interface if you like (defaults to use the same MAC 
> however). These virtual interfaces is named like 
> physicalinterface.vlannumber (i.e. eth0.45 for the VLAN with the .1q 
> tag 45 on the eth0 physical connection).
>
> More information on the VLAN support in Linux can be found from 
> http://www.candelatech.com/~greear/vlan.html. The needed software is 
> also available in most distributions (the kernel driver is available 
> in the kernel since many years back).
>
>> can somebody please give me some pointer where i can read about this. 
>> vlan i thought is a l2 concept and should have nothing to do with l3.
>
>
> vlan is indeed purely a l2 concept, using a slightly different 
> Ethernet frame format than normal Ethernet allowing for multiple 
> virtual Ethernet networks to be transported over the same cable.
>
> IP-aliases on the other hand is purely a l3 concept, allowing you to 
> have more than one IP address on the same interface, optionally 
> labelled with a name (interface:name) for administrative purposes. The 
> (optional) label on an IP-alias has no significant meaning other than 
> as a reminder to the administrator, and to produce confusing results 
> when using ifconfig (ifconfig has the odd habit of displaying the 
> named ip-aliases as if they were separate interfaces).
>
> Regards
> Henrik
>


-- 
The end is always good. If it's not good, it's not the end.

Re: Iptables and vlan interfaces

[Aseem Rastogi]

Okay.

Does it mean that if I connect my machine ethernet port to another 
machine and configure a vlan interface with that port as physical port 
and then add route to another machine through that vlan interface (I 
need to do this to use vlan interface right ? ), then all packets sent 
out of it will be tagged by whatever tag i mention in vconfig?

I did't know about vlan support in linux. This can be a good testing 
platform for L2 applications without requiring special boxes.

Henrik Nordstrom wrote:

> On Mon, 3 Oct 2005, Aseem Rastogi wrote:
>
>> i have been following this post rather keenly. it now seems to have 
>> died down. but still i am not able to understand what is a vlan 
>> interface.
>
>
> VLANs is IEEE 802.1Q, dividing Ethernet into 4097 virtual Ethernet 
> networks. (the normal untagged network + 4096 .1q tagged networks = 4097)
>
> VLAN is normally only used within and between switches, but it is also 
> possible to use between the switch and a server/host allowing the 
> server to participate in multiple VLANs on the switch.
>
> This is configured on the Linux side using vconfig, creating one 
> vritual network interface per such virtual Ethernet being used between 
> the server and the switch. The virtual interfaces created by vconfig 
> is true virtual interfaces and can even have a different MAC address 
> than the physical interface if you like (defaults to use the same MAC 
> however). These virtual interfaces is named like 
> physicalinterface.vlannumber (i.e. eth0.45 for the VLAN with the .1q 
> tag 45 on the eth0 physical connection).
>
> More information on the VLAN support in Linux can be found from 
> http://www.candelatech.com/~greear/vlan.html. The needed software is 
> also available in most distributions (the kernel driver is available 
> in the kernel since many years back). \




>
>
>> can somebody please give me some pointer where i can read about this. 
>> vlan i thought is a l2 concept and should have nothing to do with l3.
>
>
> vlan is indeed purely a l2 concept, using a slightly different 
> Ethernet frame format than normal Ethernet allowing for multiple 
> virtual Ethernet networks to be transported over the same cable.
>
> IP-aliases on the other hand is purely a l3 concept, allowing you to 
> have more than one IP address on the same interface, optionally 
> labelled with a name (interface:name) for administrative purposes. The 
> (optional) label on an IP-alias has no significant meaning other than 
> as a reminder to the administrator, and to produce confusing results 
> when using ifconfig (ifconfig has the odd habit of displaying the 
> named ip-aliases as if they were separate interfaces).
>
> Regards
> Henrik
>


-- 
The end is always good. If it's not good, it's not the end.

Re: Iptables and vlan interfaces

[Marc Haber]

On Mon, Oct 03, 2005 at 03:35:11PM +0530, Aseem Rastogi wrote:
> Does it mean that if I connect my machine ethernet port to another 
> machine and configure a vlan interface with that port as physical port 
> and then add route to another machine through that vlan interface (I 
> need to do this to use vlan interface right ? ), then all packets sent 
> out of it will be tagged by whatever tag i mention in vconfig?

Yes, with the conclusion that other machines not configured for that
vlan do not see the packets.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Re: Iptables and vlan interfaces

[Henrik Nordstrom]

On Mon, 3 Oct 2005, Aseem Rastogi wrote:

> Does it mean that if I connect my machine ethernet port to another 
> machine and configure a vlan interface with that port as physical port 
> and then add route to another machine through that vlan interface (I 
> need to do this to use vlan interface right ? ), then all packets sent 
> out of it will be tagged by whatever tag i mention in vconfig?

Yes.

Any packets sent out on that virtual interface will be sent tagged with 
the vlan tag. This is done in L2 and not protocol dependent in any manner.

Regards
Henrik

RE: Iptables and vlan interfaces

[Baake, Matthias]

hello there,

the filtering works in the _filter_ table.
afaik there is no support to route logical devices at least in the nat table!
maybe the same is applied for the mangle table.

greetings 

/matthias

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of 
> Marcin Giedz
> Sent: Friday, September 30, 2005 1:56 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: Iptables and vlan interfaces
> 
> 
> Dnia piątek, 30 września 2005 13:34, Sascha Reissner napisał:
> > sebastian.ionita@focomunicatii.ro wrote:
> > > Why doesn't iptables works with vlans interfaces?
> > > iptables -t mangle -A FORWARD -i eth0 -o eth1.11 -j MARK 
> --set-mark 4
> > > Gives me the error:
> > > host/network eth1.11 not found.
> > > I'm running kernel version 2.4.27. with iptables 1.2.9
> > > The eth1.11 exists works perfectly.
> > > Seby,
> >
> > eth1.11 is the same physical device as eth1. use eth1 in 
> your rule and
> > you are fine. netfiler does IMHO not support filtering by logical
> > interface.
> 
> It does and it works excellent. 
> 
> here is short example:
> /usr/local/sbin/iptables -A FORWARD -i eth0.119 -p tcp -j 
> ACCEPT -m state 
> --state NEW -m multiport --destination-port $TCP_FORWARD1
> /usr/local/sbin/iptables -A FORWARD -i eth0.119 -p tcp -j 
> ACCEPT -m state 
> --state NEW -m multiport --destination-port $TCP_FORWARD2
> 
> For me it seems like eth1.11 is not present on your system. 
> What do get with 
> "ifconfig"? 
> 
> Marcin
> 
> 

RE: Iptables and vlan interfaces

[Baake, Matthias]

hm i have to correct my previous post..
i copied the discussed rule and it works fine...
there must be an other mistake maybe something missing in the kern

greets

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of Henrik
> Nordstrom
> Sent: Friday, September 30, 2005 2:45 PM
> To: sebastian.ionita@focomunicatii.ro
> Cc: netfilter@lists.netfilter.org
> Subject: Re: Iptables and vlan interfaces
> 
> 
> On Fri, 30 Sep 2005 sebastian.ionita@focomunicatii.ro wrote:
> 
> > Why doesn't iptables works with vlans interfaces? 
> > iptables -t mangle -A FORWARD -i eth0 -o eth1.11 -j MARK 
> --set-mark 4
> > Gives me the error:
> > host/network eth1.11 not found.
> 
> Sounds like there may be a bug in your iptables command.
> 
> Are you sure the command line given above is what you tried 
> to use? The 
> error seems to suggest a -s/-d option was used instead of -o.
> 
> Regards
> Henrik
> 
>