RE: iptables and virtual NIC

RE: iptables and virtual NIC

[Kumar Swamy]

Hello folks, 

I am a newbie to iptables and experimenting some stuff.  So please excuse me, if this has already been discussed.

I have a linux gateway which has a physical interface (eth0 ) and multiple virtual interfaces ( eth0:1, eth0:2), each has dynamic IP configured.
I want to create an iptables rule for  IP masquerading on eth0 , but packets going out on other interfaces should be left untouched. Is this possible? 

I tried 
-A POSTROUTING -o eth0 -j MASQUERADE
But it seems packet going out on virtual NICs ( aliases) are also hitting this rule. 
Is there any way to solve this problem without using SNAT? Since I have IP address configured dynamically, there is no easy way to do SNAT. 

Thanks


'Like' us on Facebook for exclusive content and other resources on all Barracuda Networks solutions.
Visit http://barracudanetworks.com/facebook

RE: iptables and virtual NIC

[Jan Engelhardt]

On Thursday 2011-07-28 12:05, Kumar Swamy wrote:

>Hello folks, 
>
>I am a newbie to iptables and experimenting some stuff.  So please excuse me, if this has already been discussed.
>
>I have a linux gateway which has a physical interface (eth0 ) and multiple virtual interfaces ( eth0:1, eth0:2), each has dynamic IP configured.
>I want to create an iptables rule for  IP masquerading on eth0 , but 
>packets going out on other interfaces should be left untouched. Is this 
>possible?

Those are no interfaces. You are being deceived. My hint -
stop using ifconfig.

Re: iptables and virtual NIC

[Pandu Poluan]

On Thu, Jul 28, 2011 at 17:05, Kumar Swamy <kswamy@barracuda.com> wrote:
> Hello folks,
>
> I am a newbie to iptables and experimenting some stuff.  So please excuse me, if this has already been discussed.
>
> I have a linux gateway which has a physical interface (eth0 ) and multiple virtual interfaces ( eth0:1, eth0:2), each has dynamic IP configured.
> I want to create an iptables rule for  IP masquerading on eth0 , but packets going out on other interfaces should be left untouched. Is this possible?
>
> I tried
> -A POSTROUTING -o eth0 -j MASQUERADE
> But it seems packet going out on virtual NICs ( aliases) are also hitting this rule.
> Is there any way to solve this problem without using SNAT? Since I have IP address configured dynamically, there is no easy way to do SNAT.
>

How does the routing work? I.e., when does a packet exits through eth0
or eth0:1 or eth0:2?

Use the same routing criteria on the iptables rule.

Rgds,

-- 
Pandu E Poluan
~ IT Optimizer ~

 • Blog : http://pepoluan.tumblr.com
 • Linked-In : http://id.linkedin.com/in/pepoluan

Re: iptables and virtual NIC

[Jan Engelhardt]

On Thursday 2011-07-28 14:00, Pandu Poluan wrote:

>On Thu, Jul 28, 2011 at 17:05, Kumar Swamy <kswamy@barracuda.com> wrote:
>> Hello folks,
>>
>> I am a newbie to iptables and experimenting some stuff.  So please excuse me, if this has already been discussed.
>>
>> I have a linux gateway which has a physical interface (eth0 ) and multiple virtual interfaces ( eth0:1, eth0:2), each has dynamic IP configured.
>> I want to create an iptables rule for  IP masquerading on eth0 , but packets going out on other interfaces should be left untouched. Is this possible?
>>
>> I tried
>> -A POSTROUTING -o eth0 -j MASQUERADE
>> But it seems packet going out on virtual NICs ( aliases) are also hitting this rule.
>> Is there any way to solve this problem without using SNAT? Since I have IP address configured dynamically, there is no easy way to do SNAT.
>>
>
>How does the routing work? I.e., when does a packet exits through eth0
>or eth0:1 or eth0:2?

Routing only accepts eth0 because, again, eth0:1 as shown by braindead 
programs is not an interface.

Re: iptables and virtual NIC

[Tyler J. Wagner]

On 2011-07-28 14:00, Pandu Poluan wrote:
> How does the routing work? I.e., when does a packet exits through eth0
> or eth0:1 or eth0:2?

Pandu,

eth0 and eth0:1 are the same interface. The :1 suffix is just an alias
associated with a secondary IP address. There is no difference internally.

If you want to behave differently based on different aliases, you must
define rules by IP.

Regards,
Tyler

-- 
"A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders, give
orders, cooperate, act alone, solve equations, analyze a new problem,
pitch manure, program a computer, cook a tasty meal, fight efficiently,
die gallantly. Specialization is for insects."
   -- Lazarus Long, "Time Enough for Love", by Robert A. Heinlein

Re: iptables and virtual NIC

[Michal Soltys]

On 11-07-28 12:05, Kumar Swamy wrote:
> Hello folks,
>
> I am a newbie to iptables and experimenting some stuff.  So please excuse me, if this has already been discussed.
>
> I have a linux gateway which has a physical interface (eth0 ) and multiple virtual interfaces ( eth0:1, eth0:2), each has dynamic IP configured.
> I want to create an iptables rule for  IP masquerading on eth0 , but packets going out on other interfaces should be left untouched. Is this possible?
>
> I tried
> -A POSTROUTING -o eth0 -j MASQUERADE
> But it seems packet going out on virtual NICs ( aliases) are also hitting this rule.
> Is there any way to solve this problem without using SNAT? Since I have IP address configured dynamically, there is no easy way to do SNAT.
>
> Thanks

In addition to what Jan said about eth:N

MASQUERADE target picks only a primary addresses with global scope. Make 
sure during address assignment (you can adjust what dhclient or dhcpcd 
does with shell scripting) that only one of the addresses have global 
scope (and it's the primary address).