LinuxQuestions.org
Old 10-12-2005, 06:29 PM   #1
tvynr
Question about iptables and multiple external IPs


I think I must have missed something somewhere. I am currently trying to set up a firewall/router/traffic-shaper box using seven external IP addresses. They're set up on eth0, eth0:0, eth0:1, ..., eth0:5.

I'm writing an iptables firewall script to handle the job and I'm running into a couple of problems. For example, once when using the "-i" flag, I was told by iptables:

"Warning: wierd character in interface `eth0:0' (No aliases, :, ! or *)."

Now... the interface's name has a ":" in it. Does this mean that if I apply a rule to eth0, it will be true for all eth0:n? For example, adding the line:

$ipt -A $chain -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

will accept packets for established and related connections on all of the eth0 interfaces?

I'm very confused by the presence of eth0:0 through eth0:5. Are they just placeholders in the output of ifconfig? Are they actually interfaces? What are they?

Thanks for reading; I hope it wasn't too muddled.
 
Old 10-12-2005, 07:57 PM   #2
pddm
1. I hope you are not trying to assign a complete block of IP addresses to eth0.
Are the IP addresses consecutive like 216.239.59.138-142?

If the IP addresses are like this, just assign one of them to eth0.

If they are not, what would you like to achieve? Usually it is better to have 1 IP per NIC (Network Interface Card).


2. If you have different IP blocks that need to be configured on 1 NIC, the 1st IP address goes on the plain NIC name (eth0), then the second goes on eth0:1, etc.

Do not use eth0:0.

3. The number behind the : identifies additional IP addresses assigned to the card besides the default one.
Example:
eth0 10.0.0.1 255.255.255.0
eth0:1 192.168.1.1 255.255.255.0
eth0:2 192.168.100.1 255.255.255.0

4. Yes, if you apply a rule to eth0 it will also affect all additional IPs on this NIC. This is why it is easier to manage rules per NIC.
 
Old 10-12-2005, 08:48 PM   #3
tvynr
pddm,

1)
Thank you for your response. Actually, I am assigning a complete block of IPs to eth0 and they are mostly consecutive. They are A.B.C.19, A.B.C.153, A.B.C.154, ..., A.B.C.158. I have them on eth0, eth0:0, eth0:1, ..., eth0:5, respectively.

I'm not sure how assigning only one IP in a block would be effective. We do own all seven IPs and have specific uses in mind for each of them. I have just successfully managed to get all traffic from my desktop to come from A.B.C.153. My roommate's desktop is on A.B.C.154 and other, unspecified traffic is using our original IP (A.B.C.19).

Primarily, we are trying to allow machines on the inside of the network to have distinct IP addresses on the outside network. Additionally, we want the ability to shuffle things around in special cases. For example, we can't get eight computers into a Diablo II Battle.Net game because the server only allows four connections per IP address... so I intend to have the firewall choose a distinct IP address for each connection created by a computer on the LAN, if possible, thus dodging that constraint. The fact that the latter six IP addresses are in a block is purely coincidental.

2)
Why shouldn't I use eth0:0, out of curiosity? It seems to have taken the IP just fine and, when researching how to assign multiple IP addresses to one card, I ran into a post which suggested using it. Is there some danger of conflict with eth0?

The output of my ifconfig looks something like this:

Code:
eth0      Link encap:Ethernet  HWaddr UU:VV:WW:XX:YY:ZZ
          inet addr:A.B.C.19  Bcast:A.B.C.127  Mask:255.255.255.128
{snip}
          Interrupt:11 Base address:0xd800

eth0:0    Link encap:Ethernet  HWaddr UU:VV:WW:XX:YY:ZZ
          inet addr:A.B.C.153  Bcast:A.B.C.159  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 Base address:0xd800

eth0:1    Link encap:Ethernet  HWaddr UU:VV:WW:XX:YY:ZZ
          inet addr:A.B.C.154  Bcast:A.B.C.159  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 Base address:0xd800

eth0:2    Link encap:Ethernet  HWaddr UU:VV:WW:XX:YY:ZZ
          inet addr:A.B.C.155  Bcast:A.B.C.159  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 Base address:0xd800

eth0:3    Link encap:Ethernet  HWaddr UU:VV:WW:XX:YY:ZZ
          inet addr:A.B.C.156  Bcast:A.B.C.159  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 Base address:0xd800

eth0:4    Link encap:Ethernet  HWaddr UU:VV:WW:XX:YY:ZZ
          inet addr:A.B.C.157  Bcast:A.B.C.159  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 Base address:0xd800

eth0:5    Link encap:Ethernet  HWaddr UU:VV:WW:XX:YY:ZZ
          inet addr:A.B.C.158  Bcast:A.B.C.159  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 Base address:0xd800

eth1      Link encap:Ethernet  HWaddr UU:VV:WW:XX:YY:ZZ
          inet addr:192.168.0.131  Bcast:192.168.0.255  Mask:255.255.255.0
{snip}
          Interrupt:10 Base address:0xe800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:77 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12470 (12.1 Kb)  TX bytes:12470 (12.1 Kb)
Does that look alright?

3)
So eth0:1 isn't treated as a separate interface from eth0:2, then? That's good. It makes working with tc qdisc a lot easier.

4)
I rewrote my firewall script to assume that assigning rules to eth0 was sufficient and it seems to be working. Nonetheless, it's good to hear confirmation of this behavior, as it makes me a lot more confident in the script (which I just threw together today based upon my own limited knowledge).

Thanks for all your help! You've been quite informative and I really appreciate it; after all, I couldn't find any information on this phenomenon (eth0:n) and I didn't even know what it was called or why it was happening.

Much gratitude!
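
Added example, not part of either poster's firewall script: since `-i` takes only the parent device name, rules that must differ per external address are keyed on the address with `-d` (inbound) or `--to-source` (outbound SNAT). The script prints the commands without running them; the 203.0.113.x and 192.168.0.x values and all function names are constructed for illustration.

```shell
# Added example: prints iptables commands, runs nothing. Addresses are
# constructed (RFC 5737 range) stand-ins for the thread's A.B.C.x block.
WAN_IF=eth0
# Constructed sample: ifconfig alias label and the address it carries.
ALIASES="eth0 203.0.113.19
eth0:0 203.0.113.153
eth0:1 203.0.113.154"
# Constructed sample: LAN host and the external address it should leave from.
LAN_MAP="192.168.0.10 203.0.113.153
192.168.0.11 203.0.113.154
192.168.0.12 203.0.113.200"

# Strip the ":N" label: netfilter only sees the parent device name.
parent_if() { printf '%s\n' "${1%%:*}"; }

# Succeeds if the address is one the box actually holds.
has_addr() {
    while read -r _l _a; do
        if [ "$_a" = "$1" ]; then return 0; fi
    done <<EOF
$ALIASES
EOF
    return 1
}

# Per-address INPUT rules: device via -i, external address via -d.
inbound_rules() {
    while read -r _label _addr; do
        [ -n "$_label" ] || continue
        printf 'iptables -A INPUT -i %s -d %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$(parent_if "$_label")" "$_addr"
    done <<EOF
$ALIASES
EOF
}

# Per-host SNAT; refuse targets that are not configured on the WAN side.
snat_rules() {
    while read -r _lan _ext; do
        [ -n "$_lan" ] || continue
        if has_addr "$_ext"; then
            printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' "$WAN_IF" "$_lan" "$_ext"
        else
            printf 'skipped %s: %s is not on %s\n' "$_lan" "$_ext" "$WAN_IF" >&2
        fi
    done <<EOF
$LAN_MAP
EOF
}
inbound_rules; snat_rules
```

The third `LAN_MAP` entry is deliberately mapped to an address the box does not hold, so it is reported on stderr and no SNAT rule is emitted for it.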
 
  

