Hello Linux People

I am new,

I have a VPS, it has 3 IP addresses assigned to it. eth0 / eth0:0 / eth0:1

I am trying to create firewall rules to stop any communication with 0:0 and 0:1 while only allowing 2 IP address for ssh access and other stuff attached to eth0. This will change but I want to configure access on each IP/nic separately and test as I open up each port to check it is working correctly.

My IPtables conf is below (2 now, top is current bottom is older), what I believe should be happening. INPUT by default is drop unless rules are matched. 3 Chains one for each card, Drop EVERYTHING on 0:0 and 0:1 and allow SSH and 8080 from 2 IPs via eth0. (the below config was a test, the original is right at the bottom without the chain bit, it had the same problem)

My Issue, I am sure the IP tables are working; I can change the way it responds to ping and notice it. However when port scanning eth0:0 and eth:0:1 I am still seeing the port 8080 open if I am running the application. With the rules below I would expect nothing back from eth0:0 and eth0:1 after a port scan since they are meant to drop everything

Now that I am really thinking about it maybe I should not do it on interface but IP?

Also what does the [0:0] bits mean on the filters?

There is a good chance I am just missing something simple, to anyone that helps thank you, if I make any progress I will update

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:nic-eth0-70 - [0:0]
:nic-eth00-66 - [0:0]
:nic-eth01-67 - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -j nic-eth0-70
-A INPUT -i eth0:0 -j nic-eth00-66
-A INPUT -i eth0:1 -j nic-eth01-67
-A nic-eth0-70 -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A nic-eth0-70 -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A nic-eth0-70 -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A nic-eth0-70 -s xx.x.x.xx/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A nic-eth00-66 -j DROP
-A nic-eth01-67 -j DROP
COMMIT


-------------- Original

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s xx.x.x.xx/32 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s xx.x.x.xx/32 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s xx.x.x.xx/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s xx.x.x.xx/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j DROP
COMMIT

Aliases aren't really interfaces, so -i eth0 and -i eth0:0 will actually match the same traffic. In this case, it means that all packets are directed to the eth0-70 chain, which allows incoming traffic to ports 22 and 8080.

You'll have to match on destination IP addresses (-d <ip>/32) in order to differentiate between incoming traffic to the various eth0 aliases.