Why does interface specific iptables rule not work
I have a RHEL6 box with two NICs where I plan to install Oracle database and wish to use eth0 as a dedicated interface for the database traffic and eth1 for everything else. I have assigned static IPs 192.168.0.10 and 192.168.0.11 to eth0 and eth1 respectively. The default iptables rules on RHEL6 initially allow all established traffic on all interfaces, then allow new connections to port 22, and then reject everything else. I added a rule similar to the port 22 one for port 1521, and I was able to connect over ssh and the Oracle client to both eth0 and eth1. When I added the extra option of "-i eth1" to the port 22 rule and "-i eth0" to the port 22 rule, ssh was unable to connect to either interface. Ultimately I modified the rules to check for the destination IP instead of mentioning the interface. Now my question is: why do the rules not work when configured against specific interfaces?
Here are my rules for what I was trying to do
Code:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
The above configuration didn't work, so I had to modify the rules to check the destination IP
Code:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dst 192.168.0.11 --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dst 192.168.0.10 --dport 1521 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
Maybe on the first one, you have to duplicate
-A INPUT -m state --state ESTABLISHED,RELATED
for both interfaces, e.g.
Code:
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
Edit:
You could set the eth1 IP at the ListenAddress directive in /etc/ssh/sshd_config
Also, "iptables -L -v -n" can be useful
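An added example, not posted by anyone in this thread: a POSIX shell script that turns the original poster's interface-bound fragment into a complete iptables-restore file (the fragment lacks the `*filter` and `COMMIT` lines that iptables-restore needs) and parses the per-rule counters from the `iptables -L INPUT -v -n` output suggested in the reply above. `-i` matches the interface a packet was actually received on, not the address it was sent to, so the counters are the quickest way to see whether NEW SSH packets are being counted by the eth1 rule or are falling through to the REJECT line; with both NICs on the same /24, that is worth verifying rather than assuming. The function names and the sample counter output are constructed for this example and are not from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread): build a loadable ruleset for the
# interface-bound policy and inspect which INPUT rules are actually matching.

# Interface/port pairs as given in the original post.
SSH_IF=eth1;  SSH_PORT=22
ORA_IF=eth0;  ORA_PORT=1521

# Emit a complete iptables-restore file. The thread's fragment had no
# *filter / COMMIT lines, which iptables-restore requires.
# Usage: build_rules | iptables-restore
build_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $SSH_IF -m state --state NEW -m tcp -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -i $ORA_IF -m state --state NEW -m tcp -p tcp --dport $ORA_PORT -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Read "iptables -L INPUT -v -n" output on stdin and print one line per rule:
#   <pkts> <in-interface> <target> <dport or ->
# Column layout of -L -v -n is: pkts bytes target prot opt in out src dst ...
rule_hits() {
    awk 'NR > 2 {
            dport = "-"
            for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) dport = substr($i, 5)
            print $1, $6, $3, dport
         }'
}

# Packet count for the rule bound to a given in-interface and dport.
# Usage: iptables -L INPUT -v -n | hits_for_rule eth1 22
hits_for_rule() {
    rule_hits | awk -v ifc="$1" -v port="$2" '$2 == ifc && $4 == port { print $1 }'
}

# Total packets that reached the REJECT rule(s).
reject_hits() {
    rule_hits | awk '$3 == "REJECT" { s += $1 } END { print s + 0 }'
}

# Number of interface-bound rules (other than lo) that have never matched.
zero_hit_iface_rules() {
    rule_hits | awk '$2 != "*" && $2 != "lo" && $1 == 0 { n++ } END { print n + 0 }'
}

# Constructed sample counter output (not captured from the poster's box):
# the eth1 ssh rule has zero hits while REJECT is counting, which is the
# pattern you would see when SSH packets are not being received on eth1.
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    4   336 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   10   800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1521
    7   420 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Stand-alone run: show the generated ruleset and the per-rule hits.
build_rules
printf '%s\n' "$SAMPLE" | rule_hits
```

On a live box, replace the `SAMPLE` pipe with `iptables -L INPUT -v -n | hits_for_rule eth1 22` and run it while a PuTTY connection attempt is in flight; a count that stays at zero while `reject_hits` climbs tells you the packets are not arriving on the interface the rule names.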
But the man page states that without -i the rule will apply to all interfaces.
Code:
[!] -i, --in-interface name
Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.
And making sshd listen on eth1 doesn't prevent any other traffic from arriving at eth0
No, but the SSH connection problem can be at the software level, not at the kernel packet handling level
E.g., with no address specified for ListenAddress in sshd_config, how can you know sshd will listen to the right address (IP of eth1, 192.168.0.11)? By default it will listen to one address if you don't specify multiple ListenAddress lines.
Well, in its initial state, I was able to connect over ssh using PuTTY to both IP addresses.