LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 08-06-2014, 05:10 AM   #1
anindyameister
Member
 
Registered: Oct 2012
Posts: 47

Rep: Reputation: Disabled
Why does interface specific iptables rule not work


I have a RHEL6 box with two NICs where I plan to install oracle database and wish to use eth0 as a dedicated interface for the database traffic and eth1 for everything else. I have assigned static IPs 192.168.0.10 and 192.168.0.11 to eth0 and eth1 respectively. The default iptables rules on RHEL6 initially allow all established traffic on all interfaces then allows new connections to port 22 and then rejects everything else. I added a similar rule like port 22 for port 1521 and i was able to connect over ssh and oracle client to both eth0 and eth1. When I added the extra option of "-i eth1" to port 22 rule and "-i eth0" to port 22 rule, ssh was unable to connect to either interface. Ultimately I modified the rules to check for the destination IP instead of mentioning interface. Now my question is why do the rules not work when configured against specific interfaces ?

Here's My rules of what I was trying to do

Code:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
The above configuration didn't work so I had to modify the rules to check destination IP

Code:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dst 192.168.0.11 --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dst 192.168.0.10 --dport 1521 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
I want to know what I am doing wrong.
 
Old 08-06-2014, 05:37 AM   #2
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 5,388

Rep: Reputation: 398Reputation: 398Reputation: 398Reputation: 398
Maybe on the 1, you have to duplicate
-A INPUT -m state --state ESTABLISHED,RELATED
for both interfaces eg
Code:
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
edit,

You could set the eth1 IP at the ListenAddress directive in /etc/ssh/sshd_config

Also, " iptables -L -v -n " can be usefull

Last edited by keefaz; 08-06-2014 at 05:46 AM.
 
Old 08-06-2014, 08:20 AM   #3
anindyameister
Member
 
Registered: Oct 2012
Posts: 47

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by keefaz View Post
Maybe on the 1, you have to duplicate
-A INPUT -m state --state ESTABLISHED,RELATED
for both interfaces eg
Code:
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
edit,

You could set the eth1 IP at the ListenAddress directive in /etc/ssh/sshd_config

Also, " iptables -L -v -n " can be usefull

But the man page states that without -i the rule will apply to all interfaces.
Code:
 [!] -i, --in-interface name
              Name  of an interface via which a packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains).  When the "!" argument is used before the interface name, the sense is inverted.  If the interface name ends in a "+", then any interface which  begins with this name will match.  If this option is omitted, any interface name will match.
And making sshd listen on eth1 doesn't prevent any other traffic from arriving at eth0
 
Old 08-06-2014, 08:47 AM   #4
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Arch, Kubuntu
Posts: 1,254

Rep: Reputation: 314Reputation: 314Reputation: 314Reputation: 314
Are the interface names correct, is there any error when you manually invoke command? Like:
Code:
iptables -A INPUT -i eth1 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
I see on Ubuntu there is no error if I pass incorrect interface name, so check it for example by "ifconfig" or "ip".

Last edited by eSelix; 08-06-2014 at 08:50 AM.
 
Old 08-06-2014, 08:55 AM   #5
anindyameister
Member
 
Registered: Oct 2012
Posts: 47

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by eSelix View Post
Are the interface names correct, is there any error when you manually invoke command? Like:
Code:
iptables -A INPUT -i eth1 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
I see on Ubuntu there is no error if I pass incorrect interface name, so check it for example by "ifconfig" or "ip".
ifconfig shows three interfaces "eth0", "eth1" and "lo"
 
Old 08-06-2014, 09:53 AM   #6
grim76
Member
 
Registered: Jun 2007
Distribution: Debian, SLES, Ubuntu
Posts: 308

Rep: Reputation: 50
Can you give us the output of:
Code:
ip addr
 
Old 08-06-2014, 10:03 AM   #7
anindyameister
Member
 
Registered: Oct 2012
Posts: 47

Original Poster
Rep: Reputation: Disabled
Here it is

Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:23:7d:33:fa:1c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.10/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::223:7dff:fe33:fa1c/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:23:7d:33:fa:5c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.11/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::223:7dff:fe33:fa5c/64 scope link
       valid_lft forever preferred_lft forever
 
Old 08-06-2014, 10:06 AM   #8
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 5,388

Rep: Reputation: 398Reputation: 398Reputation: 398Reputation: 398
Quote:
Originally Posted by anindyameister View Post
And making sshd listen on eth1 doesn't prevent any other traffic from arriving at eth0
No, but the SSH connection problem can be at software level, not at kernel packet handling level

Eg, with no address specified for ListenAddress in sshd_config, how can you know sshd will listen to the right address (IP of eth1, 192.168.0.11)? By default it will listen to one address if you don't specify multiple ListenAddress lines.
 
Old 08-06-2014, 10:10 AM   #9
anindyameister
Member
 
Registered: Oct 2012
Posts: 47

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by keefaz View Post
No, but the SSH connection problem can be at software level, not at kernel packet handling level

Eg, with no address specified for ListenAddress in sshd_config, how can you know sshd will listen to the right address (IP of eth1, 192.168.0.11)? By default it will listen to one address if you don't specify multiple ListenAddress lines.
Well in it's initial state, i was able to connect over ssh using putty to both IP addresses.
 
Old 08-06-2014, 10:15 AM   #10
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 5,388

Rep: Reputation: 398Reputation: 398Reputation: 398Reputation: 398
Quote:
Originally Posted by anindyameister View Post
Well in it's initial state, i was able to connect over ssh using putty to both IP addresses.
You mean with no iptables rules, you can connect with ssh to both addresses?
 
Old 08-06-2014, 10:17 AM   #11
anindyameister
Member
 
Registered: Oct 2012
Posts: 47

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by keefaz View Post
You mean with no iptables rules, you can connect with ssh to both addresses?
Yes. I can connect with no rules and also if I remove the --dst or -i options from the existing rules.
 
Old 08-06-2014, 10:24 AM   #12
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 5,388

Rep: Reputation: 398Reputation: 398Reputation: 398Reputation: 398
Could you log the rejected packet for testing, eg use:
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "[Rejected] "
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
run 'tail -f /var/log/syslog' loggued as root in server and try some ssh connection with a client
 
Old 08-06-2014, 10:58 AM   #13
anindyameister
Member
 
Registered: Oct 2012
Posts: 47

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by keefaz View Post
Could you log the rejected packet for testing, eg use:
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "[Rejected] "
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
run 'tail -f /var/log/syslog' loggued as root in server and try some ssh connection with a client
I added the log statement and what I got was really weird.

Code:
Aug  6 20:08:55 db1 kernel: [Rejected] IN=eth0 OUT= MAC=00:23:7d:33:fa:1c:00:22:4d:a5:56:fd:08:00 SRC=192.168.0.30 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=9204 DF PROTO=TCP SPT=60915 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 
Aug  6 20:08:46 db1 kernel: [Rejected] IN=eth0 OUT= MAC=00:23:7d:33:fa:1c:00:22:4d:a5:56:fd:08:00 SRC=192.168.0.30 DST=192.168.0.11 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=9149 DF PROTO=TCP SPT=60912 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
even though the destination addresses are different, they are received on eth0.

And eth1 is receiving only the below traffic one in a while

Code:
Aug  6 20:15:09 db1 kernel: [Rejected] IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:23:7d:33:65:ac:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
I tried running arping from another box and it returned the same MAC for both IPs. Now i'm confused.

Code:
# arping 192.168.0.10
ARPING 192.168.0.10 from 192.168.0.191 eth0
Unicast reply from 192.168.0.10 [00:23:7D:33:FA:1C]  0.725ms
Unicast reply from 192.168.0.10 [00:23:7D:33:FA:1C]  0.688ms

# arping 192.168.0.11
ARPING 192.168.0.11 from 192.168.0.191 eth0
Unicast reply from 192.168.0.11 [00:23:7D:33:FA:1C]  0.796ms
Unicast reply from 192.168.0.11 [00:23:7D:33:FA:1C]  0.689ms
 
Old 08-06-2014, 11:07 AM   #14
anindyameister
Member
 
Registered: Oct 2012
Posts: 47

Original Poster
Rep: Reputation: Disabled
Here is my routing table.

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
link-local      *               255.255.0.0     U     1002   0        0 eth0
link-local      *               255.255.0.0     U     1003   0        0 eth1
default         192.168.0.1    0.0.0.0          UG    0      0        0 eth0
 
Old 08-06-2014, 11:40 AM   #15
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 (pre-systemd)
Posts: 2,665

Rep: Reputation: 710Reputation: 710Reputation: 710Reputation: 710Reputation: 710Reputation: 710Reputation: 710
If you want to use two NICs on the same subnet, you need to do policy based routing using the iproute2 tools. iptables alone won't do what you want.

http://kindlund.wordpress.com/2007/1...utes-in-linux/

Last edited by smallpond; 08-06-2014 at 11:41 AM. Reason: Add link
 
  


Reply

Tags
iptables


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables: All routing on any interface seems to stop when a rule for wlan0 is added iwonbigbro Linux - Security 4 10-11-2012 10:23 AM
[SOLVED] [FIREWALL] confused about setting up a specific rule using iptables cryptoboss Linux - Security 4 04-14-2011 10:22 AM
Need iptables rule to force outgoing interface redss Linux - Networking 12 03-03-2010 02:34 AM
simple DNAT iptables rule doesn't work. firatkucuk Linux - Networking 2 10-22-2007 02:35 AM
how to define a specific range of IPs and/or multiple IPs in an iptables rule?... TheHellsMaster Linux - Security 9 09-20-2004 11:06 AM


All times are GMT -5. The time now is 12:48 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration