Iptables, Multiple IP Aliases and Different Rules for each external ip
Iptables is very versatile and powerful and can have rules made for any interface; the interfaces are actually eth0, eth1, eth2 and ppp0. You can declare variables, use IF statements, arrays, any syntax that you can use under C and C++ for iptables.
A simple example of an iptables script to block anything except port 80 for your webserver would look something like this:
#!/bin/sh
####################################
# Flush existing rules and default to dropping everything
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# The one exception: let the web server accept connections on port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# and let the replies to those accepted connections leave again
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Thanks for the reply, but the situation is that I only have 1 physical connection, and I have 7 IPs mapped to this interface as aliases. What I want to do is put each logical service on a different IP, which sometimes changes, so that I will have flexibility: when I need to use different servers I can just add a server and remove the alias, and there will be very little downtime and I won't have to mess with DNS as much.
So what I am trying to do is block everything but that service on each IP, so I will need multiple rules for the different IPs.
I'm not sure, but I think iptables doesn't "understand" the concept of aliases... if this is true, then I think the way to do it would be to simply specify the public IP address of the alias as a destination, and then do the DNAT to the private IPs... like, for example (I think):
As you can see, in my examples 192.168.0.10 is a web server, 192.168.0.11 is a mail server, and 192.168.0.12 seems to be a DNS/squid combo... each of the boxes has its own 200.200.205.20* public IP address on the outside of the firewall...
I haven't tested what I wrote above so use caution...
I just re-read your last post and it sounds like you are talking about a single host, with no forwarding... if that's the case then my post above should be ignored...
Yeah, what I am doing is an HTTP/DNS/MAIL/SSH server with each different service on a different dedicated IP, so when I need to expand I can just add another server and make it the IP, and I won't have to reconfigure the MX info in DNS or reconfigure everything to a new IP... I am doing no forwarding of any kind, and in reality the only packets outgoing from this server will be SMTP and SSH.
Well, I've never really done anything like this, but maybe one way to do it could be to make all the daemons listen on the real IP address and then DNAT everything to the real IP address... let's say that *.200 is the real IP and *.201-203 are aliases and we are dealing with HTTPS/HTTP/FTP:
Code:
# -d takes only an address; the port goes in --dport. Rewrite each alias:port
# pair to the real address, keeping the port.
iptables -t nat -A PREROUTING -p TCP -i eth0 -d 200.200.205.201 --dport 443 \
-j DNAT --to-destination 200.200.205.200
iptables -t nat -A PREROUTING -p TCP -i eth0 -d 200.200.205.202 --dport 80 \
-j DNAT --to-destination 200.200.205.200
iptables -t nat -A PREROUTING -p TCP -i eth0 -d 200.200.205.203 --dport 21 \
-j DNAT --to-destination 200.200.205.200
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# A NEW connection that does not start with SYN is bogus: drop it, never accept it
iptables -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
# Only packets the DNAT rewrote carry the real address now, so matching on it
# keeps each port tied to the one alias that was mapped to it.
iptables -A INPUT -p TCP -i eth0 -d 200.200.205.200 --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -d 200.200.205.200 --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -d 200.200.205.200 --dport 21 -m state --state NEW -j ACCEPT
It probably won't work, I don't know... I'd like to learn how to do this right... let's wait and see if someone chimes in and enlightens us...
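Added example, not posted by anyone in this thread, covering both the original question (one service per alias, everything else on that address blocked, only SMTP and SSH leaving the box) and the DNAT idea above. It assumes the interface is called eth0, that the `-m state` match used in the thread is available, and it uses constructed addresses and port assignments in the 200.200.205.x range the thread uses. The point it demonstrates is that iptables matches the destination address of each packet, so an alias needs no DNAT at all: `-d <alias> --dport <port>` is enough to tie one service to one address.

```shell
#!/bin/sh
# Added example, not from the thread. One physical interface (eth0, assumed)
# carries several alias addresses and each alias exposes exactly one service.
# The 200.200.205.x addresses and the port assignments below are constructed
# sample data in the range the thread uses; replace them with your own.
#
# iptables matches the destination address of the packet, so an alias needs
# no DNAT to be filtered separately: "-d <alias> --dport <port>" pins one
# service to one address and the final DROP catches everything else.

EXT_IF="eth0"

# "address port" pairs, one TCP service per alias (constructed sample data):
# web, SMTP, DNS, SSH.
SERVICES="
200.200.205.200 80
200.200.205.201 25
200.200.205.202 53
200.200.205.203 22
"

# Print the rule set instead of running it, so it can be reviewed or tested
# before it touches the kernel. Order matters: the conntrack rules come first,
# then one ACCEPT per alias, then the logged catch-all DROP.
gen_rules() {
    echo "iptables -F INPUT"
    echo "iptables -F OUTPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m state --state INVALID -j DROP"

    echo "$SERVICES" | while read -r addr port; do
        [ -n "$addr" ] || continue
        echo "iptables -A INPUT -i $EXT_IF -d $addr -p tcp --dport $port -m state --state NEW -j ACCEPT"
        # DNS is served over UDP as well, on the same alias only.
        if [ "$port" = "53" ]; then
            echo "iptables -A INPUT -i $EXT_IF -d $addr -p udp --dport $port -j ACCEPT"
        fi
    done

    # Traffic the host itself originates (the thread says only SMTP and SSH
    # leave the box); outbound DNS lookups are needed for mail delivery.
    echo "iptables -A OUTPUT -o $EXT_IF -p tcp --dport 25 -m state --state NEW -j ACCEPT"
    echo "iptables -A OUTPUT -o $EXT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    echo "iptables -A OUTPUT -o $EXT_IF -p udp --dport 53 -j ACCEPT"

    # Anything arriving at an alias on a port it does not serve is logged
    # (rate-limited) and dropped, which is how you notice the other
    # addresses being probed.
    echo "iptables -A INPUT -i $EXT_IF -m limit --limit 5/min -j LOG --log-prefix \"alias-drop: \""
    echo "iptables -A INPUT -i $EXT_IF -j DROP"
}

# Number of per-alias ACCEPT rules in the generated set (4 TCP + 1 UDP for DNS).
count_alias_accepts() {
    gen_rules | grep -c -- '-d .* -j ACCEPT'
}

# "apply" loads the rules for real (needs root); anything else just prints them.
if [ "$1" = "apply" ]; then
    gen_rules | sh -e
else
    gen_rules
fi
```

Run it without arguments to see the rules it would load, and with `apply` as root to load them. The firewall only restricts what reaches each address; a daemon bound to 0.0.0.0 still listens on every alias underneath, so binding each daemon to its own alias is a worthwhile second layer. When a service moves to another alias, change its line in SERVICES and re-apply; nothing else in the rule set has to be touched.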