Iptables, Multiple IP Aliases and Different Rules for each external ip

genmud · 09-16-2005, 09:11 PM

Well this is the situation... I am wondering if I can use Iptables to have different rules for different IP Aliases, IE eth0:0, 1, 2, 3, 4 etc...

The ip's change often on these virtual interfaces, so I would rather not use destination addresses.

Just wondering if anyone has ever done this.

fotoguy · 09-17-2005, 07:21 AM

Iptables is very versatile, powerful and can have rules made for any interface, the interfaces are actually eth0, eth1,eth2 and ppp0. you can declare variables, use IF statements, arrays, any syntax that you can use under C and c++ for iptables.

An simple example of an iptables script to block anything except port 80 for you webserver would look like something like this:

####################################
#!/bin/sh

iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP

iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT

exit 0
####################################

example 2:

####################################
#!/bin/sh

iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP

EXTIF="eth0"

iptables -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p tcp --dport 80 -j ACCEPT

exit 0
####################################

Of course this is a very simple script with no logging or any modules added but will stop anything but port 80 from being accessed.

genmud · 09-17-2005, 03:15 PM

Thanks for the reply, but the situation is that I only have 1 physical connection, and I have 7 IP's mapped to this interface as aliases. What I want to do is put each logical service on a different IP, which sometime changes so that I will have flexibility when I need to use different servers I can just add a server, and remove the alias and there will be very little downtime and I won't have to mess with DNS as much.

So what I am trying to do is block everything but that service on each IP, so I will need multiple rules for the different IP's.

win32sux · 09-17-2005, 05:09 PM

i'm not sure, but i think iptables doesn't "understand" the concept of aliases... if this is true, then i think the way to do it would be to simply specify the public IP address of the alias as a destination, and then do the DNAT to the private IPs... like, for example (i think):

Code:

iptables -t nat -A PREROUTING -d 200.200.205.200 -i eth0 \
-j DNAT --to-destination 192.168.0.10

iptables -t nat -A PREROUTING -d 200.200.205.201 -i eth0 \
-j DNAT --to-destination 192.168.0.11

iptables -t nat -A PREROUTING -d 200.200.205.202 -i eth0 \
-j DNAT --to-destination 192.168.0.12

then deal with the FORWARD chain, specifying which port, protocol, etc. you want to allow through to the boxes:

Code:

iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 80 \
-d 192.168.0.10 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 443 \
-d 192.168.0.10 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 110 \
-d 192.168.0.11 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 25 \
-d 192.168.0.11 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p UDP -i eth0 -o eth1 --dport 53 \
-d 192.168.0.12 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 3128 \
-d 192.168.0.12 -m state --state NEW -j ACCEPT

and don't forget to SNAT the packets on the way out:

Code:

iptables -t nat -A POSTROUTING -s 192.168.0.10 \
-j SNAT -o eth0 --to-source 200.200.205.200

iptables -t nat -A POSTROUTING -s 192.168.0.11 \
-j SNAT -o eth0 --to-source 200.200.205.201

iptables -t nat -A POSTROUTING -s 192.168.0.12 \
-j SNAT -o eth0 --to-source 200.200.205.202

as you can see, in my examples 192.168.0.10 is a web server, 192.168.0.11 is a mail server, and 192.168.0.12 seems to be a dns/squid combo... each of the boxes has it's own 200.200.205.20* public ip address on the outside of the firewall...

i haven't tested what i wrote above so use caution...

just my

...

good luck...

win32sux · 09-17-2005, 05:17 PM

i just re-read your last post and it sounds like you are talking about a single host, with no forwarding... if that's the case then my post above should be ignored...

genmud · 09-17-2005, 05:43 PM

Yea, what I am doing is a HTTP/DNS/MAIL/SSH server with each different service on a different dedicated IP, so when I need to expand I can just add another server and make it the IP and I won't have to reconfigure the mx info on dns or reconfigure everything to a new IP... I am doing no forwarding of anykind and in reality, the only packets outgoing on this server will be SMTP and SSH

win32sux · 09-17-2005, 06:38 PM

well, i've never really done anything like this, but maybe one way to do it could be to make all the daemons listen on the real ip address and then dnat everything to the real ip address... let's say that *.200 is the real ip and *.201-203 are aliases and we are dealing with HTTPS/HTTP/FTP:

Code:

iptables -t nat -A PREROUTING -p TCP -i eth0 -d 200.200.205.201:443 \
-j DNAT --to-destination 200.200.205.200

iptables -t nat -A PREROUTING -p TCP -i eth0 -d 200.200.205.202:80 \
-j DNAT --to-destination 200.200.205.200

iptables -t nat -A PREROUTING -p TCP -i eth0 -d 200.200.205.203:21 \
-j DNAT --to-destination 200.200.205.200

iptables -P INPUT DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p TCP ! --syn -m state --state NEW -j ACCEPT

iptables -A INPUT -p TCP -i eth0 --dport 443 -m state --state NEW -j ACCEPT

iptables -A INPUT -p TCP -i eth0 --dport 80 -m state --state NEW -j ACCEPT

iptables -A INPUT -p TCP -i eth0 --dport 21 -m state --state NEW -j ACCEPT

it probably won't work, i don't know... i'd like to learn how to do this right... let's wait and see if someone chimes-in and enlightens us...

genmud · 09-18-2005, 02:07 AM

Will try some other stuff... Thanks for the response