LinuxQuestions.org
Old 09-16-2005, 09:11 PM   #1
genmud
LQ Newbie
 
Registered: Sep 2005
Posts: 4

Iptables, Multiple IP Aliases and Different Rules for each external ip


Well, this is the situation... I am wondering if I can use iptables to have different rules for different IP aliases, i.e. eth0:0, 1, 2, 3, 4 etc.

The IPs change often on these virtual interfaces, so I would rather not use destination addresses.

Just wondering if anyone has ever done this.

Last edited by genmud; 08-27-2006 at 06:23 PM.
 
Old 09-17-2005, 07:21 AM   #2
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Iptables is very versatile and powerful and can have rules made for any interface; the interfaces are actually eth0, eth1, eth2 and ppp0. You can declare variables, use IF statements, arrays, any syntax that you can use under C and C++ for iptables.

A simple example of an iptables script to block anything except port 80 for your webserver would look something like this:

####################################
#!/bin/sh

# Flush the filter table and default to dropping everything
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# Accept incoming requests to port 80 and the webserver's replies, which
# leave from source port 80 (matching --dport 80 on OUTPUT would drop them)
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT

exit 0
####################################

example 2:

####################################
#!/bin/sh

# Same rule set, with the external interface kept in a variable
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP

EXTIF="eth0"

iptables -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p tcp --sport 80 -j ACCEPT

exit 0
####################################

Of course, this is a very simple script with no logging or any modules added, but it will stop anything but port 80 from being accessed.
 
Old 09-17-2005, 03:15 PM   #3
genmud
LQ Newbie
 
Registered: Sep 2005
Posts: 4

Original Poster
Thanks for the reply, but the situation is that I only have 1 physical connection, and I have 7 IPs mapped to this interface as aliases. What I want to do is put each logical service on a different IP, which sometimes changes, so that I will have flexibility: when I need to use different servers I can just add a server and remove the alias, and there will be very little downtime and I won't have to mess with DNS as much.

So what I am trying to do is block everything but that service on each IP, so I will need multiple rules for the different IPs.

Last edited by genmud; 08-27-2006 at 06:24 PM.
 
Old 09-17-2005, 05:09 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

I'm not sure, but I think iptables doesn't "understand" the concept of aliases... if this is true, then I think the way to do it would be to simply specify the public IP address of the alias as a destination, and then do the DNAT to the private IPs... like, for example (I think):
Code:
iptables -t nat -A PREROUTING -d 200.200.205.200 -i eth0 \
-j DNAT --to-destination 192.168.0.10

iptables -t nat -A PREROUTING -d 200.200.205.201 -i eth0 \
-j DNAT --to-destination 192.168.0.11

iptables -t nat -A PREROUTING -d 200.200.205.202 -i eth0 \
-j DNAT --to-destination 192.168.0.12
then deal with the FORWARD chain, specifying which port, protocol, etc. you want to allow through to the boxes:
Code:
iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 80 \
-d 192.168.0.10 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 443 \
-d 192.168.0.10 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 110 \
-d 192.168.0.11 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 25 \
-d 192.168.0.11 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p UDP -i eth0 -o eth1 --dport 53 \
-d 192.168.0.12 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 3128 \
-d 192.168.0.12 -m state --state NEW -j ACCEPT
and don't forget to SNAT the packets on the way out:
Code:
iptables -t nat -A POSTROUTING -s 192.168.0.10 \
-j SNAT -o eth0 --to-source 200.200.205.200

iptables -t nat -A POSTROUTING -s 192.168.0.11 \
-j SNAT -o eth0 --to-source 200.200.205.201

iptables -t nat -A POSTROUTING -s 192.168.0.12 \
-j SNAT -o eth0 --to-source 200.200.205.202
as you can see, in my examples 192.168.0.10 is a web server, 192.168.0.11 is a mail server, and 192.168.0.12 seems to be a DNS/squid combo... each of the boxes has its own 200.200.205.20* public IP address on the outside of the firewall...

I haven't tested what I wrote above so use caution...

just my ...

good luck...


Last edited by win32sux; 09-17-2005 at 05:18 PM.
 
Old 09-17-2005, 05:17 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

I just re-read your last post and it sounds like you are talking about a single host, with no forwarding... if that's the case then my post above should be ignored...
 
Old 09-17-2005, 05:43 PM   #6
genmud
LQ Newbie
 
Registered: Sep 2005
Posts: 4

Original Poster
Yeah, what I am doing is an HTTP/DNS/MAIL/SSH server with each different service on a different dedicated IP, so when I need to expand I can just add another server and give it the IP, and I won't have to reconfigure the MX info in DNS or reconfigure everything to a new IP... I am doing no forwarding of any kind and in reality, the only packets outgoing from this server will be SMTP and SSH.
 
Old 09-17-2005, 06:38 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

well, I've never really done anything like this, but maybe one way to do it could be to make all the daemons listen on the real IP address and then DNAT everything to the real IP address... let's say that *.200 is the real IP and *.201-203 are aliases and we are dealing with HTTPS/HTTP/FTP:

Code:
# -d takes only an address; the port has to go in --dport
iptables -t nat -A PREROUTING -p TCP -i eth0 -d 200.200.205.201 --dport 443 \
-j DNAT --to-destination 200.200.205.200

iptables -t nat -A PREROUTING -p TCP -i eth0 -d 200.200.205.202 --dport 80 \
-j DNAT --to-destination 200.200.205.200

iptables -t nat -A PREROUTING -p TCP -i eth0 -d 200.200.205.203 --dport 21 \
-j DNAT --to-destination 200.200.205.200

iptables -P INPUT DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# NEW TCP packets that are not SYN are bogus: drop them, as in the FORWARD example above
iptables -A INPUT -p TCP ! --syn -m state --state NEW -j DROP

iptables -A INPUT -p TCP -i eth0 --dport 443 -m state --state NEW -j ACCEPT

iptables -A INPUT -p TCP -i eth0 --dport 80 -m state --state NEW -j ACCEPT

iptables -A INPUT -p TCP -i eth0 --dport 21 -m state --state NEW -j ACCEPT
it probably won't work, I don't know... I'd like to learn how to do this right... let's wait and see if someone chimes in and enlightens us...
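As an added example that is not part of the thread (neither genmud's nor win32sux's code), here is one way to get what posts #1 and #3 ask for on a single host with no forwarding, taking the per-port INPUT rules of post #7 as the starting point: instead of hard-coding destination addresses, the script looks up each alias label's current address with ip(8) when it runs and emits one `-d` rule per alias, so the rules follow the addresses when they change. The label-to-service map, the interface name and the script name are assumptions; the rule set is printed, not applied, unless the script is run with `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): per-alias INPUT rules for a single host,
# looking up each alias label's current address at run time so the rules follow
# address changes. Assumes labelled aliases (eth0:0 ...) visible to `ip -o -4 addr`;
# the service map below is constructed.
EXTIF="${EXTIF:-eth0}"
IPT="${IPT:-iptables}"
# label  proto  port  (one service per alias)
SERVICES="eth0:0 tcp 80
eth0:1 tcp 25
eth0:2 udp 53
eth0:3 tcp 22"

# Print the IPv4 address bound to label $1; stdin is `ip -o -4 addr show` output.
# ip -o joins wrapped lines with a backslash, so the label field ends in "\".
addr_for_label() {
    awk -v want="$1" '{
        for (i = 1; i <= NF; i++) {
            f = $i; sub(/\\$/, "", f)
            if (f == want) { sub("/.*", "", $4); print $4; exit }
        }
    }'
}
# Print one ACCEPT rule scoped to an alias address: $1=addr $2=proto $3=port.
alias_rule() {
    printf '%s -A INPUT -i %s -d %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$IPT" "$EXTIF" "$1" "$2" "$3"
}

# Print the whole rule set. $1 is the ip(8) output, passed in so it is read once
# (or replaced by a captured sample when testing). Nothing is applied here.
build_rules() {
    printf '%s -P INPUT DROP\n' "$IPT"
    printf '%s -A INPUT -i lo -j ACCEPT\n' "$IPT"
    printf '%s -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$IPT"
    printf '%s -A INPUT -p tcp ! --syn -m state --state NEW -j DROP\n' "$IPT"
    printf '%s\n' "$SERVICES" | while read -r label proto port; do
        addr=$(printf '%s\n' "$1" | addr_for_label "$label")
        if [ -z "$addr" ]; then   # alias absent: no rule, so the port stays closed
            echo "# $label has no address, skipping $proto/$port" >&2
            continue
        fi
        alias_rule "$addr" "$proto" "$port"
    done
}
# Apply for real only when asked: sh aliasfw.sh apply
if [ "${1:-}" = "apply" ]; then
    build_rules "$(ip -o -4 addr show dev "$EXTIF")" | sh
fi
```

Because the policy is DROP and every ACCEPT carries a `-d`, a port opened on one alias is not reachable on the others, and an alias that is currently unassigned simply gets no rule.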
 
Old 09-18-2005, 02:07 AM   #8
genmud
LQ Newbie
 
Registered: Sep 2005
Posts: 4

Original Poster
Will try some other stuff... Thanks for the response.

Last edited by genmud; 08-27-2006 at 06:25 PM.