Old 03-22-2012, 08:38 AM   #1
LQ Newbie
Registered: Mar 2012
Posts: 1
Centos 6 (64) IPTABLES 3 network cards, odd issue, new to linuxish

Hello Linux People

I am new,

I have a VPS, it has 3 IP addresses assigned to it. eth0 / eth0:0 / eth0:1

I am trying to create firewall rules to stop any communication with 0:0 and 0:1 while only allowing 2 IP addresses for ssh access and other stuff attached to eth0. This will change, but I want to configure access on each IP/nic separately and test as I open up each port to check it is working correctly.

My iptables conf is below (2 now; top is current, bottom is older). What I believe should be happening: INPUT by default is DROP unless rules are matched. 3 chains, one for each card: drop EVERYTHING on 0:0 and 0:1 and allow SSH and 8080 from 2 IPs via eth0. (The below config was a test; the original is right at the bottom without the chain bit, and it had the same problem.)

My issue: I am sure the iptables rules are working; I can change the way it responds to ping and notice it. However, when port scanning eth0:0 and eth0:1 I am still seeing port 8080 open if I am running the application. With the rules below I would expect nothing back from eth0:0 and eth0:1 after a port scan, since they are meant to drop everything.

Now that I am really thinking about it, maybe I should not do it on interface but on IP?

Also, what do the [0:0] bits mean on the filters?

There is a good chance I am just missing something simple. To anyone that helps, thank you; if I make any progress I will update.

:nic-eth0-70 - [0:0]
:nic-eth00-66 - [0:0]
:nic-eth01-67 - [0:0]
-A INPUT -i eth0 -j nic-eth0-70
-A INPUT -i eth0:0 -j nic-eth00-66
-A INPUT -i eth0:1 -j nic-eth01-67
-A nic-eth0-70 -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A nic-eth0-70 -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A nic-eth0-70 -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A nic-eth0-70 -s xx.x.x.xx/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A nic-eth00-66 -j DROP
-A nic-eth01-67 -j DROP

-------------- Original

-A INPUT -i lo -j ACCEPT
-A INPUT -s xx.x.x.xx/32 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s xx.x.x.xx/32 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s xx.x.x.xx/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s xx.x.x.xx/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j DROP
Old 03-22-2012, 05:48 PM   #2
Ser Olmy
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 2,507
Aliases aren't really interfaces, so -i eth0 and -i eth0:0 will actually match the same traffic. In this case, it means that all packets are directed to the eth0-70 chain, which allows incoming traffic to ports 22 and 8080.

You'll have to match on destination IP addresses (-d <ip>/32) in order to differentiate between incoming traffic to the various eth0 aliases.
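A ruleset built along the lines of this reply, added here as an example rather than something posted in the thread: the per-address chains keep the original poster's names, but INPUT selects them by destination address (-d) instead of by alias name. All addresses are constructed placeholders, and the ESTABLISHED,RELATED rule is an assumption added so that return traffic is not dropped by the DROP policy.

```shell
#!/bin/sh
# Constructed example: a ruleset in iptables-save format that selects the
# per-address chains by destination address (-d), as the reply suggests,
# instead of by "-i eth0:0", which cannot tell an alias apart from eth0.
# The addresses are placeholders (RFC 5737 ranges), not the thread's real ones.
ETH0_IP="192.0.2.70"      # primary address on eth0
ETH00_IP="192.0.2.66"     # address configured as alias eth0:0
ETH01_IP="192.0.2.67"     # address configured as alias eth0:1
ADMIN1="198.51.100.10"    # first host allowed to reach ssh and 8080
ADMIN2="198.51.100.11"    # second host allowed to reach ssh and 8080

# Print the complete ruleset. The "[0:0]" after each chain is the
# packet:byte counter pair that iptables-save records; iptables-restore
# starts the counters at zero unless it is run with -c.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:nic-eth0-70 - [0:0]
:nic-eth00-66 - [0:0]
:nic-eth01-67 - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -d $ETH0_IP/32 -j nic-eth0-70
-A INPUT -d $ETH00_IP/32 -j nic-eth00-66
-A INPUT -d $ETH01_IP/32 -j nic-eth01-67
-A nic-eth0-70 -s $ADMIN1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A nic-eth0-70 -s $ADMIN2/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A nic-eth0-70 -s $ADMIN1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A nic-eth0-70 -s $ADMIN2/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A nic-eth0-70 -j DROP
-A nic-eth00-66 -j DROP
-A nic-eth01-67 -j DROP
COMMIT
EOF
}

# Sanity check before loading: every INPUT jump into a per-address chain must
# select on -d, and no rule may still try to match an alias name with -i.
# Returns 0 when the ruleset passes, 1 otherwise.
check_rules() {
    rules=$(gen_rules)
    [ "$(printf '%s\n' "$rules" | grep -c -- '-j nic-')" -eq 3 ] || return 1
    [ "$(printf '%s\n' "$rules" | grep -c -- '-A INPUT -d ')" -eq 3 ] || return 1
    [ "$(printf '%s\n' "$rules" | grep -c -- '-i eth0:')" -eq 0 ] || return 1
}
```

Load it with `gen_rules | iptables-restore` as root, then scan each of the three addresses separately: only the primary address should answer on 22 and 8080, and only from the two admin hosts.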
