Old 07-05-2004, 03:04 AM   #1
LQ Newbie
Registered: Mar 2004
Posts: 7

Rep: Reputation: 0
iptables and virtual interfaces

What I wanted to do was to have 2 web servers having private IPs (Ex: and on the subnet). The hub connecting these machines would be connected to my Linux firewall machine. In other words the private IPs are the ones that make my DMZ; I shall call the interface which is connected to the DMZ eth1.
What I want to do is redirect all requests to to and to . At the moment I have no problem in doing the NATting and everything related to send/receive from the
What I thought was to have a virtual interface and bind the other Internet-routable address to it, ex. eth0:0. What are my options?
Also, how could I do the POSTROUTING SNAT if I cannot use virtual interfaces?
Old 07-06-2004, 09:04 PM   #2
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
iptables doesn't support virtual ip aliasing. So you really have two ways to do this. First you can buy new NICs for the additional IPs.

Alternatively, you can set up virtual IPs like you've explained. Despite the fact that iptables doesn't support IP aliases, it will recognize traffic on the virtual interface as being on the same device as the normal interface device (so eth0:0 and eth0:1 would both appear as eth0 to iptables). The trick then is to use other attributes of the packets to distinguish how the SNATing should work.

For example, say you want all web traffic being NATed from one of the internal boxes to be SNATed as one IP and all traffic coming from the other internal webserver to get SNATed as the other external IP. In this case you could use the type of traffic (http), the source address ( or ) and the interface the traffic would be leaving (eth0) to define the SNATing:

iptables -t nat -A POSTROUTING -p tcp --sport 80 -o eth0 -s -j SNAT --to-source

iptables -t nat -A POSTROUTING -p tcp --sport 80 -o eth0 -s -j SNAT --to-source

You might have to tinker around with the other rules as well, but hopefully that will give you a start.
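The approach from the reply above (aliases look like eth0 to iptables, so key the NAT on source address and outgoing interface) written out for the two-server DMZ, as an added example that is not from the original thread. Interface names, the RFC 5737 public addresses and the 192.168.1.0/24 DMZ are constructed assumptions; the FORWARD chain's default policy is assumed to allow server-originated traffic out.

```shell
#!/bin/sh
# Constructed example: two DMZ web servers behind one Linux firewall with two
# public IPs aliased onto eth0 (eth0:0, eth0:1). Addresses are documentation
# ranges, not real hosts.
WAN_IF=eth0          # Internet-facing interface; aliases appear as eth0 to iptables
DMZ_IF=eth1          # interface facing the DMZ hub

# Print the iptables rules for one public/private pair. The SNAT rule keys on
# the private source address and the outbound interface, because iptables
# cannot match on the alias label (eth0:0) itself.
nat_rules() {
    pub=$1; priv=$2
    # Inbound: connections to this public IP on port 80 go to its DMZ host.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -p tcp --dport 80 -j DNAT --to-destination $priv"
    # Forward only the DNATed web traffic in, and established/related replies out.
    echo "iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $priv -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -s $priv -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Outbound: anything this server originates leaves with its own public IP.
    # Replies to DNATed connections are reversed by conntrack and do not need this.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
}

# iproute2 commands that create the aliases; one label per public IP.
alias_cmds() {
    n=0
    for pub in "$@"; do
        echo "ip addr add $pub/24 dev $WAN_IF label $WAN_IF:$n"
        n=$((n+1))
    done
}

# Complete command list for both servers, one command per line.
all_rules() {
    alias_cmds 203.0.113.10 203.0.113.11
    echo "sysctl -w net.ipv4.ip_forward=1"
    nat_rules 203.0.113.10 192.168.1.10
    nat_rules 203.0.113.11 192.168.1.11
}

# Print the commands by default; run with APPLY=1 as root to execute them.
if [ "${APPLY:-0}" = "1" ]; then all_rules | sh -e; else all_rules; fi
```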
Old 03-19-2006, 04:24 PM   #3
Registered: Sep 2005
Distribution: Debian
Posts: 202

Rep: Reputation: 30
You find that I can decide the problem using iproute (IP addr)?