That's only half the truth. You cannot use a notation like "eth0:0...255" with ipchains (option -i) I think, but you don't have to. Say if you had hooked 192.168.1.2 on eth0:0 you could use the following rules for SMTP:
ipchains -A input -i eth0 -p tcp -s any/0 1024:65535 -d 192.168.1.2 25 -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y -s 192.168.1.2 25 -d any/0 1024:65535 -j ACCEPT
ipchains -A output -i eth0 -p tcp -s 192.168.1.2 1024:65535 -d any/0 25 -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s any/0 25 -d 192.168.1.2 1024:65535 -j ACCEPT
The trick is that you tell ipchains the physical network interface (eth0) but another IP which is assigned to it by IP aliasing. This neatly works with manually configured ipchains packet filters in some of my firewall installations.
In this example the different addresses of the interface eth0 are assigned to different chains (input, output); is it also possible to use different IP addresses for one interface in the same chain?

Kind regards,
ar
--
mailto:andreas@rittershofer.de
http://www.rittershofer.de
PGP-Public-Key http://www.rittershofer.de/ari.htm
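
Added example, not part of the original messages: the four SMTP rules from the post, generated for several aliased addresses on one device, with the alias suffix dropped so that -i names the physical device and the address selects the alias. The alias labels, the second address and the function names are constructed for illustration; the script only prints the commands, it does not apply them.

```shell
#!/bin/sh
# Added example: print (do not apply) the post's four SMTP rules per aliased address.
# Function names, alias labels and the second address are constructed for illustration.

# Succeed only for a dotted-quad IPv4 address whose octets are 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# smtp_rules <alias-label> <address>
# eth0:0 becomes eth0 for -i; the aliased address goes into -s / -d.
smtp_rules() {
    dev=${1%%:*}
    ip=$2
    valid_ipv4 "$ip" || { echo "skipping invalid address: $ip" >&2; return 1; }
    hi=1024:65535
    # Inbound mail to the local SMTP server and its replies (! -y: no new SYNs).
    echo "ipchains -A input -i $dev -p tcp -s any/0 $hi -d $ip 25 -j ACCEPT"
    echo "ipchains -A output -i $dev -p tcp ! -y -s $ip 25 -d any/0 $hi -j ACCEPT"
    # Outbound mail from this address to remote SMTP servers and their replies.
    echo "ipchains -A output -i $dev -p tcp -s $ip $hi -d any/0 25 -j ACCEPT"
    echo "ipchains -A input -i $dev -p tcp ! -y -s any/0 25 -d $ip $hi -j ACCEPT"
}

# Constructed sample: two aliases of eth0, each with its own address.
smtp_rules eth0:0 192.168.1.2
smtp_rules eth0:1 192.168.1.3
```

Review the printed rules before piping them to a shell on the firewall host.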