On 20-Jun-01 Andreas Rittershofer wrote:
That's only half the truth. You cannot use a notation like "eth0:0...255" with ipchains (option -i), I think, but you don't have to. Say you had hooked 192.168.1.2 on eth0:0; you could use the following rules for smtp:
    ipchains -A input -i eth0 -p tcp -s any/0 1024:65535 -d 192.168.1.2 25 -j ACCEPT
    ipchains -A output -i eth0 -p tcp ! -y -s 192.168.1.2 25 -d any/0 1024:65535 -j ACCEPT
    ipchains -A output -i eth0 -p tcp -s 192.168.1.2 1024:65535 -d any/0 25 -j ACCEPT
    ipchains -A input -i eth0 -p tcp ! -y -s any/0 25 -d 192.168.1.2 1024:65535 -j ACCEPT
The trick is that you tell ipchains the physical network interface (eth0) but another IP which is assigned to it by IP aliasing. This works neatly with manually configured ipchains packet filters in some of my firewall installations.
In this example the different addresses of the interface eth0 are assigned to different chains (input, output); is it also possible to use different ip-addresses for one interface in the same chain?
Yes, it's possible. Look at my smtp example: there are four lines, two inputs and two outputs for one IP. If you want to use this for another IP, simply copy'n'paste them, replace the IP address with the next one and keep the option "-i eth0". Do so for every virtual IP you have and every service you want to offer. However, this gives you lots of work if something changes. A more elegant way would be to create a chain for every (virtual) IP you have and use ipchains-save/ipchains-restore to partly enable or disable firewalling. This is particularly useful if you have a standard packet filter config for every customer/domain which could be reproduced easily for a new entry.
mfg ar
-- mailto:andreas@rittershofer.de http://www.rittershofer.de PGP-Public-Key http://www.rittershofer.de/ari.htm
---
Boris Lorenz
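The "one chain per virtual IP" layout suggested in the reply above, as an added example that is not part of the original mails. It is a small POSIX sh generator: for each aliased IP it creates an input and an output chain, hooks them from the built-in input/output chains by physical interface plus IP (the same -i eth0 / -d 192.168.1.2 trick as in the smtp rules), and fills them with the four-rule pattern of the smtp example for every TCP port you list. Assumptions: the interface is eth0; chain names are in<N>/out<N> with N the last octet of the IP, chosen to stay within ipchains' 8-character limit on chain names; and IPCHAINS defaults to "echo ipchains", so the script prints the commands instead of running them (set IPCHAINS=ipchains on the actual 2.2 firewall host).

```shell
#!/bin/sh
# Added example, not from the original thread. Generates per-virtual-IP
# ipchains chains. Assumptions: IFACE=eth0, and IPCHAINS="echo ipchains"
# by default so this is a dry run that prints the rules.

IPCHAINS="${IPCHAINS:-echo ipchains}"
IFACE="${IFACE:-eth0}"

# last_octet 192.168.1.2 -> 2 (used to build short chain names)
last_octet() {
    echo "${1##*.}"
}

# vip_rules IP PORT [PORT...]: chains and rules for one aliased IP
vip_rules() {
    ip=$1; shift
    n=$(last_octet "$ip")
    in="in$n"; out="out$n"

    $IPCHAINS -N "$in"
    $IPCHAINS -N "$out"
    # dispatch on physical interface + aliased IP, as in the mail
    $IPCHAINS -A input  -i "$IFACE" -d "$ip" -j "$in"
    $IPCHAINS -A output -i "$IFACE" -s "$ip" -j "$out"

    for port in "$@"; do
        # we offer the service: client -> us, our replies must not be new SYNs
        $IPCHAINS -A "$in"  -p tcp -s any/0 1024:65535 -d "$ip" "$port" -j ACCEPT
        $IPCHAINS -A "$out" -p tcp ! -y -s "$ip" "$port" -d any/0 1024:65535 -j ACCEPT
        # we use the service elsewhere: us -> remote, remote replies, no new SYNs
        $IPCHAINS -A "$out" -p tcp -s "$ip" 1024:65535 -d any/0 "$port" -j ACCEPT
        $IPCHAINS -A "$in"  -p tcp ! -y -s any/0 "$port" -d "$ip" 1024:65535 -j ACCEPT
    done
}

# vip_drop IP: the "partly disable firewalling" case, i.e. unhook and
# delete one customer's chains without touching the other IPs
vip_drop() {
    ip=$1
    n=$(last_octet "$ip")
    $IPCHAINS -D input  -i "$IFACE" -d "$ip" -j "in$n"
    $IPCHAINS -D output -i "$IFACE" -s "$ip" -j "out$n"
    $IPCHAINS -F "in$n"
    $IPCHAINS -F "out$n"
    $IPCHAINS -X "in$n"
    $IPCHAINS -X "out$n"
}

# usage: smtp and http for one virtual IP, then the tear-down
vip_rules 192.168.1.2 25 80
vip_drop 192.168.1.2
```

Packets that reach in<N>/out<N> and match nothing fall back into the built-in chain and end up at its default policy, so the per-IP chains only ever need the ACCEPT rules; the deny belongs in the input/output policy as before. Once the live rule set is in place, `ipchains-save > /etc/ipchains.rules` captures it and `ipchains-restore < /etc/ipchains.rules` brings it back, which is what makes a standard per-customer config reproducible.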