Re: iptables and virtual net interfaces?

From: Cédric Blancher (blancher@cartel-info.fr)
Date: 01/16/02


From: Cédric Blancher <blancher@cartel-info.fr>
To: Steve Wampler <sbw@tapestry.tucson.az.us>
Date: 16 Jan 2002 17:33:15 +0100

On Tue 15-01-2002 at 13:48, Steve Wampler wrote:
> Does anyone know if iptables understands virtual net interfaces?
> That is, can I use eth0:2 (say) in iptables rules?

Like ipchains, iptables does not know about interface aliases.

An interface alias is not an interface, it is virtual. It is an IP for
which the Linux IP stack will answer ARP requests on a given interface. As
an example, specifying an IP for eth0:2 means Linux will answer ARP who-has
requests received on eth0 for this IP.

When a packet comes to the Linux box (or goes away), it comes through an
interface (eth0, eth1, ppp0, ipsec0, tap0, etc.). Because an alias is not
a real interface, just a kind of virtual one, you can't use it as you
do a real interface, e.g. with the -i and -o flags.

If you want to deal with aliases in Netfilter, you'll have to filter
using both the interface and the alias IP:

        iptables -A INPUT -i eth0 -d <eth0:2 IP> ... -j ACCEPT

I do not see many more things to do.

-- 
Cédric Blancher
Systems and network security consultant
Cartel Informatique - Groupe CGBI - http://www.cartel-info.fr/
Tel: 01 44 06 97 87 - Fax: 01 44 06 97 99
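The rule shape in the reply above (match the real device with -i, then narrow to the alias with -d) is easy to get wrong by hand, because a rule with only "-i eth0" applies to every address on that device, aliases included. The following added example, which is not part of the original thread, turns an alias label such as eth0:2 into exactly that rule. The `ip -4 addr show` output it parses is a constructed sample (RFC 5737 documentation addresses, not a real host), and the function names alias_addr and alias_rule are hypothetical. It only prints the rule and never calls iptables, so it runs without root or Netfilter present.

```shell
#!/bin/sh
# Added example (not from the original post): build the "-i <base iface> -d <alias IP>"
# INPUT rule for an interface alias. Nothing here calls iptables; it only prints the rule.

# Constructed sample of `ip -4 addr show` output. The addresses are from the
# RFC 5737 documentation range and are not real host data.
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.0.2.20/24 brd 192.0.2.255 scope global secondary eth0:2
       valid_lft forever preferred_lft forever'

# alias_addr LABEL: print the IPv4 address carried by alias LABEL (e.g. eth0:2),
# read from the sample above (replace the sample with `ip -4 addr show` on a real host).
# The label is the last field of the "inet" line; the address is the second field
# with its prefix length stripped. Prints nothing if the label is unknown.
alias_addr() {
    printf '%s\n' "$SAMPLE_IP_ADDR" |
        awk -v label="$1" '$1 == "inet" && $NF == label { split($2, a, "/"); print a[1]; exit }'
}

# alias_rule LABEL PROTO PORT: print the iptables INPUT rule for the alias.
# The -i match uses the base device (everything before the colon), because
# iptables only knows real interfaces; the alias itself is selected with -d.
# Returns 1 if LABEL is not an alias label or carries no address.
alias_rule() {
    label=$1; proto=$2; port=$3
    case $label in
        *:*) ;;
        *) echo "not an alias label: $label" >&2; return 1 ;;
    esac
    base=${label%%:*}
    addr=$(alias_addr "$label")
    [ -n "$addr" ] || { echo "no address for $label" >&2; return 1; }
    printf 'iptables -A INPUT -i %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$base" "$addr" "$proto" "$port"
}

# Example use: allow SSH only on the address bound to eth0:2.
alias_rule eth0:2 tcp 22
```

The generated rule matches the form given in the reply: the device in -i is eth0, never eth0:2, and the alias is expressed purely as a destination address. Keep in mind that packets for the alias IP arriving on any other device still fall through to whatever the INPUT chain's default policy is, so the rule narrows an accept; it is not by itself a block.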