[KLUG Members] device aliasing and iptables

Dirk Bartley members@kalamazoolinux.org
13 Mar 2002 21:15:01 -0500


Iptables scripts can be written to filter by interface or by address
(both source and destination).

for instance:

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp -j TCPLIMITS
/sbin/iptables -A INPUT -m state --state INVALID -j INVALIDWEHATE
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth2 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j ACCEPT -m state --state NEW
/sbin/iptables -A INPUT -p tcp -m limit --limit 2/s -j LOG --log-level 1 --log-prefix TCP_Dropped
/sbin/iptables -A INPUT -p udp -m limit --limit 2/s -j LOG --log-level 1 --log-prefix UDP_Dropped
/sbin/iptables -A INPUT -p icmp -m limit --limit 2/s -j LOG --log-level 1 --log-prefix ICMP_Dropped
/sbin/iptables -A INPUT -f -m limit --limit 2/s -j LOG --log-level 1 --log-prefix FRAGMENT_Dropped
/sbin/iptables -A INPUT -i eth1 -m state --state NEW -j LOG --log-level 1 --log-prefix DropNEWinet
/sbin/iptables -A INPUT -i eth1 -m state --state NEW -j DROP


This sets up my input chain.  I do not alias my interface (out of a lack
of need in my case).  It would be perfectly acceptable to change all
references to an interface to a destination IP address.  For example I
could change

/sbin/iptables -A INPUT -i eth0 -j ACCEPT -m state --state NEW

to 

/sbin/iptables -A INPUT -d x.x.x.x -j ACCEPT -m state --state NEW

The disadvantage of this is that you have to be very careful to set up
EACH rule for EVERY alias.  This would be a lot of lines.  Get good at
bash (or some other) scripting quickly would be my recommendation.


Dirk

On Wed, 2002-03-13 at 20:30, Ethan Garrow wrote:
> I have a firewall I'm building for my work, and I have to set it up for
> 7 external static IPs, so I've aliased them in the device. But when I
> try to write the firewall script using iptables, it tells me I can't use
> colons (e.g. eth0:1).  Was wondering if anyone out there can help me with
> this little dilemma??
>
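The scripting approach Dirk recommends, as an added example that is not part of the original thread: instead of hand-writing a rule per alias, keep the aliased addresses in a list and generate the per-address rules in a loop. iptables matches on the destination address (`-d`), so it never needs to know the `eth0:1` alias label. The addresses (from the 203.0.113.0/24 documentation range) and the published ports are constructed for the example; the default-DROP policy and per-address log-then-drop are this example's choices, not the original poster's ruleset. By default the script only prints the commands for review; set `IPT=/sbin/iptables` to apply them.

```shell
#!/bin/sh
# Added example (not from the original thread): generate iptables INPUT rules
# for a list of aliased addresses rather than writing each rule by hand.
# IPT defaults to printing the commands; run with IPT=/sbin/iptables as root
# to actually load them.
IPT="${IPT:-echo /sbin/iptables}"

# Constructed sample data: the external addresses aliased onto the NIC and
# the TCP services published on every one of them (assumed values).
ALIAS_IPS="203.0.113.10 203.0.113.11 203.0.113.12"
PUBLIC_PORTS="22 80"

# Rules for one aliased address: accept NEW connections only to the listed
# ports, log (rate-limited) and drop any other NEW connection to that address.
alias_rules() {
    ip="$1"
    shift
    for port in "$@"; do
        $IPT -A INPUT -d "$ip" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -d "$ip" -m state --state NEW -m limit --limit 2/s \
        -j LOG --log-level 1 --log-prefix "DropNEW_${ip} "
    $IPT -A INPUT -d "$ip" -m state --state NEW -j DROP
}

# Whole INPUT chain: the generic rules once, then the per-alias block for
# every address in ALIAS_IPS, then a rate-limited log of whatever remains
# before the default DROP policy takes it.
build_input_chain() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for ip in $ALIAS_IPS; do
        alias_rules "$ip" $PUBLIC_PORTS
    done
    $IPT -A INPUT -m limit --limit 2/s -j LOG --log-level 1 --log-prefix "Dropped "
}

build_input_chain
```

Adding an eighth address is then one edit to `ALIAS_IPS`, and every address gets exactly the same accept, log and drop rules, which is the consistency that hand-copied rule blocks tend to lose.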