SLUG Mailing List Archives - Re: [SLUG] Multiple interfaces in iptables rules

To: Peter Hardy <peter@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [SLUG] Multiple interfaces in iptables rules
From: David Kempe <dave@xxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 02 Nov 2006 23:47:05 +1100
Cc: slug@xxxxxxxxxxx
User-agent: Thunderbird 1.5.0.7 (Windows/20060909)

Damn Pete,
just use shorewall :)

dave

Peter Hardy wrote:

Peter Hardy wrote:
But I'd like a rule to apply to my eth0 and eth1 interfaces whileignoring all other ethernet interfaces. Rusty's Packet FilteringHOWTO doesn't specify any syntax for it. It's not possible to givemultiple -i or -o flags, and splitting it in to seperate rules foreach interface is awkward at best.
I've tried comma separated interfaces by running `iptables -A INPUT-i eth0,eth1 -j LOG`, but it doesn't log any traffic to eth0, so I'mguessing iptables is looking for an interface named "eth0,eth1". And,of course, space separating the interface names just gives a badargument error.
So, is it possible to have iptables match two or more interfaces in asingle rule?
For the benefit of the archives, I solved this by marking packetsbased on the interface criteria, and then matching on marks.
As an example, my multi-homed gateway previously had a number of ruleslike these to filter traffic routed between the local networks.$IPT -A FORWARD -m state --state NEW -m tcp -p tcp -i $OFFICE_IFACE-o ! $INET_IFACE -j tcp_local$IPT -A FORWARD -m state --state NEW -m tcp -p tcp -i ! $INET_IFACE-o $OFFICE_IFACE -j tcp_local
My question came up because I'm about to attach another Internet linkto it, and wanted it excluded from the above rules just like$INET_IFACE is above.
The solution I'm trialling is to mark all incoming packets like so:
 # Packets arriving from external links are marked 1
 $IPT -t mangle -A PREROUTING -i $INET_IFACE1 -j MARK --set-mark 1
 $IPT -t mangle -A PREROUTING -i $INET_IFACE2 -j MARK --set-mark 1

 # Packets departing on an external link are marked 2
 $IPT -t mangle -A PREROUTING -o $INET_IFACE1 -j MARK --set-mark 2
 $IPT -t mangle -A PREROUTING -o $INET_IFACE2 -j MARK --set-mark 2

Then my jump rules become:
$IPT -A FORWARD -m state --state NEW -m tcp -p tcp -m mark ! --mark 2-i $OFFICE_IFACE -j tcp_local$IPT -A FORWARD -m state --state NEW -m tcp -p tcp -m mark ! --mark 1-o $OFFICE_IFACE -j tcp_local

References:
- [SLUG] Multiple interfaces in iptables rules
  - From: Peter Hardy
- Re: [SLUG] Multiple interfaces in iptables rules
  - From: Peter Hardy

Messages sorted by: [ date | thread ]
Prev by Date: [SLUG] ineligibility
Next by Date: [SLUG] dualling with dell
Previous by thread: Re: [SLUG] Multiple interfaces in iptables rules
Next by thread: Re: [SLUG] Multiple interfaces in iptables rules