Peter Hardy wrote:
But I'd like a rule to apply to my eth0 and eth1 interfaces while
ignoring all other ethernet interfaces. Rusty's Packet Filtering HOWTO
doesn't specify any syntax for it. It's not possible to give multiple -i
or -o flags, and splitting it into separate rules for each interface is
awkward at best.
I've tried comma-separated interfaces by running `iptables -A INPUT -i
eth0,eth1 -j LOG`, but it doesn't log any traffic to eth0, so I'm
guessing iptables is looking for an interface named "eth0,eth1". And, of
course, space separating the interface names just gives a bad argument
error.
So, is it possible to have iptables match two or more interfaces in a
single rule?
For the benefit of the archives, I solved this by marking packets based
on the interface criteria, and then matching on marks.
As an example, my multi-homed gateway previously had a number of rules
like these to filter traffic routed between the local networks.
$IPT -A FORWARD -m state --state NEW -m tcp -p tcp -i $OFFICE_IFACE -o
! $INET_IFACE -j tcp_local
$IPT -A FORWARD -m state --state NEW -m tcp -p tcp -i ! $INET_IFACE -o
$OFFICE_IFACE -j tcp_local
My question came up because I'm about to attach another Internet link to
it, and wanted it excluded from the above rules just like $INET_IFACE is
above.
The solution I'm trialling is to mark all incoming packets like so:
# Packets arriving from external links are marked 1
$IPT -t mangle -A PREROUTING -i $INET_IFACE1 -j MARK --set-mark 1
$IPT -t mangle -A PREROUTING -i $INET_IFACE2 -j MARK --set-mark 1
# Packets departing on an external link are marked 2
# (-o cannot be used in PREROUTING, where the output interface is not yet
# known; the mangle FORWARD chain is traversed before filter FORWARD, so
# the mark is visible to the jump rules below)
$IPT -t mangle -A FORWARD -o $INET_IFACE1 -j MARK --set-mark 2
$IPT -t mangle -A FORWARD -o $INET_IFACE2 -j MARK --set-mark 2
Then my jump rules become:
$IPT -A FORWARD -m state --state NEW -m tcp -p tcp -m mark ! --mark 2
-i $OFFICE_IFACE -j tcp_local
$IPT -A FORWARD -m state --state NEW -m tcp -p tcp -m mark ! --mark 1
-o $OFFICE_IFACE -j tcp_local
--
Pete
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
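The mark-based approach above generalises to any number of external links. As an added example (not from the original post), the shell function below generates the marking rules and the FORWARD jump rules for an office interface plus a list of external interfaces, and rejects interface arguments that contain commas or spaces, the exact mistake from the question. `IPT`, the interface names and the `tcp_local` chain are placeholders; the function only prints the commands so they can be reviewed before being piped to a shell on the gateway.

```sh
#!/bin/sh
# Added example: emit iptables rules that treat a set of interfaces as one
# group by marking packets. Nothing here touches the live firewall; the
# output is meant to be inspected and then piped to sh if it looks right.

IPT=${IPT:-iptables}   # assumed path to the iptables binary

# valid_iface NAME: reject names that are not a single interface
# (iptables would otherwise look for an interface literally named "eth0,eth1")
valid_iface() {
    case $1 in
        ''|*[!A-Za-z0-9_.:@-]*) echo "bad interface name: '$1'" >&2; return 1 ;;
    esac
}

# gen_mark_rules OFFICE_IFACE EXT_IFACE...
# Prints, one command per line:
#   mangle PREROUTING rules marking packets arriving on any external link 1
#   mangle FORWARD rules marking packets leaving on any external link 2
#   (-o is only valid once the output interface is known, and mangle
#    FORWARD runs before filter FORWARD, so the mark is visible there)
#   the two filter FORWARD jump rules that use the marks
gen_mark_rules() {
    office=$1; shift
    valid_iface "$office" || return 1
    for ext in "$@"; do valid_iface "$ext" || return 1; done
    for ext in "$@"; do
        echo "$IPT -t mangle -A PREROUTING -i $ext -j MARK --set-mark 1"
    done
    for ext in "$@"; do
        echo "$IPT -t mangle -A FORWARD -o $ext -j MARK --set-mark 2"
    done
    # office -> anywhere except an external link
    echo "$IPT -A FORWARD -m state --state NEW -p tcp -m mark ! --mark 2 -i $office -j tcp_local"
    # anywhere except an external link -> office
    echo "$IPT -A FORWARD -m state --state NEW -p tcp -m mark ! --mark 1 -o $office -j tcp_local"
}

# Demo with constructed interface names: one office link, two Internet links.
gen_mark_rules eth0 ppp0 ppp1
```

To apply on the gateway after review: `gen_mark_rules eth0 ppp0 ppp1 | sh`.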