I'm trying to install a firewall.
I have these interfaces:
eth0 my true ip
eth0:0 192.168.2.1
When I'm trying this
iptables -t filter -A INPUT -i eth0:0 -s 192.168.2.0/24 -j ACCEPT
I receive this error:
Warning: wierd character in interface `eth0:0' (No aliases, :, ! or *).
Where is the problem?
Any solutions?
Thanks in advance
--
Stratos Karafotis
Electrical & Computer Engineer
Try just using "eth0". If that doesn't work, then you can try using the
"iproute2" tools rather than ifconfig to set up your addresses. Since it
doesn't use aliases (just use "eth0" for the private IP device) then you won't
need to use the alias in iptables.
--
Chris Friesen | MailStop: 043/33/F10
Nortel Networks | work: (613) 765-0557
3500 Carling Avenue | fax: (613) 765-2986
Nepean, ON K2H 8E9 Canada | email: cfri...@nortelnetworks.com
Hi, Chris
and thanks for your answer.
> Try just using "eth0". If that doesn't work, then you can try using the
> "iproute2" tools rather than ifconfig to set up your addresses. Since it
> doesn't use aliases (just use "eth0" for the private IP device) then you won't
> need to use the alias in iptables.
But I need to distinguish the firewall rules for the private IP and the true IP.
For example, I need to allow incoming packets for httpd from the private zone
(192.168.2.0/24) and drop incoming packets from the internet (true IP).
So I want to know if this can be done with iptables and 1 network card
with an IP alias, or whether I have to set up two network cards.
> But I need to distinguish the firewall rules for the private IP and the true IP.
> For example, I need to allow incoming packets for httpd from the private zone
> (192.168.2.0/24) and drop incoming packets from the internet (true IP).
> So I want to know if this can be done with iptables and 1 network card
> with an IP alias, or whether I have to set up two network cards.
Shouldn't matter if you've only got one NIC, as you are specifying the IP
address. Since the addresses are different, you should have no problems.
Chris
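The approach suggested in this reply (use the real device name and tell the two zones apart by address), as an added example that is not part of the original thread. It uses the thread's 192.168.2.0/24 and 192.168.2.1; 203.0.113.10 is a constructed placeholder for the "true IP", and the function names real_dev and httpd_rules are hypothetical.

```shell
#!/bin/sh
# Added example: emit iptables rules that separate "private" and "public"
# traffic on ONE device by address, because -i/-o match the device name only.

IFACE="eth0:0"            # what the original poster typed
PRIV_NET="192.168.2.0/24" # from the thread
PRIV_IP="192.168.2.1"     # from the thread
PUBLIC_IP="203.0.113.10"  # constructed placeholder for "my true ip"

# Strip an alias label ("eth0:0" -> "eth0") and reject names containing
# characters such as ! or *, so a bad name never reaches the rule set.
real_dev() {
    dev=${1%%:*}
    case "$dev" in
        ""|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    printf '%s\n' "$dev"
}

# Print the rules only; nothing is applied to the running firewall.
# Arguments: interface, private network, private address, public address.
httpd_rules() {
    dev=$(real_dev "$1") || { echo "bad interface name: $1" >&2; return 1; }
    # The private zone may reach httpd, and only on the private address.
    echo "iptables -A INPUT -i $dev -p tcp -s $2 -d $3 --dport 80 -j ACCEPT"
    # Any other packet aimed at port 80 on either address is dropped.
    echo "iptables -A INPUT -i $dev -p tcp -d $3 --dport 80 -j DROP"
    echo "iptables -A INPUT -i $dev -p tcp -d $4 --dport 80 -j DROP"
}

httpd_rules "$IFACE" "$PRIV_NET" "$PRIV_IP" "$PUBLIC_IP"
```

Because both address ranges share one wire, the -s match is only as trustworthy as that segment: any host on the same link can send packets carrying a 192.168.2.0/24 source address.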
I have exactly the same problem and I use ipchains.
Isn't it possible to somehow specify the alias '-i eth0:0' in an ipchains
line?
And what does the error message mean?
"Warning: wierd character in interface `eth0:0' (No aliases, :, ! or *)"
Danial
"Chris Friesen" <cfri...@nortelnetworks.com> wrote:
news:3B12592E...@nortelnetworks.com...
I am running ipchains 1.3.9 under SuSE 6.3. I don't actually have any
aliases, but ipchains doesn't complain about this:
ipchains -A input -i eth0:1 -j ACCEPT
... which seems to suggest that either there is something else wrong
with your syntax (sorry, didn't see the original message) or that your
version of ipchains/iptables differs from mine.
Try using "eth0+", which is a wildcard for anything starting with
"eth0". If you need to treat eth0 differently from eth0:0, you could set
up a chain for eth0 and a chain for eth0 - you would have to test
packets for eth0 before the rest of course:
ipchains -N eth0
ipchains -N eth0aliases
ipchains -A input -i eth0 -j eth0
ipchains -A input -i eth0+ -j eth0aliases
This doesn't solve the problem if you need to distinguish between
multiple aliases.
It seems to me that since each alias presumably has a different IP
address, you could distinguish on IP address, no?
Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (ka...@biplane.com.au) +41-1-8881812 (h)
http://www.biplane.com.au/~kauer/ +41-1-6327531 (w)
Are you sure that that is an error? It might be just a warning. If so,
your rule might work as is. Why not try it and see if it works.
--
Tom Schulz
sch...@adi.com
"Thomas Schulz" <sch...@adi.com> wrote
> >I'm trying to install a firewall.
> >I have these interfaces:
> >eth0 my true ip
> >eth0:0 192.168.2.1
> >
> >When I'm trying this
> >iptables -t filter -A INPUT -i eth0:0 -s 192.168.2.0/24 -j ACCEPT
> >
> >I receive this error:
> >Warning: wierd character in interface `eth0:0' (No aliases, :, ! or *).
>
> Are you sure that that is an error? It might be just a warning. If so,
> your rule might work as is. Why not try it and see if it works.
An alias is meaningless on a physical wire (ifconfig will show the same
hardware address for both eth0 and eth0:0). The interface is still eth0 as
far as the -i and -o flags are concerned. If you bring up the alias
interface you can still filter based on IP address.
Thanks for your answers guys
Problem solved with 2 NICs.
> An alias is meaningless on a physical wire (ifconfig will show the
> same hardware address for both eth0 and eth0:0). The interface is
> still eth0 as far as the -i and -o flags are concerned.
Are you sure about that? Aliases certainly get shown with different
addresses on my Linux system. Here are the first two, with everything
but the "inet addr" lines cut out (the lines wrap though):
eth0 Link encap:Ethernet HWaddr 00:D0:B7:25:B1:55
inet addr:203.26.128.22 Bcast:203.26.128.255
Mask:255.255.255.0
eth0:adi Link encap:Ethernet HWaddr 00:D0:B7:25:B1:55
inet addr:203.26.128.205 Bcast:203.26.128.255
Mask:255.255.255.0