
I have an Ubuntu box with a single NIC. In order to bind a number of services (like apache, dnsmasq, etc.), I have bound them to different aliases (e.g. eth0:0, etc.), some of which are on completely different IP ranges. Since all my client computers are using my Ubuntu box as their default gateway, I was wondering if this iptables rule was necessary:

  iptables --append FORWARD --in-interface eth0:0 -j ACCEPT

(This is facing the clients on 10.2.0.0/24, while this box communicates with my DSL router on 192.168.1.1/24.) I have already enabled IP forwarding, etc.

Basically, I want to know if forwarding is required between aliases that are on different IP ranges (I presume it's required between multiple, separate NICs, but keep in mind I only have one).

I have added this iptables rule for my outbound interface:

  iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

Thanks

Jared


No, strictly speaking you do not need that. You have already made clear, by presumably allowing IPv4 forwarding in sysctl, and by the MASQUERADE rule, what you want to do with packets originating from the 10.2.0.0/24 subnet.

You would need the rule if you were to apply a very strict policy, like everything which is not explicitly permitted is prohibited, or, in other words, if you were to use, as your last iptables rule,

  iptables -t filter --append FORWARD -j DROP

If you do not use this, or if you do not use policy DROP, then you do not need to explicitly allow forwarding by means of that rule because your kernel is already instructed as to how to proceed. But if you are being strict, and your packets run the risk of hitting the rule above, then you would better use it.

BTW, do not use ip aliases, they are seriously deprecated. If you already have eth0 up and running, the following command

  ip addr add 10.2.0.1/24 dev eth0

will add the new address, in a different subnet, to the same NIC. You could see this with

  ip addr show

but not with ifconfig, another obsolete tool which you ought to drop.

  • Excellent, really appreciate it! I will definitely start using ip addr, didn't even know about it. Just a little clarification though, I set up darkstat to capture statistics from eth0:0 (the interface facing my client PCs on 10.2.0.0/24). If I don't use aliases like I am doing, surely I won't be able to do this? I need to capture this before it hits 192.168.1.2/24 (port facing router) as I have bound squid to that, which will anonymize the source IPs (I want to see traffic per IP, hence why I am binding it to eth0:0). Am I missing something? Thanks for your time :)
    – Sgtmullet
    Commented May 23, 2014 at 9:34
  • @Sgtmullet I am not familiar with darkstat, however I am familiar with tcpdump and wireshark, which are just packet sniffers, like darkstat. In both of them you can give instructions to use eth0 as a device, but restricting traffic to the IP 10.2.0.1. I venture to guess it should be possible to do the same in darkstat. In other words, you should be able to select the traffic not just on the basis of the interface but also on the basis of destination IP address. Commented May 23, 2014 at 9:47
  • Makes sense :) Lastly, will those additional ip addresses (added to the existing adapter) stay there after reboot? If that is the case, I presume I will have to actually manually remove them if they are no longer needed?
    – Sgtmullet
    Commented May 23, 2014 at 10:31
  • No, they are not there after reboot. You can add the command above to /etc/rc.local, or, better still, you can modify the file /etc/network/interfaces as suggested in this post on a sister site, serverfault.com/questions/484730/how-this-aliasing-worked. Also, to delete the address in question, just issue the command: ip addr del 10.2.0.1/32 dev eth0. If you have an older version of iproute2, same command without 32. Commented May 23, 2014 at 10:49
  • I find that if I add it to my /etc/network/interfaces and restart the networking, RTNETLINK complains "File exists". I only have a single default gateway set so this is rather confusing. If I follow your steps exactly, surely I shouldn't be getting an error when I run "/etc/init.d/networking restart"?
    – Sgtmullet
    Commented May 24, 2014 at 12:32
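The strict-policy setup the answer describes, written out as an added example (not code from the question, the answer or the comments): the FORWARD policy is DROP, so traffic from the client subnet must be accepted explicitly, return traffic is matched by conntrack, and the rules key on the subnet and the real device rather than on an alias name, which netfilter does not see. The interface and address values are taken from the question; the helper names and everything else are assumptions.

```shell
#!/bin/sh
# Assumed layout, taken from the question: one NIC (eth0) carrying both the
# router-facing address (192.168.1.2/24) and the client-facing 10.2.0.1/24.
set -eu

NIC=${NIC:-eth0}
LAN_NET=${LAN_NET:-10.2.0.0/24}
LAN_ADDR=${LAN_ADDR:-10.2.0.1/24}
IPT=${IPT:-iptables}     # set IPT=echo to preview the rules instead of applying them

# Second address on the real device instead of an eth0:0 alias. 'replace' is
# idempotent, so rerunning does not fail with "RTNETLINK answers: File exists".
add_lan_address() {
    ip addr replace "$LAN_ADDR" dev "$NIC"
}

# Strict forwarding policy: nothing crosses FORWARD unless a rule accepts it.
# Matches are on subnet and real device; netfilter never sees alias names.
apply_forward_rules() {
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -F FORWARD            # this script owns FORWARD and nat/POSTROUTING
    $IPT -t nat -F POSTROUTING
    # Return traffic for connections the clients opened (both legs are on eth0).
    $IPT -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections from the client subnet are allowed out towards the router.
    $IPT -t filter -A FORWARD -s "$LAN_NET" -i "$NIC" -o "$NIC" -m conntrack --ctstate NEW -j ACCEPT
    # Anything else is logged (rate-limited) and then falls to the DROP policy.
    $IPT -t filter -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD-DROP: "
    # Hide the 10.2.0.0/24 sources behind the router-facing address.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$NIC" -j MASQUERADE
}

# Usage: sh gateway.sh apply   (as root); without the argument only the functions are defined.
if [ "${1:-}" = apply ]; then
    sysctl -w net.ipv4.ip_forward=1
    add_lan_address
    apply_forward_rules
fi
```

Running with `IPT=echo sh gateway.sh apply` would still touch the address and sysctl, so preview the rule set by sourcing the file and calling `apply_forward_rules` with `IPT=echo` set.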
