Hi,

I have a question: What are the limitations of routing between several IP addresses belonging to one interface?

I have a box with one network interface, configured to three different IP addresses. It looks something like this:

eth0     xxx.xxx.xxx.11
eth0:01  xxx.xxx.xxx.12
eth0:02  xxx.xxx.xxx.13

What I would like to do is allow eth0's address to accept and open connections to any IP, while the addresses configured to eth0:01 and eth0:02 should also be able to connect wherever they like; incoming connections, however, should be limited to those coming from xxx.xxx.xxx.11. The idea here is to restrict access to a couple of virtual servers (using Linux Vserver) which use the last two IPs.

My current (to me the most likely working) configuration looks something like this:

/etc/shorewall/zones:
net     Net     The Internet

/etc/shorewall/interfaces:
net     eth0    xxx.xxx.xxx.255    multi

/etc/shorewall/params:
REF=net:xxx.xxx.xxx.11
VS1=net:xxx.xxx.xxx.12
VS2=net:xxx.xxx.xxx.13

/etc/shorewall/rules:
ACCEPT  all     $REF    all
ACCEPT  $REF    all     all
ACCEPT  $VS1    all     all
ACCEPT  $VS2    all     all
ACCEPT  fw      net     all

Now this configuration has the only effect that I can't connect to the server from outside.

My knowledge of firewalling is not yet the greatest, so I am willing to get back to studying documentation if my setup is fundamentally flawed. But just in case it is simply not possible to achieve what I had in mind, I'd like to know and research other options.

Thanks for any pointers.

Greetings,
Dietmar

--
The less time planning, the more time programming.
On Tue, 14 Jan 2003 14:21:25 +0100
Dietmar Lang <dietmar@wohnheim.fh-wedel.de> wrote:

> Hi,
>
> I have a question: What are the limitations of routing between several
> IP addresses belonging to one interface?
>
> I have a box with one network interface, configured to three different
> IP addresses. It looks something like this:
>

Well, I used vserver a lot and this is roughly how I do it. Note that this is a rather unorthodox way of doing things and you are probably shooting yourself in the foot.

Assume I have a subnet 192.168.0.0/24 of vservers on a single machine, and I have 1 vserver running httpd (say 192.168.0.1, hence 192.168.0.1:80 must be visible to the world).

/etc/shorewall/interfaces
net     ppp0    detect    norfc1918,tcpflags,routefilter
dmz     lo      detect

/etc/shorewall/zones
net     Net     Internet
dmz     DMZ     DMZ

/etc/shorewall/hosts
dmz     lo:192.168.0.0/24    (I think this is optional)
httpd   lo:192.168.0.1

/etc/shorewall/rules (partial)
DNAT    net     dmz:192.168.0.1    tcp    80
ACCEPT  net     fw                 tcp    80

/etc/shorewall/OUTPUT
iptables -A OUTPUT -o lo -j lo_in

That's about it, I might have missed something but you get the idea.