Larry Price wrote:
> On Fri, 31 Jan 2003, Bob Miller wrote:
>
> > Tell us what problem you're trying to solve, and I'll (try to)
> > tell you why virtual interfaces aren't part of the solution.
>
> the problem:
>
> a host has a single physical interface eth0
> and answers on two ip addresses (10.0.0.2 and 10.0.0.3)
>
> 10.0.0.2 is supposed to answer on ports 21,22,79 and allow outbound
> traffic and existing connections for any other protocol
>
> 10.0.0.3 is supposed to answer on port 80 and not for anything else
>
> ICMP for both addresses is only available from within the 10.0.0.0/25
> segment
You can do all that based on IP address, not interface.
For example...
# HTTP is the only TCP traffic we accept at 10.0.0.3.
# The negation goes before the option, and -j is needed to name the target.
iptables -A INPUT \
--in-interface eth0 \
--protocol tcp \
--destination 10.0.0.3 \
! --destination-port 80 \
-j DROP
iptables is a very low-level way to filter traffic. We need something
higher-level.
--
Bob Miller K<bob>
kbobsoft software consulting
http://kbobsoft.com [EMAIL PROTECTED]
_______________________________________________
Eug-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
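A complete ruleset for the host Larry describes, as an added example that is not part of the original thread or Bob's reply. It does what Bob suggests: every decision is made on the destination address (-d), not the interface, with a default-DROP INPUT policy so only the listed services are reachable. The addresses, ports and interface name come from the thread; the IPT variable, the helper names (rule, apply_rules) and the use of the state match are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Filters by destination address on a single physical interface (eth0).
# Set IPT=echo to preview the commands instead of applying them.

IPT="${IPT:-iptables}"
IFACE=eth0
ADMIN_IP=10.0.0.2     # answers on ftp, ssh, finger; may originate anything
WEB_IP=10.0.0.3       # answers on http and nothing else
LOCAL_NET=10.0.0.0/25 # the only segment allowed to send ICMP to either address

# Hypothetical helper: run (or, with IPT=echo, print) one iptables command.
rule() { "$IPT" "$@"; }

apply_rules() {
    # Start from an empty INPUT chain whose default policy is DROP.
    rule -F INPUT
    rule -P INPUT DROP

    # Loopback traffic is always fine.
    rule -A INPUT -i lo -j ACCEPT

    # 10.0.0.2 may originate outbound connections, so replies to them
    # (and related data connections such as FTP) are accepted back in.
    # Nothing equivalent exists for 10.0.0.3: it does not originate traffic.
    rule -A INPUT -i "$IFACE" -d "$ADMIN_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 10.0.0.2: ftp, ssh and finger only.
    for port in 21 22 79; do
        rule -A INPUT -i "$IFACE" -p tcp -d "$ADMIN_IP" --dport "$port" -j ACCEPT
    done

    # 10.0.0.3: http only (all packets of the connection match, not just SYN).
    rule -A INPUT -i "$IFACE" -p tcp -d "$WEB_IP" --dport 80 -j ACCEPT

    # ICMP to either address only from inside the local /25.
    for ip in "$ADMIN_IP" "$WEB_IP"; do
        rule -A INPUT -i "$IFACE" -p icmp -s "$LOCAL_NET" -d "$ip" -j ACCEPT
    done

    # Anything else to either address falls through to the DROP policy.
    # OUTPUT keeps its default ACCEPT policy, so outbound is unrestricted.
}

# Usage: sh fw.sh apply   (as root)   or   IPT=echo sh fw.sh apply   (preview)
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Two caveats a practitioner would want: because 10.0.0.3 has no ESTABLISHED rule, replies to connections the host initiates from that address are dropped, which is the strict reading of "not for anything else"; and the RELATED match on 10.0.0.2 only picks up FTP data connections if the kernel's FTP connection-tracking helper is loaded (ip_conntrack_ftp on 2.4-era kernels, nf_conntrack_ftp later).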