Larry Price wrote:
> On Fri, 31 Jan 2003, Bob Miller wrote:
>
> > Tell us what problem you're trying to solve, and I'll (try to)
> > tell you why virtual interfaces aren't part of the solution.
>
> the problem:
>
> a host has a single physical interface eth0
> and answers on two ip addresses (10.0.0.2 and 10.0.0.3)
>
> 10.0.0.2 is supposed to answer on ports 21,22,79 and allow outbound
> traffic and existing connections for any other protocol
>
> 10.0.0.3 is supposed to answer on port 80 and not for anything else
>
> ICMP for both addresses is only available from within the 10.0.0.0/25
> segment
You can do all that based on IP address, not interface.  For example...

    # HTTP is the only TCP traffic we accept at 10.0.0.3.
    # (Newer iptables releases spell the negation "! --dport 80".)
    iptables -A INPUT \
        --in-interface eth0 \
        --protocol tcp \
        --destination 10.0.0.3 \
        --destination-port ! 80 \
        -j DROP

iptables is a very low-level way to filter traffic.  We need something
higher-level.

-- 
Bob Miller                              K<bob>
kbobsoft software consulting            http://kbobsoft.com
[EMAIL PROTECTED]
_______________________________________________
Eug-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
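The complete rule set for the policy Larry described, written the way Bob suggests (matching on destination address rather than on a virtual interface), as an added example that is not part of the original thread. It assumes the addresses, ports and interface from Larry's message, a default-deny INPUT policy, and the `state` match for "existing connections"; IPT defaults to `echo iptables` so the script prints the rules instead of applying them (run it as root with `IPT=iptables` to apply).

```shell
#!/bin/sh
# Added example, not from the Eug-LUG thread: one script that expresses the
# whole policy as INPUT-chain rules keyed on destination IP address.
# Assumption: IPT="echo iptables" by default, so this is a dry run that
# prints the rules; set IPT=iptables (as root) to load them for real.

IPT="${IPT:-echo iptables}"
IFACE=eth0
HOST_A=10.0.0.2     # answers ftp, ssh, finger
HOST_B=10.0.0.3     # answers http only
LAN=10.0.0.0/25     # the only segment allowed to send us ICMP

build_rules() {
    # Start from an empty INPUT chain with a default-deny policy; anything
    # not explicitly accepted below is dropped.
    $IPT -F INPUT
    $IPT -P INPUT DROP

    # Loopback, plus replies to connections this host opened ("allow
    # outbound traffic and existing connections for any other protocol").
    # OUTPUT is left at its default ACCEPT policy, so outbound is unfiltered.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMP to either address, but only from the local /25.
    for addr in "$HOST_A" "$HOST_B"; do
        $IPT -A INPUT -i "$IFACE" -p icmp -s "$LAN" -d "$addr" -j ACCEPT
    done

    # 10.0.0.2: new TCP connections to ftp, ssh and finger.
    for port in 21 22 79; do
        $IPT -A INPUT -i "$IFACE" -p tcp -d "$HOST_A" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # 10.0.0.3: new TCP connections to http and nothing else.
    $IPT -A INPUT -i "$IFACE" -p tcp -d "$HOST_B" --dport 80 \
        -m state --state NEW -j ACCEPT
}

# Number of ACCEPT rules the policy produces; a quick sanity check that the
# generated rule set is the size you expect before loading it.
accept_rule_count() {
    build_rules | grep -c -- '-j ACCEPT'
}

# Print (or, with IPT=iptables, load) the rules.
build_rules
```

Ordering matters: the ESTABLISHED,RELATED rule sits before the per-port rules so return traffic for outbound connections is accepted without a per-protocol rule, and the port rules only admit NEW connections, so a packet to 10.0.0.3 port 80 from a never-seen source is the only unsolicited TCP that address will take.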