[Firehol-support] Question about virtual interface
Phil Whineray
phil at sanewall.org
Mon Apr 29 18:47:25 BST 2013
Hi Tony
On Fri, Apr 26, 2013 at 06:46:35PM -0400, Tony Peña wrote:
> I'm wondering how I can set up a firehol.conf with 1 physical and virtual at
> the same time.
> I now have a server outside of my country and it is very difficult if I try to
> set up iptables security and lose my connection...
>
> I used firehol before, with normal ethernets... eth0 and eth1, but never
> with eth0:1,...
The first thing to understand is that eth0:1 is not really a virtual
ethernet device. The eth0:1 is just a naming convention so that tools
such as ifconfig can see multiple IP addresses on an interface. Newer
tools like 'ip' do not need it.
> So..
>
> i got this...
>
> eth0 and eth0:1 to into server from
>
> internet.......cisco....[real-wan-ip] nat inside eth0....10.x.y.z
> internet.......same cisco [real-wan-ip+1] nat inside eth0:1 ....10.x.y.z+1
>
> if i try
>
> interface eth0 phy-net
> policy drop
> server icmp accept
> server ssh accept
> cliente all accept
>
> interface eth0:1 virt-net
> policy drop
> server icmp accept
> server ssh accept
> client all accept
>
> I can't hit eth0 or eth0:1 with icmp / ssh ping...
Is this your actual config? You have a typo "cliente" in the first part.
My main reason for asking is that the expected behaviour from this
configuration is that the rules for phy-net apply to everything and
those for virt-net have no effect.
> For other reasons I need to use this eth0:1 to be able to use another service running
> there.
I do not believe this is possible. The underlying netfilter/iptables does
not have distinct interfaces with the different names, just eth0 with
multiple IP addresses.
> any help will be appreciated...
> my server is now only protected by fail2ban, to try to keep out attacks...
> missing my firehol.conf to defend it harder..
I think you must just use the interface eth0 and any rules that you want
to be specific you must control using src/dst IP addresses.
Here are some other points of reference:
http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html
http://www.linuxquestions.org/questions/linux-security-4/iptables-and-virtual-interfaces-201220/
http://serverfault.com/questions/245208/iptables-with-virtual-interface
http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/42918
> question: if I type firehol try and still can't commit the changes.. is it
> very secure to recover my connection if my ssh is restored before, because I
> have 0 rules applied now?
I'm afraid I'm not sure what you are asking. In my experience firehol try
has proven quite safe for most purposes.
Hope that helps
Phil
--
http://www.sanewall.org/
Sanewall - making sense of firewalling
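As an added illustration of the approach Phil describes (a single `interface eth0` block, with the per-address distinction made through the `dst` rule parameter rather than through a second interface named eth0:1), here is a firehol.conf fragment. It is not from the original thread or from the FireHOL project; the two addresses are constructed placeholders standing in for the 10.x.y.z and 10.x.y.z+1 in Tony's diagram, and the http service on the aliased address is an assumed example of the "other service" he mentions.

```firehol
version 5

# Constructed placeholder addresses: the two IPs that ifconfig shows as
# eth0 and eth0:1. Netfilter sees only eth0 carrying both of them.
primary_ip="10.0.0.2"
alias_ip="10.0.0.3"

# One interface block covers the whole NIC; a second block for eth0:1
# would have no effect, as explained above.
interface eth0 wan
	policy drop

	# Services that should answer only on the primary address
	server icmp accept dst "${primary_ip}"
	server ssh  accept dst "${primary_ip}"

	# Service that should answer only on the aliased address
	# (http is an assumed example of the "other service")
	server http accept dst "${alias_ip}"

	# Outgoing connections from the server itself
	client all accept
```

The same `src`/`dst` parameters work on any `server` or `client` line, so anything that previously would have gone into a separate `interface eth0:1` block is expressed as a rule in the eth0 block qualified by the address it applies to. Test it with `firehol try` so the rules are rolled back automatically if the SSH session is lost.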