Iptables is not only the INPUT chain. I use labels to maintain traffic flow in the NAT table.
Regards,
Yannick MOLINET
Sent from my mobile.
________________________________
From: Bjørn Mork <[email protected]>
Sent: Thursday 26 September 2019 20:11
To: Yannick MOLINET
Cc: Thomas Haller; [email protected]
Subject: Re: Network Alias

Yannick MOLINET <[email protected]> writes:

> In some cases, I use iptables rules based on device... Using
> label. Multiple IPs don't work in this case.

Do labels work in this case? I tried this:

# ifconfig wlan0:0 192.168.2.77/24
# ifconfig wlan0:1 192.168.2.78/24
# iptables -A INPUT -i wlan0:0 -j LOG
# iptables -A INPUT -i wlan0:1 -j LOG
# iptables -A INPUT -i wlan0 -d 192.168.2.77 -j LOG
# iptables -A INPUT -i wlan0 -d 192.168.2.78 -j LOG

ending up with:

# ip addr show dev wlan0
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 44:85:00:11:26:e6 brd ff:ff:ff:ff:ff:ff
    inet 148.122.252.4/29 brd 148.122.252.7 scope global dynamic noprefixroute wlan0
       valid_lft 426130sec preferred_lft 426130sec
    inet 192.168.2.77/24 brd 192.168.2.255 scope global wlan0:0
       valid_lft forever preferred_lft forever
    inet 192.168.2.78/24 brd 192.168.2.255 scope global secondary wlan0:1
       valid_lft forever preferred_lft forever
    inet6 2001:4641:0:2:7627:374e:db74:e353/64 scope global dynamic noprefixroute
       valid_lft 86356sec preferred_lft 14356sec
    inet6 fe80::b0c3:cd67:ca54:e36f/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

or if you prefer:

# ifconfig wlan0:0
wlan0:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.77  netmask 255.255.255.0  broadcast 192.168.2.255
        ether 44:85:00:11:26:e6  txqueuelen 1000  (Ethernet)

# ifconfig wlan0:1
wlan0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.78  netmask 255.255.255.0  broadcast 192.168.2.255
        ether 44:85:00:11:26:e6  txqueuelen 1000  (Ethernet)

And 4 LOG rules:

# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in      out     source               destination
 2705  218K REJECT     all  --  *       *       0.0.0.0/0            0.0.0.0/0            match-set f2b-sshd src reject-with icmp-port-unreachable
    0     0 LOG        all  --  wlan0:0 *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
    0     0 LOG        all  --  wlan0:1 *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
    0     0 LOG        all  --  wlan0   *       0.0.0.0/0            192.168.2.77         LOG flags 0 level 4
    0     0 LOG        all  --  wlan0   *       0.0.0.0/0            192.168.2.78         LOG flags 0 level 4

I'd now expect packets arriving at 192.168.2.77 or 192.168.2.78 to be
counted in two rules each. But pinging 192.168.2.77 from the other end
results in:

root@miraculix:/tmp# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in      out     source               destination
 2705  218K REJECT     all  --  *       *       0.0.0.0/0            0.0.0.0/0            match-set f2b-sshd src reject-with icmp-port-unreachable
    0     0 LOG        all  --  wlan0:0 *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
    0     0 LOG        all  --  wlan0:1 *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
    4   336 LOG        all  --  wlan0   *       0.0.0.0/0            192.168.2.77         LOG flags 0 level 4
    0     0 LOG        all  --  wlan0   *       0.0.0.0/0            192.168.2.78         LOG flags 0 level 4

Nothing ever matches the aliases.

I could be wrong, but I don't think iptables will consider labels. It
matches on netdev only.

Or did I do something wrong here?

Bjørn

> Sent from my mobile.
> ________________________________
> From: Thomas Haller <[email protected]>
> Sent: Saturday 21 September 2019 16:40
> To: Yannick MOLINET; [email protected]
> Subject: Re: Network Alias
>
> On Mon, 2019-09-16 at 06:04 +0000, Yannick MOLINET wrote:
>> Hi all,
>>
>> I'm searching how to add a network alias (and not a secondary IP) on
>> a network interface, like eth0:0 or ens3:1 or dummy0:4, with Network
>> Manager (nmcli).
>
> Hi,
>
> These "aliases" are implemented by the kernel by attaching a "label" to
> the address (IFA_LABEL). This is what you see in the deprecated
> `ifconfig` command line tool. But beyond that, the label is not really
> useful (is it?) and only partly supported by NetworkManager. But
> multiple IP addresses work, of course.
>
> Why do you need the label?
> Just configure multiple IP addresses:
>
> $ nmcli connection modify "$PROFILE" ipv4.addresses "192.168.5.100/24,192.168.6.100/24"
> $ nmcli connection modify "$PROFILE" +ipv4.addresses "192.168.7.100/24"
>
> Note that the ifcfg-rh settings plugin of NetworkManager supports the
> label, but the keyfile plugin does not. That's a severe limitation, to
> the point where it's not useful. Also, nmcli does not support the
> label...
>
> best,
> Thomas
> _______________________________________________
> networkmanager-list mailing list
> [email protected]
> https://office365.eu.vadesecure.com/safeproxy/v3?f=O6bC-AXOI2bts7BFEppdnqgJlVrlv2svw9JgZyU2GpE&i=O5oDBjlIbXFx_WQCpNiLsMqjGH7iPCKseHJmZ-kmm1XUmTJ0LZqNBsZ-g9zKWWljaDpJPZ_UKqCDgu9AHZvEZA&k=pe2g&r=-ipHikBaoLwHPVu2Rw2Jo-N3vgDvfCsoCpgYlWUaULireMRCbURXRWES10MTr-0J&u=https%3A%2F%2Fmail.gnome.org%2Fmailman%2Flistinfo%2Fnetworkmanager-list
_______________________________________________ networkmanager-list mailing list [email protected] https://mail.gnome.org/mailman/listinfo/networkmanager-list
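Bjørn's counters above show the label-keyed rules stuck at 0 packets while the rule keyed on the netdev plus destination address counts the pings. As an added example (not code from the thread or from NetworkManager), the script below derives netdev-plus-address rules from `ip addr show` output and flags `iptables -S` rules still keyed on a label; the sample input is constructed from the addresses in the thread, and the function names are my own.

```sh
#!/bin/sh
# Added example, not code from the thread: iptables matches -i/-o against
# the netdev only, so a rule keyed on an alias label such as wlan0:0 never
# matches. label_rules derives an equivalent rule keyed on the parent device
# plus destination address; dead_label_rules flags rules still keyed on a label.

# Constructed `ip addr show dev wlan0` output (addresses from the thread).
sample_ip_addr() {
  cat <<'EOF'
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 44:85:00:11:26:e6 brd ff:ff:ff:ff:ff:ff
    inet 148.122.252.4/29 brd 148.122.252.7 scope global dynamic noprefixroute wlan0
       valid_lft 426130sec preferred_lft 426130sec
    inet 192.168.2.77/24 brd 192.168.2.255 scope global wlan0:0
       valid_lft forever preferred_lft forever
    inet 192.168.2.78/24 brd 192.168.2.255 scope global secondary wlan0:1
       valid_lft forever preferred_lft forever
    inet6 fe80::b0c3:cd67:ca54:e36f/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
EOF
}

# Constructed `iptables -S INPUT` output: two label-keyed rules, one correct one.
sample_iptables_s() {
  printf '%s\n' '-A INPUT -i wlan0:0 -j LOG' \
                '-A INPUT -i wlan0 -d 192.168.2.77/32 -j LOG' \
                '-A INPUT -i wlan0:1 -j LOG'
}

# stdin: `ip addr show` output. stdout: one iptables command per labelled
# IPv4 address, matching on the parent netdev and the address itself.
label_rules() {
  awk '$1 == "inet" {
    label = $NF                       # the label is the last field
    if (index(label, ":") == 0) next  # plain address, no alias label
    split(label, dev, ":")            # "wlan0:0" -> parent netdev "wlan0"
    split($2, cidr, "/")              # "192.168.2.77/24" -> "192.168.2.77"
    printf "iptables -A INPUT -i %s -d %s -j LOG --log-prefix \"%s: \"\n", dev[1], cidr[1], label
  }'
}

# stdin: `iptables -S` output. stdout: rules whose -i or -o names a label
# (contains a colon); the kernel will never match these.
dead_label_rules() {
  awk '{
    for (i = 1; i < NF; i++) {
      if (($i == "-i" || $i == "-o") && index($(i + 1), ":") > 0) { print; break }
    }
  }'
}
```

Run `sample_ip_addr | label_rules` to see the generated rules, or feed a live `ip addr show` / `iptables -S INPUT` into the two functions instead of the constructed samples.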
