[DONE]Secondary IP Address configuration problem

Postby mackowiakp » Dec 3rd, '13, 19:05

I have two IP addresses on my physical interface eth. Let's say 192.168.10.7 and 192.168.0.7. So it works. But I use an application that works on only one of these addresses, on port, let's say, 10000. It is set up internally in this application to work on address 192.168.0.7. It is not possible to configure the application to work on both addresses.
How can I configure the IP subsystem to "see" my application working on port 10000 with IP address 192.168.10.7?
Any idea?
Last edited by mackowiakp on Dec 4th, '13, 21:34, edited 2 times in total.
Linux is like wigwam. No Windows, no Gates but Apache inside

WARNING ! The administrator has the right to refuse to install WINDOWS, invoking the conscience clause
mackowiakp
 
Posts: 660
Joined: May 23rd, '13, 07:32
Location: Gdynia, Poland

Re: Secondary IP Address

Postby doktor5000 » Dec 3rd, '13, 19:24

How did you assign the IP addresses to the interface? Using aliases?

I'd just create a new loopback interface with that IP address or add an alias to an existing loopback/localhost interface, and then let that application bind to localhost.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 18048
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Secondary IP Address

Postby mackowiakp » Dec 3rd, '13, 20:04

I partially resolved the problem using iptables:

Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 192.168.10.7 --dport 12000 -j DNAT --to 192.168.0.7:12000


So port 12000 can be available on both IP addresses: 192.168.0.7 (eth0), the first, native address for the application, and the secondary address 192.168.10.7 (eth0:0).
But now I want to block all traffic except port 12000 on IP address 192.168.10.7. I want only port 12000 to be available at this address from the outside world.
Can you help me to create such an additional rule? Sorry, but I am not an iptables expert :-(

Re: Secondary IP Address

Postby doktor5000 » Dec 3rd, '13, 21:46

Sorry can't help with iptables, even less as I didn't understand what you're trying to achieve at all. But maybe someone else understands and will help :)

Re: Secondary IP Address

Postby mackowiakp » Dec 3rd, '13, 21:56

OK. No problem. I am right now googling, googling....

Re: Secondary IP Address

Postby jiml8 » Dec 4th, '13, 00:33

Why are you using the MASQ command? You don't need it and it could open a security hole.

Your second command will do what you want to do.

In order to block all other traffic on the eth0:0 port, this rule on the INPUT filter table should do:

Code:
iptables -A INPUT -d 192.168.10.7 -j DROP


You might also want to filter outbound traffic:

Code:
iptables -A OUTPUT -p tcp -s 192.168.10.7 --sport 12000 -j ACCEPT
iptables -A OUTPUT -s 192.168.10.7 -j DROP
Last edited by doktor5000 on Dec 4th, '13, 10:24, edited 1 time in total.
Reason: added code tags, to improve on clarity
jiml8
 
Posts: 1254
Joined: Jul 7th, '13, 18:09
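
The rules in the post above depend on the order of the netfilter hooks: nat PREROUTING rewrites the destination before filter INPUT is evaluated. The following is an added example, not part of the original post; it is a simplified Python model of that order using the thread's two inbound rules, and it assumes no other INPUT rules and a default policy of ACCEPT. The sample packets are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int


# The thread's rules, reduced to the fields they match on.
# nat PREROUTING: -p tcp -d 192.168.10.7 --dport 12000 -j DNAT --to 192.168.0.7:12000
DNAT_RULES = [(("tcp", "192.168.10.7", 12000), ("192.168.0.7", 12000))]
# filter INPUT: -d 192.168.10.7 -j DROP
INPUT_DROP_DST = {"192.168.10.7"}


def prerouting(pkt):
    """nat PREROUTING: rewrite the destination of a matching packet."""
    for match, (new_dst, new_dport) in DNAT_RULES:
        if (pkt.proto, pkt.dst, pkt.dport) == match:
            return replace(pkt, dst=new_dst, dport=new_dport)
    return pkt


def input_filter(pkt):
    """filter INPUT: evaluated after PREROUTING, so it sees the rewritten dst."""
    # Assumption: no other INPUT rules and a default policy of ACCEPT.
    return "DROP" if pkt.dst in INPUT_DROP_DST else "ACCEPT"


def verdict(pkt):
    """Verdict for a packet addressed to this host, in kernel hook order."""
    return input_filter(prerouting(pkt))


# Constructed sample packets arriving on eth0.
SAMPLES = [
    Packet("tcp", "192.168.10.7", 12000),  # forwarded port on the secondary address
    Packet("tcp", "192.168.10.7", 22),     # any other port on the secondary address
    Packet("udp", "192.168.10.7", 12000),  # the DNAT rule is tcp-only
    Packet("tcp", "192.168.0.7", 22),      # primary address: not covered by the DROP
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p.proto} {p.dst}:{p.dport} -> {verdict(p)}")
```

The last sample shows that the DROP rule restricts only the secondary address; ports on 192.168.0.7 stay reachable unless other rules cover them.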

Re: Secondary IP Address

Postby mackowiakp » Dec 4th, '13, 01:58

OK. THX. But I have a problem with the secondary IP address itself at this moment. In /etc/sysconfig/network-scripts I have two files defining the IP addresses and related parameters of the same physical eth interface, eth0 and eth0:0.

For interface eth0:

Code:
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.0.7
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
GATEWAY=192.168.0.1
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=no
USERCTL=yes
DNS1=194.204.159.1
DNS2=217.98.63.164
RESOLV_MODS=no
LINK_DETECTION_DELAY=6
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=no
NM_CONTROLLED=yes

And for interface eth0:0:

Code:
DEVICE=eth0:0
BOOTPROTO=static
IPADDR=192.168.10.7
NETMASK=255.255.255.0
NETWORK=192.168.10.0
BROADCAST=192.168.10.255
GATEWAY=192.168.10.7
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=no
USERCTL=yes
DNS1=194.204.159.1
DNS2=217.98.63.164
RESOLV_MODS=no
LINK_DETECTION_DELAY=6
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=no
NM_CONTROLLED=yes


It works well in the local network. But when I try to ping any host on the Internet, the DNS subsystem reports an error. So no host on the Internet can be reached via its DNS name.
What is the error in my config files? The first config file is the original, created by the system itself.
Any idea?

Re: Secondary IP Address configuration problem

Postby jiml8 » Dec 4th, '13, 04:34

I'm not sure what you are asking here, but if you are referring to your 192.168.10.7 interface, that is totally blocked from the internet (and everyplace else) except for tcp packets on port 12000 if you use the iptables rules I provided.

Re: Secondary IP Address configuration problem

Postby mackowiakp » Dec 4th, '13, 09:22

At this moment I have turned off all iptables rules. So I use a "clean" configuration of one physical interface eth with two IP addresses: primary (192.168.0.7), defined by file:
Code:
/etc/sysconfig/network-scripts/ifcfg-eth0


and secondary (192.168.10.7), defined by file:
Code:
/etc/sysconfig/network-scripts/ifcfg-eth0:0


The contents of both files are listed in the previous post.

So I try to run, for example, this command:
Code:
[root@media network-scripts]# nslookup www.playboy.com
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached


And the system reports an error and DNS cannot resolve the name "www.playboy.com". And any other too.

So I think that I have an error in the configuration of the secondary IP address. Notice that both IP addresses are located in different IP addressing segments. The question is, what am I doing wrong?
I have to say it once more: at this moment I have flushed all iptables rules.
Any idea?

UPDATE!

"route" shows the default gateway as 192.168.10.7 - it is the secondary IP, not the "basic" primary.
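
The posted ifcfg-eth0:0 sets GATEWAY to the alias's own IPADDR, and `route` then reported that address as the default gateway. The following is an added example, not part of the original posts: a small Python check that parses ifcfg-style KEY=VALUE files and flags such GATEWAY values. The finding labels are invented for this example, and the two inputs are shortened copies of the files posted in the thread.

```python
import ipaddress

# Shortened copies of the two files posted in the thread (only the keys checked).
IFCFG_ETH0 = """DEVICE=eth0
IPADDR=192.168.0.7
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
"""
IFCFG_ETH0_0 = """DEVICE=eth0:0
IPADDR=192.168.10.7
NETMASK=255.255.255.0
GATEWAY=192.168.10.7
"""


def parse_ifcfg(text):
    """Parse KEY=VALUE lines; skip blanks, comments and malformed lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip("\"'")
    return cfg


def gateway_findings(cfg):
    """Return labels (names invented for this example) for risky GATEWAY values."""
    gw, ip, mask = cfg.get("GATEWAY"), cfg.get("IPADDR"), cfg.get("NETMASK")
    findings = []
    if not gw:
        return findings
    if ":" in cfg.get("DEVICE", ""):
        # In the thread, `route` showed this alias's GATEWAY as the default gateway.
        findings.append("alias-sets-gateway")
    if gw == ip:
        # The host cannot forward off-link traffic to itself.
        findings.append("gateway-is-own-address")
    if ip and mask:
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if ipaddress.ip_address(gw) not in net:
            findings.append("gateway-off-subnet")
    return findings


if __name__ == "__main__":
    for name, text in (("ifcfg-eth0", IFCFG_ETH0), ("ifcfg-eth0:0", IFCFG_ETH0_0)):
        print(name, gateway_findings(parse_ifcfg(text)) or "ok")
```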

Re: Secondary IP Address configuration problem

Postby jiml8 » Dec 4th, '13, 19:11

Post the entire contents of the response to the following commands here:

Code:
route
ifconfig
iptables -L
iptables -t nat -L


Then we'll see.
Last edited by doktor5000 on Dec 4th, '13, 21:26, edited 1 time in total.
Reason: added code tags, to improve on clarity

Re: Secondary IP Address configuration problem

Postby doktor5000 » Dec 4th, '13, 21:26

Please next time use code tags as explained in ftp://ftp5.gwdg.de/pub/linux/mandriva/m ... e_tags.ogv

Re: Secondary IP Address configuration problem

Postby mackowiakp » Dec 4th, '13, 21:33

OK.

But I found a workaround to resolve my problem with the secondary IP address and iptables.

I removed the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 and placed this line in the Linux startup file, before loading iptables rules:

Code:
ifconfig eth0:0 192.168.10.7 netmask 255.255.255.0


That is all. Both the secondary address and iptables work well!

