  1. #1
    Just Joined!
    Join Date
    Oct 2013
    Posts
    23

    IPTables Firewall Multiple Network Interfaces Question


    Hi friends,

    I have been using the IPtables firewall with Fedora 13 Goddard.

    Currently, I have an IPTables script in the rc.local file.

    The script starts like this:

    #!/bin/sh
    touch /var/lock/subsys/local

    -------

    Then I am configuring about 10 external ip addresses like so:

    -------

    ifconfig eth0:1 199.199.199.199 netmask 255.255.255.199
    route add -host 199.199.199.199 dev eth0


    ifconfig eth0:2 199.199.199.200 netmask 255.255.255.199
    route add -host 199.199.199.200 dev eth0



    ---------------

    1) When I had only 2 or 3 IP addresses it used to load fine.

    But now that I have 10 IP addresses, on boot-up it doesn't configure all the IP addresses.

    I have to open up a shell and type those in manually; then it works fine.

    2) If the firewall is unplugged on eth0, it seems to lose the interface settings and I have to drop all rules, re-run the above commands, followed by my iptables script.



    Is there a way to configure the firewall properly on reboot and ensure that even if the upstream router or the network cable is unplugged, it seamlessly recovers from this event?

    Thank you for your assistance.

  2. #2
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    899
    I don't know about Fedora 13, but in Fedora 15 and forward you set up interface files in /etc/sysconfig/network-scripts/ifcfg-ethx
    where x is something like 0:0
    There is a wealth of information online on how to set up those interface files. There is a similar convention for routes.

  3. #3
    Just Joined!
    Join Date
    Oct 2013
    Posts
    23

    Follow Up question

    Quote Originally Posted by mizzle View Post
    I don't know about Fedora 13, but in Fedora 15 and forward you set up interface files in /etc/sysconfig/network-scripts/ifcfg-ethx
    where x is something like 0:0
    There is a wealth of information online on how to set up those interface files. There is a similar convention for routes.

    I did find the network-scripts for Fedora 13 - and will try that out tonight.

    Is there any problem with adding routes through rc.local?

    Some people said it's 'ugly', but is there any reason it won't work?

    Also, is there any restriction on the maximum number of IPs I can configure per network adapter in the network-scripts directory?


    Thanks!

  4. #4
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    899
    Yes, the problem is those routes are only loaded when the system first boots up. By creating the proper config files, the interfaces will add routes, etc, when networking is started and stopped, as well as when interfaces are brought on or offline.

    This is also the official 'Red Hat' way of doing things, so other administrators would be able to quickly troubleshoot your system.

  5. #5
    Just Joined!
    Join Date
    Oct 2013
    Posts
    23
    Quote Originally Posted by mizzle View Post
    Yes, the problem is those routes are only loaded when the system first boots up. By creating the proper config files, the interfaces will add routes, etc, when networking is started and stopped, as well as when interfaces are brought on or offline.

    This is also the official 'Red Hat' way of doing things, so other administrators would be able to quickly troubleshoot your system.

    Ok thanks - I'll do it the correct way as you recommend.


    I was checking in /etc/sysconfig/network-scripts/ and couldn't find the route-eth0 file.

    Question 1: If I create this file, will it work?


    Question 2:

    I am adding lines as follows (to route-eth0):
    ADDRESS0=xxx.xxx.xxx.xxx
    NETMASK0=xxx.xxx.xxx.xxx
    GATEWAY0=xxx.xxx.xxx.xxx
    ....
    ADDRESSN=xxx.xxx.xxx.xxx
    NETMASKN=xxx.xxx.xxx.xxx
    GATEWAYN=xxx.xxx.xxx.xxx


    Do you know if it is allowed to leave a carriage return between the entries (for readability)?

    Question 3

    I am creating ifcfg-eth0:1 ... eth0:N, to register the network interface using the following:

    DEVICE=eth0:1
    BOOTPROTO=none
    ONPARENT=yes
    IPADDR=xxx.xxx.xxx.xxx
    NETMASK=xxx.xxx.xxx.xxx
    GATEWAY=xxx.xxx.xxx.xxx


    Do I need to create a separate file for each interface, or can this be done in one file?

  6. #6
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    899
    1) Yes, you must create the files. As long as the options are correct, they should work fine.
    2) You can put as many blank lines as you like, AFAIK
    3) Yes, you have to create a new file for each interface.
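
The configuration the two preceding posts settle on, worked through as an added example (this is the editor's illustration, not code from the thread or from Fedora's initscripts): a small POSIX sh script that generates one `ifcfg-eth0:N` file per alias in the form the initscripts `network` service reads through `/etc/sysconfig/network-scripts/ifup-aliases`, validates the netmask first (the kernel refuses a non-contiguous mask, and the `255.255.255.199` shape in the first post is one), and appends static routes to `route-eth0` in the `ADDRESSn/NETMASKn/GATEWAYn` form asked about. Assumptions: the addresses are constructed TEST-NET-1 samples; the directory and parent interface are parameters so the generator can be dry-run without root; eth0 is owned by the `network` service. Two caveats a practitioner would want: the `route add -host` lines in the first post are redundant, since the kernel installs the local and connected routes itself the moment an address is assigned; and NetworkManager of that era does not read alias files, so if the GUI manages eth0, set `NM_CONTROLLED=no` in `ifcfg-eth0` and make sure the `network` service is enabled (`chkconfig network on`), otherwise ifup-aliases never runs.

```shell
#!/bin/sh
# Added example, not from the thread: generate ifcfg-eth0:N alias files in the
# form the Fedora initscripts "network" service (ifup-aliases) reads, plus
# optional static routes for route-eth0.
# Assumptions: eth0 is configured in ifcfg-eth0 and owned by the network
# service (NM_CONTROLLED=no); the addresses are constructed TEST-NET-1
# samples (192.0.2.0/24), not the poster's real ones.

# Succeed only if MASK is a dotted quad whose bits are a contiguous run of
# ones followed by zeros. 255.255.255.224 passes; 255.255.255.199 does not
# (the kernel refuses such a mask with EINVAL).
valid_netmask() {
    mask=$1
    case $mask in *[!0-9.]* | *..* | .* | *.) return 1 ;; esac
    set -- $(printf '%s\n' "$mask" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0 | [1-9]*) ;; *) return 1 ;; esac   # no leading zeros
        [ "$o" -le 255 ] || return 1
    done
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    inv=$(( ~n & 4294967295 ))            # host bits as a mask
    # a contiguous host part is 2^k - 1, so inv & (inv + 1) must be zero
    [ "$n" -ne 0 ] && [ $(( inv & (inv + 1) )) -eq 0 ]
}

# Write ifcfg-PARENT:IDX for one alias. No HWADDR (the MAC belongs to the
# parent) and no GATEWAY (the default route is eth0's); ONPARENT=yes brings
# the alias up and down together with its parent.
write_alias_cfg() {
    dir=$1 parent=$2 idx=$3 ip=$4 mask=$5
    valid_netmask "$mask" || { echo "bad netmask $mask for $ip" >&2; return 1; }
    {
        echo "DEVICE=$parent:$idx"
        echo "BOOTPROTO=none"
        echo "ONPARENT=yes"
        echo "IPADDR=$ip"
        echo "NETMASK=$mask"
    } > "$dir/ifcfg-$parent:$idx"
}

# LIST holds one "ip netmask" pair per line; aliases are numbered from 1 in
# list order. Stops at the first bad entry and reports failure.
write_all_aliases() {
    i=1
    printf '%s\n' "$3" | while read -r ip mask; do
        [ -n "$ip" ] || continue
        write_alias_cfg "$1" "$2" "$i" "$ip" "$mask" || exit 1
        i=$((i + 1))
    done
}

# How many alias files exist for PARENT in DIR.
count_alias_files() {
    n=0
    for f in "$1"/ifcfg-"$2":*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Append one static route to route-PARENT in the ADDRESSn/NETMASKn/GATEWAYn
# form. Not needed for the alias addresses themselves: the kernel installs
# the local and connected routes when an address is assigned.
append_static_route() {
    f="$1/route-$2"
    k=$(grep -c '^ADDRESS[0-9]*=' "$f" 2>/dev/null || true)
    printf 'ADDRESS%s=%s\nNETMASK%s=%s\nGATEWAY%s=%s\n' \
        "${k:-0}" "$3" "${k:-0}" "$4" "${k:-0}" "$5" >> "$f"
}

# Constructed sample input, one alias per line: "ip netmask".
SAMPLE_ALIASES='192.0.2.10 255.255.255.224
192.0.2.11 255.255.255.224
192.0.2.12 255.255.255.224'

# Real use, as root, then "ifdown eth0 && ifup eth0" (or service network restart):
#   write_all_aliases /etc/sysconfig/network-scripts eth0 "$SAMPLE_ALIASES"
#   append_static_route /etc/sysconfig/network-scripts eth0 198.51.100.0 255.255.255.0 192.0.2.1
```

After writing the files, `ifconfig` (or `ip addr show eth0`) should list every alias after `ifup eth0`; if it does not, check that `chkconfig --list network` shows the service on and that `ifcfg-eth0` is not NetworkManager-controlled before touching anything else.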

  7. #7
    Just Joined!
    Join Date
    Oct 2013
    Posts
    23
    Quote Originally Posted by mizzle View Post
    1) Yes, you must create the files. As long as the options are correct, they should work fine.
    2) You can put as many blank lines as you like, AFAIK
    3) Yes, you have to create a new file for each interface.

    Ok, I am going to try it and let you know how it went in a couple of hours.

    Last question.....do you see a problem with putting the iptables script directly in rc.local ?
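
The question in the post above goes unanswered in the thread, so here is an added example from the editor (not code from the thread or from Fedora) of what a practitioner would reach for on Fedora of that era instead of a script in rc.local: keep the rules in `/etc/sysconfig/iptables` in iptables-save format and let the `iptables` service load them. Three things make this preferable. rc.local runs once, late in boot, so nothing re-applies the rules after a `service network restart`; the `iptables` service starts before `network` and loads the file with `iptables-restore`, which installs the whole ruleset atomically, so there is no window in which the host is reachable with empty chains and an ACCEPT policy, which a script that flushes and then appends rule by rule does have; and the rules live in the kernel independently of link state, so unplugging the cable does not lose them (what the first post lost was the hand-added addresses, most likely because something took eth0 down on carrier loss, an assumption since the thread does not say). Assumptions in the code: the addresses and ports are constructed TEST-NET-1 samples, the policy (default DROP, a per-alias TCP allow list, rate-limited logging of the rest) is illustrative rather than the poster's, and the output path is a parameter so the generator can be dry-run without root.

```shell
#!/bin/sh
# Added example, not from the thread: build the firewall as an iptables-save
# file for the Fedora "iptables" service instead of a rule-by-rule script in
# rc.local. Assumptions: constructed TEST-NET-1 addresses, an illustrative
# policy (default DROP, TCP allow list per alias address, rate-limited log
# of the rest), and a caller-supplied output path.

# Emit a complete filter table in iptables-save format.
# $1: alias addresses, space separated; $2: TCP ports allowed on each.
build_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT'
    for ip in $1; do
        for port in $2; do
            echo "-A INPUT -d $ip/32 -p tcp -m state --state NEW --dport $port -j ACCEPT"
        done
    done
    echo '-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "INPUT-DROP: "'
    echo 'COMMIT'
}

# Write the ruleset to $1 readable by root only, as the service expects.
write_ruleset() {
    ( umask 077 && build_ruleset "$2" "$3" > "$1" )
}

# Structural check before the file reaches iptables-restore: one table that
# ends in COMMIT, INPUT policy DROP, and every -A line names a chain
# declared in this file.
ruleset_ok() {
    [ "$(head -n 1 "$1")" = '*filter' ] || return 1
    [ "$(tail -n 1 "$1")" = 'COMMIT' ] || return 1
    grep -q '^:INPUT DROP ' "$1" || return 1
    grep '^-A ' "$1" | awk '{ print $2 }' | sort -u | while read -r chain; do
        grep -q "^:$chain " "$1" || exit 1
    done
}

# Number of per-alias allow rules in the file.
count_alias_rules() {
    grep -c '^-A INPUT -d ' "$1" || true
}

# Constructed sample: three alias addresses, SSH/HTTP/HTTPS on each.
SAMPLE_IPS='192.0.2.10 192.0.2.11 192.0.2.12'
SAMPLE_PORTS='22 80 443'

# Real use, as root:
#   write_ruleset /etc/sysconfig/iptables "$SAMPLE_IPS" "$SAMPLE_PORTS"
#   iptables-restore --test < /etc/sysconfig/iptables   # parse only, no commit
#   service iptables restart && chkconfig iptables on
```

If you would rather keep the existing script, run it once by hand and then `service iptables save`, which dumps the live rules into the same file; either way `chkconfig iptables on` is what makes them load at every boot, and `iptables-restore --test` parses the file without committing it, so a typo is caught before a reboot locks you out.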

  8. #8
    Just Joined!
    Join Date
    Oct 2013
    Posts
    23
    It didn't work

    I tried for quite a long time. Based on the examples given by others, it's pretty straightforward to create the virtual interface like eth0:1, eth0:2

    I tried many permutations, starting with copying eth0 into eth0:1 and modifying the IP address.

    Then I invoked "service network restart"

    This I checked both in the GUI network interface and also through ifconfig to see if eth0:1 was getting created.

    Currently, I have a file named: ifcfg-eth0:1 in the /etc/sysconfig/network-scripts directory.

    Below are some of the options I tried setting:


    DEVICE=eth0:1
    BOOTPROTO=none (also tried static)
    IPADDR= (also tried IPADDR0 like it says in ifcfg-eth0)
    ONBOOT=yes
    ONPARENT=yes (also left this out)
    GATEWAY / GATEWAY0
    NAME="System eth0:1"
    DEFROUTE=yes (also left it out)

    HWADDR=
    UUID=
    PREFIX=



    ----------

    In many of the examples it's really simple. I substituted this example with my own info, but on service network restart I just was not able to see eth0:1

    I only saw eth0, eth1, lo

    DEVICE=eth0:1
    BOOTPROTO=static
    ONBOOT=yes
    TYPE=Ethernet
    IPADDR=172.16.16.126
    NETMASK=255.255.255.224
    GATEWAY=172.16.16.100
    HWADDR=00:0C:29:28:FD:4C

    ---

    This is what my ifcfg-eth0 file looks like:

    DEVICE=eth0
    ONBOOT=yes
    TYPE=Ethernet
    BOOTPROTO=none
    DNS1=xxx.xxx.xxx.4
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=yes
    IPV6INIT=no
    NAME="System eth0"
    UUID=xxxxx
    DNS2=xxx.xxx.xxx.6
    HWADDR=xx
    IPADDR0=xxx.xxx.xx.242
    PREFIX0=28
    GATEWAY0=xxx.xxx.xx.241



    Any help is much appreciated.
    Last edited by DwightK; 10-17-2013 at 07:31 AM. Reason: added further information

  9. #9
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    899
    Try removing the HWADDR and GATEWAY lines, reboot, and see if the interface comes up.
