
Re: Write rule to a virtual interface



On Thursday 20 February 2003 16:10, Ryan McAlister wrote:

Hi Ryan,

> iptables -A INPUT -i eth1 -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A FORWARD -i eth1 -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A INPUT -i eth1 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> iptables -A FORWARD -i eth1 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> iptables -A INPUT -i eth1 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> iptables -A FORWARD -i eth1 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> iptables -A INPUT -i eth1 -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
> iptables -A FORWARD -i eth1 -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
> iptables -A INPUT -i eth1 -p tcp --tcp-flags ACK,FIN FIN -j DROP
> iptables -A FORWARD -i eth1 -p tcp --tcp-flags ACK,FIN FIN -j DROP
> iptables -A INPUT -i eth1  -p tcp --tcp-flags ACK,PSH PSH -j DROP
> iptables -A FORWARD -i eth1 -p tcp --tcp-flags ACK,PSH PSH -j DROP
> iptables -A INPUT -i eth1 -p tcp --tcp-flags ACK,URG URG -j DROP
> iptables -A FORWARD -i eth1 -p tcp --tcp-flags ACK,URG URG -j DROP
> but if someone stealth/syn scans a VIRTUAL interface on the firewall i.e.
> eth1:1 (which dnats to a webserver running behind the firewall) they can
> scan it no problem. I've tried using:
Correct behaviour.

> -i eth1:1 but I get:
> Warning: weird character in interface `eth1:1' (No aliases, :, ! or *).
> Is there any way to write a rule to a virtual interface or any ideas on
> how to stop stealth/syn portscans going to servers behind the firewall?
You should either use "ip" (the iproute command) to add IPs to an interface, because 
aliases are deprecated, or not use -i but match on the corresponding IP instead.

ciao, Marc
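Marc's suggestion (key the rules on the address rather than on an alias name), as an added example that is not part of the thread; the addresses 192.0.2.10 and 10.0.0.5, the /24 prefix, and the helper names are constructed assumptions. The script only prints the commands, so it can be inspected before being applied.

```shell
#!/bin/sh
# Added example (not from the thread): emit the bogus-flag DROP rules from
# the original post keyed on destination address instead of an alias name.
# Assumptions (constructed): the alias address is 192.0.2.10 on eth1 and it
# is DNATed to the web server at 10.0.0.5. nat/PREROUTING rewrites the
# destination before filter/FORWARD sees the packet, so the FORWARD rules
# must match the post-DNAT (internal) address, not the alias address.

ALIAS_IP="192.0.2.10"   # address formerly configured as eth1:1
WEB_IP="10.0.0.5"       # internal web server (DNAT target)
IFACE="eth1"

# mask / comparison pairs exactly as in the original post, one per line
FLAG_SETS="ALL NONE
SYN,FIN SYN,FIN
SYN,RST SYN,RST
FIN,RST FIN,RST
ACK,FIN FIN
ACK,PSH PSH
ACK,URG URG"

# Print one DROP rule per flag set for the given chain and destination.
flag_rules() {
    chain="$1"; dst="$2"
    printf '%s\n' "$FLAG_SETS" | while read -r mask comp; do
        echo "iptables -A $chain -i $IFACE -d $dst -p tcp --tcp-flags $mask $comp -j DROP"
    done
}

# Replace the deprecated eth1:1 alias with a secondary address via iproute.
addr_rule() {
    echo "ip addr add $ALIAS_IP/24 dev $IFACE"
}

# INPUT protects the firewall's own alias address; FORWARD protects the
# DNATed web server and therefore matches the internal address.
all_rules() {
    addr_rule
    flag_rules INPUT "$ALIAS_IP"
    flag_rules FORWARD "$WEB_IP"
}

all_rules
```

Pipe the output into sh on the firewall to apply it; the same rules could instead be placed in mangle/PREROUTING where the pre-DNAT address is still visible.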


