Lars wrote on 27/10/2005 22:32:
> I got a Sarge server, where one of the NICs is divided into a couple of
> virtual NICs.
>
> # eth1 - master (172.16.0.0/27)
> # eth1:1 - proxy (172.16.0.0/27)
> # eth1:2 - dns (172.16.0.0/27)
> # eth1:6 - file (172.16.0.32/29)
>
> LAN_NET='172.16.0.0/27'
> SERVICE_NET='172.16.0.32/29'
>
> But I'm having problems getting the forwards/input of the iptables
> right. How does Debian react to the virtual NICs exactly? When I allow
> INPUT on the file-nic I can't get a connection.

From which IP to which IP are you trying to connect?

> But when I remove the "-d" switch, everything works flawlessly. So is the
> Master (Primary) NIC still needed?
>
> iptables -A INPUT -p tcp -s $LAN_NET -d $FILE_NIC -m multiport --dport 135,137,138,139 -j ACCEPT

What is $FILE_NIC set to?

> The same with Bind, I would like it to use 172.16.0.3, but I can't

(you said 1721.6.0.3, but I corrected that to what you probably meant)

> specify that IP.
>
> iptables -A INPUT -p tcp -s $LAN_NET --dport 53 -j ACCEPT #DNS

You realize that DNS via TCP is usually only used for transfers and nslookup? "Normal" requests are sent via UDP (same port though). That's a problem I also regularly run into even though I should know better.

> Generally it is not a problem, I just don't define the destination. But in
> principle I don't open more than needed.

Which is a good principle.

cu, sven
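An added example, not part of the thread and not Lars's actual script, showing the two points raised above as a rule set: the "-d" match has to name the IP address carried by the alias (netfilter does not match on labels such as eth1:6; a packet for the "file" alias simply arrives on eth1 with that address as its destination), and port 53 has to be opened for UDP as well as TCP. The addresses 172.16.0.3 and 172.16.0.33 are assumptions, since the thread only gives the subnets, and the split of the file-service ports into UDP (137, 138) and TCP (135, 139) goes beyond what was posted.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Firewall input rules for a
# host whose eth1 carries several IP aliases. Netfilter does not match alias
# labels such as eth1:6; a packet for the "file" alias arrives on eth1 with
# destination 172.16.0.33, so the rules match on the address with -d.

LAN_NET='172.16.0.0/27'
SERVICE_NET='172.16.0.32/29'
DNS_IP='172.16.0.3'      # assumed: the address bind is meant to answer on
FILE_IP='172.16.0.33'    # assumed: first host address in the /29 "file" alias

# IPT defaults to a dry run that only prints the commands.
# Run as root with IPT=iptables to actually load the rules.
IPT="${IPT:-echo iptables}"

gen_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DNS: ordinary lookups travel over UDP; TCP is still needed for zone
    # transfers and for answers too large for UDP. Both rules name the
    # address bind listens on instead of leaving -d out.
    $IPT -A INPUT -p udp -s "$LAN_NET" -d "$DNS_IP" --dport 53 -j ACCEPT
    $IPT -A INPUT -p tcp -s "$LAN_NET" -d "$DNS_IP" --dport 53 -j ACCEPT

    # File service: NetBIOS name and datagram services (137, 138) are UDP;
    # the session service (139) and the RPC endpoint mapper (135) are TCP.
    # Matching on FILE_IP rather than on the alias label is what makes
    # the -d form work.
    $IPT -A INPUT -p udp -s "$LAN_NET" -d "$FILE_IP" -m multiport --dports 137,138 -j ACCEPT
    $IPT -A INPUT -p tcp -s "$LAN_NET" -d "$FILE_IP" -m multiport --dports 135,139 -j ACCEPT
}

# Self-checks that run without root: inspect the dry-run output.
# Number of rules that open UDP/53 for the DNS address (expected: 1).
count_udp_dns_rules() {
    ( IPT="echo iptables"; gen_rules ) | grep -c -- "-p udp .*-d $DNS_IP --dport 53"
}

# Number of rules that mention an alias label, which netfilter would not
# match (expected: 0).
count_alias_label_rules() {
    ( IPT="echo iptables"; gen_rules ) | grep -c 'eth1:' || true
}

# Total number of -A INPUT rules emitted (expected: 6).
count_input_rules() {
    ( IPT="echo iptables"; gen_rules ) | grep -c '^iptables -A INPUT'
}

gen_rules
```

Run it without arguments to see the commands it would issue; `IPT=iptables sh script.sh` as root loads them. Changing FILE_IP back to a label like `eth1:6` makes count_alias_label_rules report the mistake, which is the shape of the problem described in the thread.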