
IP Aliases and Firewall


mkraker

Technical User
Jun 26, 2001
I have a network card with an IP address configured on it.

On this network card I defined 8 aliases.

2 of these aliases should be allowed through a firewall, the other 6 aliases not. The problem is with aliases: when I transmit a packet via an alias, the firewall will not detect the IP address of the alias, but the IP address of the network card.

So I cannot configure the firewall so that the aliases are allowed through the firewall.

Any suggestions how to solve this issue?

Thank you

MarkieMark
 
Maybe it is better to ask what you want to do?
Is the WS on Linux or Windows?
 
I'll ask the obvious question first: are you sure that the packets are leaving the AIX system with the alias IP? I mean, have you captured packets and verified that they are?

If so, what kind of firewall are you dealing with? It is possible that the firewall is using anti-spoofing technology, which may match the MAC address in the packet against an ARP cache that resolves to the base IP address (I don't know of any firewall that does this off hand, but it is possible to do).

A NAT server between you and the firewall should resolve your issues, but that may be overkill. Can you give us a rough idea of your network architecture?


pansophic
 
@pansophic

The packets are leaving the system with the IP address of the network card, not the alias. That is my problem; I want the alias IP address to be leaving the system.
That way, I can instruct the firewall that the alias IP address is allowed through the firewall.


But is that possible?

Thanks.
 
It is possible, but it may not be practical. You could use something like IP Tables or IP Chains to rewrite the packets as they leave your system. The problem that I see is that I don't know of any way to determine the application source of the IP packet. Therefore you would have to write one rule that says if the destination is local, use IP address A. If it is remote (based on an IP address mask) then rewrite the packet (IP Masquerading) with address B. If it is a specific remote IP address or range, rewrite with address C.

My IP Tables rule writing is quite dated, so you would probably need to post a question here about it, or do a search through the archives.

It should work, but it is a question of whether or not it will work the way that you want it to.


pansophic
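The two things pansophic asks for, capturing packets to confirm which source address actually leaves the box and then rewriting the source by destination, as an added example that is not code from the thread or from any poster. It models the rewrite as Linux iptables nat/POSTROUTING SNAT rules (AIX has no iptables, so this is the Linux form of the idea); the addresses, the interface name, the destination ranges and the tcpdump lines are all constructed for illustration. The rule strings are only rendered, never executed.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed addresses for illustration; the thread gives none.
PRIMARY = "10.1.1.10"          # the network card's own address
ALIAS_A = "10.1.1.11"          # alias the firewall should let through
ALIAS_B = "10.1.1.12"          # second alias the firewall should let through

# Ordered policy, first match wins, in the shape pansophic describes:
# destination network -> source address to stamp on outgoing packets.
# None means "no rewrite" (a local destination keeps PRIMARY).
# The specific remote range must come before the catch-all remote rule,
# otherwise the catch-all matches first and the specific rule never fires.
SNAT_POLICY: List[Tuple[ipaddress.IPv4Network, Optional[str]]] = [
    (ipaddress.ip_network("10.1.1.0/24"), None),          # local: keep address A (PRIMARY)
    (ipaddress.ip_network("192.168.50.0/24"), ALIAS_B),   # specific remote range: address C
    (ipaddress.ip_network("0.0.0.0/0"), ALIAS_A),         # any other remote: address B
]


def choose_source(dst: str, src: str = PRIMARY) -> str:
    """Source address a packet carries after the POSTROUTING policy runs.

    Only packets that leave with PRIMARY are rewritten; an application that
    already bound its socket to an alias keeps that alias untouched.
    """
    if src != PRIMARY:
        return src
    d = ipaddress.ip_address(dst)
    for net, new_src in SNAT_POLICY:
        if d in net:
            return src if new_src is None else new_src
    return src


def iptables_rules(iface: str = "eth0") -> List[str]:
    """Render SNAT_POLICY as iptables nat/POSTROUTING commands.

    Strings only; nothing is executed here. ACCEPT in the nat table ends
    traversal of the chain, so the local rule shields the later SNAT rules.
    """
    cmds = []
    for net, new_src in SNAT_POLICY:
        base = f"iptables -t nat -A POSTROUTING -o {iface} -s {PRIMARY} -d {net}"
        if new_src is None:
            cmds.append(f"{base} -j ACCEPT")
        else:
            cmds.append(f"{base} -j SNAT --to-source {new_src}")
    return cmds


# Matches the "IP src.port > dst.port:" part of a tcpdump text line (IPv4 only).
_TCPDUMP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")


def parse_tcpdump_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (src, dst) from a tcpdump text line, or None if it does not parse."""
    m = _TCPDUMP_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def verify_capture(lines: List[str]) -> List[Tuple[str, str, str, bool]]:
    """For each captured packet: (src seen, dst, src expected by policy, ok).

    The expected value assumes the application sent from PRIMARY. A packet
    that still shows PRIMARY towards a remote destination is exactly the
    symptom mkraker reports: the firewall sees the card's address, not the alias.
    """
    out = []
    for line in lines:
        parsed = parse_tcpdump_line(line)
        if parsed is None:
            continue          # ARP, IPv6 and other non-matching lines are skipped
        src, dst = parsed
        expected = choose_source(dst)
        out.append((src, dst, expected, src == expected))
    return out


# Constructed capture lines in tcpdump's text format (not real traffic).
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 10.1.1.10.40001 > 192.168.50.7.22: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000002 IP 10.1.1.12.40002 > 192.168.50.7.22: Flags [S], seq 2, win 64240, length 0",
    "12:00:01.000003 IP 10.1.1.11.40003 > 203.0.113.9.80: Flags [S], seq 3, win 64240, length 0",
    "12:00:01.000004 IP 10.1.1.10.40004 > 10.1.1.20.445: Flags [S], seq 4, win 64240, length 0",
    "12:00:01.000005 ARP, Request who-has 10.1.1.1 tell 10.1.1.10, length 28",
]


if __name__ == "__main__":
    for cmd in iptables_rules():
        print(cmd)
    for src, dst, expected, ok in verify_capture(SAMPLE_CAPTURE):
        print(f"{src:>11} -> {dst:<14} expected {expected:<11} {'ok' if ok else 'MISMATCH'}")
```

Run `tcpdump -n -i <iface>` on the outgoing interface (it sees packets after POSTROUTING) and feed the lines to `verify_capture`; the first constructed line is the failure case, a packet that reached a remote destination still carrying the card's address. The firewall-side rule then only has to permit the two alias addresses, and nothing else on that card is reachable through it.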
 
If you wish to deny some users of the WS access to the net, simply create hardware profiles without the LAN card. Or set up a proxy server for filtering of traffic.
I don't know anything about AIX, but on Linux you can create a script and set it to run on user logon to change the IP on the interface; you can also do this on Windows.

If you create this script you can set up different IPs for users.
 