
I am creating a new Virtual Interface:

ifconfig eth0:0 123.123.22.22

The command netstat -tlnp returns something like this:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:50505         0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:7337          0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:3790            0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN      2450/Xvnc4      
tcp        0      0 0.0.0.0:6002            0.0.0.0:*               LISTEN      2626/Xvnc4      
tcp        0      0 192.168.2.77:22         0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:3001          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:52698         0.0.0.0:*               LISTEN      3488/plugin_host
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      -               
tcp6       0      0 ::1:7337                :::*                    LISTEN      -               
tcp6       0      0 :::5901                 :::*                    LISTEN      2450/Xvnc4      
tcp6       0      0 :::5902                 :::*                    LISTEN      2626/Xvnc4      
tcp6       0      0 ::1:631                 :::*                    LISTEN      -               
tcp6       0      0 ::1:5432                :::*                    LISTEN      -               
tcp6       0      0 ::1:6010                :::*                    LISTEN      -  

So, if I run nmap against both the virtual and the physical interface, the result will be the same (this is explained by the "Local Address" column in netstat). I tried to close the ports (5901, 5902, 6001, 6002) on this new virtual interface. The nmap output for both interfaces:

PORT     STATE SERVICE
5901/tcp open  vnc-1
5902/tcp open  vnc-2
6001/tcp open  X11:1
6002/tcp open  X11:2

Command:

sudo iptables -A INPUT -i eth0:0 -p tcp --dport 5901 -j DROP

The port will be unreachable, but still open (for nmap). Is there any way to prevent eth0:0 from listening for traffic from 0.0.0.0?

If a host has two IP addresses, 192.168.1.1 and 10.1.2.1, and a server running on the host listens on 0.0.0.0, it will be reachable at both of those IPs. (wiki)

Goals:

  • Expose new interfaces on the LAN and change the MAC address (so it will look like another machine).
  • Bind Docker containers to the newly created interfaces, exposing services on certain ports.

  • Set default rule to drop all and then open up the ports you actually need? Seems almost like iptables is listening on that port to be able to drop it, and if you were dropping all, maybe it wouldn't show on nmap? – Jeter-work Dec 05 '17 at 16:24
  • @Xalorous My idea was to create a new interface without interfering with the "actual machine conf". I could do this by creating VMs, but I am seeking a more efficient way. – jcardosovtl Dec 05 '17 at 17:01
  • eth0:0 is not a new interface, it is an alias for eth0, with a secondary address. – Johan Myréen Dec 05 '17 at 18:29
  • @JohanMyréen I can use https://unix.stackexchange.com/questions/152331/how-can-i-create-a-virtual-ethernet-interface-on-a-machine-without-a-physical-ad but the problem will prevail. – jcardosovtl Dec 05 '17 at 18:56
  • Please describe what you actually want to achieve: Why do you need "a new interface without interfering with the actual machine conf"? What do you want to do with it? Network namespaces could be what you are looking for. A second IP address on an existing interface is definitely not it. – dirkt Dec 05 '17 at 23:59
  • @dirkt Edited with goals. I already used modprobe and the result is the same. – jcardosovtl Dec 06 '17 at 10:35

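The bind behaviour the question runs into, as an added example that is not part of the original post: a listener bound to 0.0.0.0 answers on every local address, a listener bound to one specific address answers only there, and a connect probe tells the two cases apart exactly the way nmap does (open, closed, filtered). It assumes a Linux host, where the whole 127.0.0.0/8 range is local on lo, so 127.0.0.2 stands in for the secondary address (the eth0:0 alias) without touching a real NIC; the address constants and function names are choices made for this example. Note that a DROP rule produces the "filtered" verdict here (no reply at all), not "open".

```python
import errno
import socket

# Constructed demo, added here; it is not code from the question. It assumes
# Linux, where every 127.0.0.0/8 address is local on lo, so 127.0.0.2 stands
# in for the secondary address (the eth0:0 alias) without touching real NICs.
PRIMARY_ADDR = "127.0.0.1"
SECONDARY_ADDR = "127.0.0.2"


def start_listener(bind_addr):
    """Listen on bind_addr with a kernel-chosen port; return (socket, port).

    "0.0.0.0" is the wildcard: the port is then reachable on every local
    address. Binding to one specific address is the only thing that keeps the
    port closed on the others; no interface setting can do that.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(5)          # the kernel completes handshakes; no accept() needed
    return srv, srv.getsockname()[1]


def probe(addr, port, timeout=0.5):
    """TCP connect probe of one port, classified the way nmap reports it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((addr, port))
    except OSError:
        return "filtered"
    finally:
        s.close()
    if rc == 0:
        return "open"          # SYN/ACK came back: something is bound to addr:port
    if rc == errno.ECONNREFUSED:
        return "closed"        # RST came back: address is local, nothing bound there
    # EAGAIN/EWOULDBLOCK (connect_ex timeout) or ETIMEDOUT: no reply at all,
    # which is what "iptables -j DROP" looks like from the outside
    return "filtered"


def demo():
    """Scan both bind styles from both local addresses; return the verdicts."""
    wildcard, wport = start_listener("0.0.0.0")
    specific, sport = start_listener(SECONDARY_ADDR)
    try:
        return {
            "wildcard": {a: probe(a, wport) for a in (PRIMARY_ADDR, SECONDARY_ADDR)},
            "specific": {a: probe(a, sport) for a in (PRIMARY_ADDR, SECONDARY_ADDR)},
        }
    finally:
        wildcard.close()
        specific.close()


if __name__ == "__main__":
    for style, verdicts in demo().items():
        print(style, verdicts)
```

Running it shows the wildcard listener "open" on both addresses and the specific listener "open" on 127.0.0.2 but "closed" on 127.0.0.1. That is the whole mechanism: the Xvnc4 processes in the netstat output above are bound to 0.0.0.0 and :::, so they answer on the alias address too, and the only fix is to start them bound to a specific address (or to run them in a network namespace where the alias address is the only one they can see).
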
1 Answer


To simulate a second (virtual) ethernet card with a different MAC on top of an existing network card, and from a different namespace (e.g. a container), you need a macvlan interface.

Here are instructions on how to use them in a Docker container.

You seem to be a bit confused about the principles behind some of the networking features you tried. Maybe the following helps:

  • eth0:0 is just the old way the ifconfig tool uses to handle a second IP address on some interface. If you use a newer tool like ip addr, it will just show the second IP address on eth0. This only applies to OSI Layer 3, so there's no different MAC address, it doesn't interact with network namespaces like in Docker, and it's generally a pain to use, because you must make sure every application properly binds to one of the addresses. And this binding is required to prevent an application from listening on 0.0.0.0; there's no way to generically prevent "eth0:0 from listening for traffic from 0.0.0.0" (ignoring that the sentence in that form doesn't make sense at all; interfaces are not listening, applications are listening on certain IP addresses and/or certain interfaces by binding).

  • iptables allows you to do packet filtering, for firewalling, NAT etc. It doesn't allow you to change MAC addresses, to control which applications listen on which address, etc.

  • "I already used modprobe" also makes no sense: modprobe is a way to load kernel modules. If you can't say which kernel module you want to use, for what purpose, and why it isn't loaded automatically in the first place, this sentence conveys no information.

Also, please read up on the XY Problem: When you want to do X, and think you may need to do Y to get to X, always ask about X. Then mention that you tried Y. In a lot of cases (like here) Y is totally wrong.

dirkt
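
The macvlan setup the answer recommends, as an added example (not the answer's own code): it builds the iproute2 command sequence that creates a macvlan child of the physical NIC with its own MAC address, moves it into a fresh network namespace and configures it, so that a service started in that namespace can bind to 0.0.0.0 and still only be reachable on the new address. The parent name eth0, the namespace name svc1, the interface name mv0, the MAC and the addresses are all assumptions chosen for illustration; the MAC check is the practitioner's caveat (a multicast or vendor-assigned MAC is rejected).

```python
import re
import subprocess

# Added example; not from the answer. The values below are assumptions:
# PARENT is the physical NIC, the rest are arbitrary names and addresses.
PARENT = "eth0"
NETNS = "svc1"
IFACE = "mv0"
MAC = "02:42:ac:11:00:10"
CIDR = "192.168.2.200/24"
GATEWAY = "192.168.2.1"

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def is_usable_mac(mac):
    """True for a MAC that can pose as another host on the LAN: well-formed,
    unicast (I/G bit of the first octet clear) and locally administered (U/L
    bit set), so it cannot collide with a vendor-assigned address."""
    mac = mac.lower()
    if not _MAC_RE.match(mac):
        return False
    first = int(mac[:2], 16)
    return (first & 0x01) == 0 and (first & 0x02) != 0


def macvlan_plan(parent=PARENT, netns=NETNS, iface=IFACE, mac=MAC,
                 cidr=CIDR, gateway=GATEWAY):
    """Return the commands (argv lists) that create a macvlan child of `parent`
    with its own MAC, move it into a new network namespace and bring it up.
    Inside that namespace the only addresses are 127.0.0.1 and `cidr`, so a
    server binding to 0.0.0.0 there never answers on the host's own IPs."""
    if not is_usable_mac(mac):
        raise ValueError("refusing multicast or globally administered MAC: %s" % mac)
    ns = ["ip", "netns", "exec", netns]
    return [
        ["ip", "netns", "add", netns],
        ["ip", "link", "add", "link", parent, "name", iface, "address", mac,
         "type", "macvlan", "mode", "bridge"],
        ["ip", "link", "set", iface, "netns", netns],
        ns + ["ip", "addr", "add", cidr, "dev", iface],
        ns + ["ip", "link", "set", "lo", "up"],
        ns + ["ip", "link", "set", iface, "up"],
        ns + ["ip", "route", "add", "default", "via", gateway],
    ]


def apply(plan, dry_run=True):
    """Print each command; with dry_run=False also execute it (needs root)."""
    for argv in plan:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    apply(macvlan_plan())   # dry run: prints the commands without changing the host
```

After `apply(plan, dry_run=False)` as root, `ip netns exec svc1 <server>` runs the service with its own MAC and IP, and `nmap` of the host's primary address no longer shows that service. The Docker equivalent of the same idea is `docker network create -d macvlan --subnet=192.168.2.0/24 --gateway=192.168.2.1 -o parent=eth0 lan` followed by `docker run --network lan --ip 192.168.2.200 --mac-address 02:42:ac:11:00:10 ...` (values assumed as above). One caveat that applies to both: with macvlan the parent interface and its children cannot talk to each other directly, so the host itself will not reach the new address through eth0; other machines on the LAN will.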