topic Re: IPCHAINS in Operating System - Linux

IPCHAINS

Bill Whittaker — Mon, 25 Sep 2000 18:48:11 GMT

Need info on IPchains. I want to forward the packet to one of two locations based on source address, AND destination address..help help

Re: IPCHAINS

Joshua K — Tue, 26 Sep 2000 20:53:23 GMT

heres a few commands that would help you
from the IPCHAINS HOWTO
by Rusty Russell

#
#ipchains -A input -i ! lo -j DENY
#ipchains -A output -i ! lo -j DENY
#ipchains -A forward -j DENY
#

that sets up to deny all except loopback...
then from there you want to setup new chains to make your forwarding more managable...

#
#ipchains -N one-host
#ipchains -N second-host
#

from there you want to start doing some filtering based on the source or destination addresses...
to filter the source you use the -s like

#
#ipchains -s 190.23.12.0/15 -i ppp0 -j one-host
#

that would send all packets from the addresses (190.23.12.0 - 190.23.12.15) across the ppp0 interface to the chains group one-host

#
#ipchains -d 197.23.12.0/15 -i ppp0 -j one-host
#

that would do the same except filter based on the dest. address

if you need more detailed information check out the ipchains howto, you can find it online at http://www.linux.org/docs/ldp/howto/IPCHAINS-HOWTO.html
its a great help in understanding ipchains

Re: IPCHAINS

Albert E. Whale, CISSP — Mon, 02 Oct 2000 16:39:57 GMT

Bill,

Has your problem been resolved, or do you need further assistance?

Re: IPCHAINS

Bill Whittaker — Mon, 02 Oct 2000 19:45:20 GMT

Albert,
Still having some trouble. This is the deal
I support 57 public libraries. They connect to my network via a private frame relay network to access their holdings / patron database, as well as to get connected to the internet. One of the biggest reasons for the libarary patrons to go to the net is to research. To aid in this the libraries subscribe to on line databases, (Worldbook, Gale, Ebsco etc) The trouble is that they don't all subscribe to the same ones.
What I wanted to do is.. Have incoming packets point at the IPchains box (Which is inside a PIX firewall. If the destination address is allowed to go to the source address (ie they subscribe to that database) they would be sent to the PIX firewall, but with the IPchains IPaddress (This would be statically translated to a global address). This address would be translated to a registered address by the PIX. The database would verify the address and authenticate them. If they don't subsribe, I would want the IPchains box to send the packet to the PIX with the orginal address. The pix will then give it a random natted address. This address will fail authentication at the database, but they will be able to get whatever free services are availble ... I think it will work, I just can't seem to figure out the IPchains howto. ITs pretty confusing

Re: IPCHAINS

Albert E. Whale, CISSP — Mon, 02 Oct 2000 20:13:59 GMT

Bill,

This is a little more complex than I would expect everyone else to be interested in. Please let me know if there is any interest in continuing this quest off-line.

Talk to you soon (aewhale@hky.com)