
IPCHAINS

 
Bill Whittaker
Advisor

IPCHAINS

Need info on IPchains. I want to forward the packet to one of two locations based on source address AND destination address. Help, help!
You will be assimilated. Resistance is futile
Joshua K
New Member

Re: IPCHAINS

Here are a few commands that would help you, from the IPCHAINS HOWTO by Rusty Russell:

# deny everything that does not come in or go out on the loopback interface
ipchains -A input -i ! lo -j DENY
ipchains -A output -i ! lo -j DENY
ipchains -A forward -j DENY

That sets things up to deny all except loopback.
Then from there you want to set up new chains to make your forwarding more manageable:

# create two user-defined chains, one per destination host
ipchains -N one-host
ipchains -N second-host

From there you want to start doing some filtering based on the source or destination addresses.
To filter on the source you use -s, like:

# /28 covers 190.23.12.0 - 190.23.12.15 (a /15 would cover 190.22.0.0 - 190.23.255.255)
# rules are checked in order, so this must sit before the catch-all DENY above:
# add it before that rule, or use -I input to insert it at the head of the chain
ipchains -A input -s 190.23.12.0/28 -i ppp0 -j one-host

That would send all packets from the addresses (190.23.12.0 - 190.23.12.15) across the ppp0 interface to the chain one-host.

# /28 again: 197.23.12.0 - 197.23.12.15, this time matched on the destination
ipchains -A input -d 197.23.12.0/28 -i ppp0 -j one-host

That would do the same, except filter based on the destination address.

If you need more detailed information check out the ipchains HOWTO; you can find it online at http://www.linux.org/docs/ldp/howto/IPCHAINS-HOWTO.html
It's a great help in understanding ipchains.
Ale is good any time of day.
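To show what the original question asked for (a forwarding decision keyed on source AND destination at once), here is an added example that is not from this thread or from the HOWTO. It assumes constructed library subnets and database-provider addresses (not real ones), puts every "this library subscribes to this database" pair on one rule carrying both -s and -d, and runs as a dry run by default so it can be read and checked on a box without ipchains.

```shell
#!/bin/sh
# Added example (constructed addresses). ipchains matches a rule only when every
# criterion on it matches, so -s and -d on the same rule mean "from this library
# subnet AND to this database host". Dry run by default: set IPCHAINS=ipchains on
# a 2.2-kernel box to actually apply the rules.
IPCHAINS="${IPCHAINS:-echo ipchains}"

# Subscription table (constructed): "<library subnet> <database host>" per line.
SUBSCRIPTIONS='
10.10.1.0/24 192.0.2.10
10.10.1.0/24 192.0.2.20
10.10.2.0/24 192.0.2.10
'

build_forward_rules() {
    # Start from a clean forward chain with deny-by-default policy.
    $IPCHAINS -F forward
    $IPCHAINS -P forward DENY
    # One user-defined chain holds all subscribed (source, destination) pairs.
    $IPCHAINS -N subscribed 2>/dev/null
    $IPCHAINS -F subscribed
    echo "$SUBSCRIPTIONS" | while read -r src dst; do
        [ -n "$src" ] || continue
        # Both -s and -d on one rule: only packets from src AND to dst match.
        $IPCHAINS -A subscribed -s "$src" -d "$dst" -j ACCEPT
    done
    # Every forwarded packet is handed to the subscribed chain first; anything
    # that matches no pair returns here and is logged (-l) before being denied,
    # so unsubscribed library-to-database attempts show up in the kernel log.
    $IPCHAINS -A forward -j subscribed
    $IPCHAINS -A forward -l -j DENY
}

# Number of per-pair rules the table produces (one per non-blank line).
subscription_count() {
    echo "$SUBSCRIPTIONS" | grep -c '[0-9]'
}

build_forward_rules
```

With the default dry run the script only prints the ipchains commands it would issue, which is a convenient way to review the generated rule set before loading it.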
Albert E. Whale, CISSP
Honored Contributor

Re: IPCHAINS

Bill,

Has your problem been resolved, or do you need further assistance?

Sr. Systems Consultant @ ABS Computer Technology, Inc. http://www.abs-comptech.com/aewhale.html & http://www.ancegroup.com
Bill Whittaker
Advisor

Re: IPCHAINS

Albert,
Still having some trouble. This is the deal:
I support 57 public libraries. They connect to my network via a private frame relay network to access their holdings / patron database, as well as to get connected to the internet. One of the biggest reasons for the library patrons to go to the net is to research. To aid in this the libraries subscribe to online databases (Worldbook, Gale, Ebsco etc.). The trouble is that they don't all subscribe to the same ones.
What I wanted to do is: have incoming packets point at the IPchains box (which is inside a PIX firewall). If the destination address is allowed to go to the source address (i.e. they subscribe to that database) they would be sent to the PIX firewall, but with the IPchains IP address (this would be statically translated to a global address). This address would be translated to a registered address by the PIX. The database would verify the address and authenticate them. If they don't subscribe, I would want the IPchains box to send the packet to the PIX with the original address. The PIX will then give it a random NATted address. This address will fail authentication at the database, but they will be able to get whatever free services are available. I think it will work, I just can't seem to figure out the IPchains HOWTO. It's pretty confusing.
You will be assimilated. Resistance is futile
Albert E. Whale, CISSP
Honored Contributor

Re: IPCHAINS

Bill,

This is a little more complex than I would expect everyone else to be interested in. Please let me know if there is any interest in continuing this quest off-line.

Talk to you soon (aewhale@hky.com)
Sr. Systems Consultant @ ABS Computer Technology, Inc. http://www.abs-comptech.com/aewhale.html & http://www.ancegroup.com