[lug] Help with ipchains
dradom at redback.com
Sun Nov 26 21:10:19 MST 2000
You'll want to use ipmasqadm for that. It will handle the redirection of
the port to another machine on the LAN.
ipmasqadm portfw -a -P tcp -L $EXTERNALIP 80 -R 192.168.0.22 80
would redirect web traffic, for example.
----- Original Message -----
From: "Phil Rasch" <pjr at ucar.edu>
To: <lug at lug.boulder.co.us>
Sent: Sunday, November 26, 2000 8:52 PM
Subject: [lug] Help with ipchains
> I now have a 24x7 fast connection at home sitting behind a single
> static IP. I have inserted a Linux firewall sitting between the modem
> and a hub, with some other linux and windows machines on the home LAN.
> I set up the firewall (running Red Hat 6.2) using the basic script from the
> "Red Hat Linux 6.X as an Internet Gateway for a Home Network".
> It is working fine as a basic firewall. Now I want to expand its
> capabilities and I am hitting a wall. Here is what I want.
> There are a couple of trusted machines that I need to be able to
> open an X-client window to a Linux machine behind the firewall at
> home. Right now the firewall is too restrictive. It rejects virtually
> all incoming packets. I want it to redirect TCP and UDP packets from a
> particular machine at work (22.214.171.124) to a particular machine at home
> (192.168.1.2). I have tried to create the correct chain and haven't
> figured it out. I hope one of you can advise me.
> The ipchains ruleset is so small that I think there is a chance you
> can understand it in a jiffy. Here is the default ruleset.
> #1) flush the rule tables
> /sbin/ipchains -F input
> /sbin/ipchains -F forward
> /sbin/ipchains -F output
> #2) set the MASQ timings and allow packets in for DHCP configuration
> /sbin/ipchains -M -S 7200 10 60
> /sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 68 -d 0/0 67 -p udp
> #3) deny all forwarding packets except those from local net. Masq
> /sbin/ipchains -P forward DENY
> /sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
> #4) load forwarding modules for special services.
> /sbin/modprobe ip_masq_ftp
> /sbin/modprobe ip_masq_portfw
> /sbin/modprobe ip_masq_raudio
> Here is my last attempt (embedded at the appropriate points above)
> /sbin/ipchains -N work-in
> /sbin/ipchains -F work-in
> /sbin/ipchains -A work-in -p UDP -l -j REDIRECT -d 192.168.1.2
> /sbin/ipchains -A work-in -p TCP -l -j REDIRECT -d 192.168.1.2
> # catch stuff from 126.96.36.199 and send to work-in chain
> /sbin/ipchains -A input -j work-in -i eth0 -l -s 188.8.131.52
> I have also used ACCEPT rather than REDIRECT, and tried to use the
> port-forwarding capabilities of /usr/sbin/ipmasqadm portfw,
> but I haven't got it figured out.
> Any kind souls with a suggestion?
> Phil Rasch, Climate Modeling Section, National Center for Atmospheric
> Mail --> P.O. Box 3000, Boulder CO 80307
> Shipping --> 1850 Table Mesa Dr, Boulder, CO 80305
> email: pjr at ucar.edu, Web: http://www.cgd.ucar.edu/cms/pjr
> Phone: 303-497-1368, FAX: 303-497-1324
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
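Putting the reply's ipmasqadm suggestion together with the "only from that one machine at work" restriction the question asks for, here is an added example script (not code from either poster). It assumes the external interface is eth0 and uses constructed placeholder addresses for the public IP and the trusted host; the 192.168.1.2 target is the one from the question.

```sh
#!/bin/sh
# Added example, not code from the original thread. It builds the rules the
# reply's one-liner implies for the quoted question: let one trusted host reach
# one internal machine on chosen ports, with everything else still rejected.
# ipmasqadm portfw matches only the local address and port, never the source,
# so the "only from work" restriction has to live in the ipchains input chain.
# All addresses below are constructed placeholders; override them via the
# environment. DRY_RUN=1 (the default) prints the commands instead of running them.
EXTERNALIP="${EXTERNALIP:-203.0.113.10}"   # firewall's static public address
TRUSTED="${TRUSTED:-198.51.100.5}"         # the one machine at work
INTERNAL="${INTERNAL:-192.168.1.2}"        # target on the home LAN
IFACE="${IFACE:-eth0}"                     # external interface (assumed)
PORTS="${PORTS:-22}"                       # space-separated service ports
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Load the module and clear old port-forwarding entries so re-running is safe.
reset_portfw() {
    run /sbin/modprobe ip_masq_portfw
    run /usr/sbin/ipmasqadm portfw -f
}

# One port, one protocol: accept on input only when it comes from the trusted
# host to our public address, then hand the connection to the internal machine.
forward_port() {
    proto="$1"; port="$2"
    run /sbin/ipchains -A input -i "$IFACE" -p "$proto" \
        -s "$TRUSTED" -d "$EXTERNALIP" "$port" -j ACCEPT
    run /usr/sbin/ipmasqadm portfw -a -P "$proto" \
        -L "$EXTERNALIP" "$port" -R "$INTERNAL" "$port"
}

# Log (-l) and drop anything else aimed at a forwarded port, so probes from
# other sources show up in syslog instead of reaching the LAN.
deny_others() {
    proto="$1"; port="$2"
    run /sbin/ipchains -A input -i "$IFACE" -p "$proto" \
        -d "$EXTERNALIP" "$port" -l -j DENY
}

reset_portfw
for port in $PORTS; do
    for proto in tcp udp; do
        forward_port "$proto" "$port"   # accept rule must precede the deny
        deny_others "$proto" "$port"
    done
done
```

Run it once with DRY_RUN=1 to review the generated rules, then with DRY_RUN=0 as root on the gateway; these rules belong after the flush in step 1 and before the forward rules in step 3 of the quoted script.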