[lug] Help with ipchains

Dan Radom dradom at redback.com
Sun Nov 26 21:10:19 MST 2000

You'll want to use ipmasqadm for that.  it will handle the redirections of
the port to another machine on the lan.

ipmasqadm portfw -a -P tcp -l $EXTERNALIP 80 -R 80

would redirect web traffic for example.

----- Original Message -----
From: "Phil Rasch" <pjr at ucar.edu>
To: <lug at lug.boulder.co.us>
Sent: Sunday, November 26, 2000 8:52 PM
Subject: [lug] Help with ipchains

> I now have a 24x7 fast connection at home sitting behind a single
> static IP. I have inserted a Linux firewall sitting between the modem
> and a hub, with some other linux and windows machines on the home LAN.
> I set up the firewall (running redhat 6.2) using the basic script from the
> "Red Hat Linux 6.X as an Internet Gateway for a Home Network"
> http://www.coastnet.com/~pramsey/linux/homenet.html
> It is working fine as a basic firewall. Now I want to expand its
> capabilities and I am hitting a wall. Here is what I want.
> There are a couple of trusted machines that I need to be able to
> open an X-client window to the a linux machines behind the firewall at
> home. Right now the firewall is too restrictive. It rejects virtually
> all incoming packets. I want it to redirect TCP and UDP packets from a
> particular machine at work ( , to a particular machine at home
> ( I have tried to create the correct chain and havent
> figured it out. I hope one of you can advise me.
> The ipchains ruleset is so small that I think there is a chance you
> can understand it in a jiffy. Here is the default ruleset.
>     #1) flush the rule tables
>     /sbin/ipchains -F input
>     /sbin/ipchains -F forward
>     /sbin/ipchains -F output
>     #2) set the MASQ timings and allow packets in for DHCP configuration
>     /sbin/ipchains -M -S 7200 10 60
>     /sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 68 -d 0/0 67 -p udp
>     #3) deny all forwarding packets except those from local net. Masq
>     /sbin/ipchains -P forward DENY
>     /sbin/ipchains -A forward -s -j MASQ
>     #4) load forwarding modules for special services.
>     /sbin/modprobe ip_masq_ftp
>     /sbin/modprobe ip_masq_portfw
>     /sbin/modprobe ip_masq_raudio
> Here is my last attempt (embedded at the appropriate points above)
>     /sbin/ipchains -N work-in
>     /sbin/ipchains -F work-in
>     /sbin/ipchains -A work-in -p UDP -l -j REDIRECT -d
>     /sbin/ipchains -A work-in -p TCP -l -j REDIRECT -d
>     # catch stuff from and send to work-in chain
>     /sbin/ipchains -A input -j work-in -i eth0 -l -s
> I have also use ACCEPT rather than REDIRECT, and tried to use the
> portforwarding capabilities of /usr/sbin/ipmasqadm portfw
> But I havent got it figured out.
> Any kind souls with a suggestion?
> Thanks
> Phil
> --
> Phil Rasch, Climate Modeling Section, National Center for Atmospheric
> Mail     --> P.O. Box 3000, Boulder CO 80307
> Shipping --> 1850 Table Mesa Dr, Boulder, CO 80305
> email: pjr at ucar.edu, Web: http://www.cgd.ucar.edu/cms/pjr
Phone:303-497-1368, FAX: 303-497-1324
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

More information about the LUG mailing list