ImageStream - ipchains Firewalling and Packet-Filtering

Quick Start Guide

Ipchains is a powerful packet-filtering tool available on ImageStream routers with Enterprise Linux version 2.0 to 3.0. This document will provide examples on how to use Ipchains to add basic firewalling, port forwarding and network address translation (NAT) capabilities to your ImageStream router. More in-depth information is available in the iptables HOWTO linked to the Other On-line Resources page on this site.

Ipchains Basics

Ipchains is a utility used to set up, maintain, and inspect the packet filtering rules in Enterprise Linux. Ipchains organizes its rules into chains. A chain is a set of rules that tells ipchains how to manipulate a packet that matches a given rule. Even with no user-defined ipchains rules on your router, each packet passing through the router flows through at least one of the three predefined chains in the operating system:

       ---------------------------------------------------------------
       |            ACCEPT/                             lo interface |
       v           REDIRECT                  _______                 |
-> C -------> ______ --> D --> ~~~~~~~~ -->|forward|---> _______ -->
   h         |input |    e    {Routing }   |Chain  |    |output |ACCEPT
   e         |Chain |    m    {Decision}   |_______|--->|Chain  |
   c         |______|    a     ~~~~~~~~        |    | ->|_______|
   k            |        s       |             |    | |     |
   s            |        q       |             v    | |     |
   u            v        u       v            DENY/ | |     v
   m          DENY/      e   Local Process   REJECT | |   DENY/
   |         REJECT      r       |                  | |  REJECT
   |                     a       -------------------- |
   v                     d ----------------------------
  DENY                   e

When a packet enters the router, ipchains first verifies the packet checksum. The packet then enters the input chain. If it passes the input chain, ipchains checks whether it is a reply to a masqueraded packet (masquerading is the ipchains form of NAT); if it is, ipchains demasquerades the packet and sends it directly to the output chain. Otherwise the system makes a "Routing Decision": the router determines whether the packet needs to be forwarded or is destined for a local interface on the router. A packet destined for a local process on the router is delivered to that process. A packet that needs to be forwarded passes through the forward chain and is then sent to the output chain. A packet generated by a local process on the router passes only through the output chain. By default, each chain accepts every packet.

Ipchains Firewall Setup

This section will provide an example of a basic firewall setup using Ipchains. We will start with defining a new "firewall" chain.

ipchains -N firewall

This creates a new chain named firewall. Next, we will add some rules to this firewall chain.

ipchains -A firewall -i eth1 -s 192.168.0.0/16 \
-j DENY 

This adds a new rule to the firewall chain. The "-A" option (add) tells ipchains to append this rule to the firewall chain. The "-i" (interface) option tells ipchains to apply this rule only to packets on the eth1 interface. The "-s" (source) option ensures that only packets with a source address in 192.168.0.0/16 (Class B) will match this rule. The "-j" (jump) option tells ipchains what to do with a packet that matches the rule; in this example, ipchains will deny the packet. Taken as a whole, this command denies all packets on eth1 with a source IP address in 192.168.0.0/16.

Other valid commands and options are listed in the iptables HOWTO linked to the Other On-line Resources page on this site. Here are several common example chain commands:

ipchains -A firewall -s 128.211.243.16 -d 128.211.245.156 \
-j ACCEPT

This command will accept all traffic from 128.211.243.16 to 128.211.245.156.

ipchains -A firewall -i eth1 -d 128.211.245.156 -p tcp --dport 21 \
-j DENY

This command will deny all traffic on eth1 for the ftp port (port 21) where the destination is 128.211.245.156.

You can add any number of rules to a chain. After all of the processing rules have been added to the firewall chain, we need to send incoming packets (packets passing through the forward chain, as described above) to our user-defined firewall chain.

ipchains -A forward -j firewall

This command sends all packets that are in the forward chain to also pass through the firewall chain. Below is a complete example of a simple firewall. In this example, the incoming interface is eth1 and eth0 is being firewalled.

# begin example
# setup the firewall chain
ipchains -N firewall

# add rules to the chain
ipchains -A firewall -i eth1 -s 192.168.0.0/16 -j DENY
ipchains -A firewall -i eth1 -s 205.159.243.0/24 -d 128.211.245.156 \
-j ACCEPT
ipchains -A firewall -i eth1 -s 216.117.0.0/16 -p tcp --dport 21 \
-j ACCEPT
ipchains -A firewall -i eth1 -d 128.211.245.156 -p tcp --dport 21 \
-j DENY

# insert the firewall chain into the forward chain
ipchains -A forward -j firewall
# end example
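The same firewall chain, rebuilt as an added example (not the page's own script) with a default-deny forward policy, anti-spoofing checks and logging of dropped packets. The interface name, the protected network and the PREVIEW switch are assumptions; the server and FTP client addresses are the page's. One caveat the page does not state: in the forward chain ipchains matches -i against the outgoing interface, so this script puts arrival-interface checks in the input chain and lets the firewall chain decide on addresses and ports only.

```shell
#!/bin/sh
# Added example, not from the ImageStream page: the page's "firewall" chain rebuilt
# with a default-deny forward policy, anti-spoofing checks and logging (-l) of what
# is dropped. Interface name, protected network and the PREVIEW switch are
# assumptions; 128.211.245.156 and 216.117.0.0/16 come from the page's example.
# Caveat: in the forward chain ipchains matches -i against the OUTGOING interface,
# so arrival-interface checks go in the input chain and the firewall chain
# (reached from forward) decides on addresses and ports only.
PREVIEW="${PREVIEW:-}"        # PREVIEW=1 prints the commands instead of applying them
EXT_IF="eth1"                 # assumed: interface facing the Internet
PROTECTED="128.211.245.0/24"  # assumed: the network behind the router
SERVER="128.211.245.156"      # server address from the page's example
FTP_CLIENTS="216.117.0.0/16"  # network allowed to reach FTP, from the page's example
fw() { if [ -n "$PREVIEW" ]; then printf 'ipchains %s\n' "$*"; else ipchains "$@"; fi; }

build_firewall() {
    # Re-runnable: detach, empty and delete any earlier copy of the chain.
    fw -D forward -j firewall 2>/dev/null || true
    fw -F firewall 2>/dev/null || true
    fw -X firewall 2>/dev/null || true
    fw -N firewall
    # Input chain (-i = arrival interface): packets from the Internet must not
    # claim a private, loopback or internal source address.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 "$PROTECTED"; do
        fw -A input -i "$EXT_IF" -s "$net" -l -j DENY
    done
    # Firewall chain: outbound from the protected network is allowed; inbound is
    # limited to listed services plus replies. -y matches TCP packets with only
    # SYN set (new connections), so "! -y" is traffic of established connections.
    fw -A firewall -s "$PROTECTED" -j ACCEPT
    fw -A firewall -s "$FTP_CLIENTS" -d "$SERVER" -p tcp --dport 21 -j ACCEPT
    fw -A firewall -d "$SERVER" -p tcp --dport 21 -l -j DENY
    fw -A firewall -d "$SERVER" -p tcp --dport 80 -j ACCEPT
    fw -A firewall -d "$PROTECTED" -p tcp ! -y -j ACCEPT
    # ipchains is stateless: UDP replies must be matched by source port (DNS here).
    fw -A firewall -p udp -s 0.0.0.0/0 53 -d "$PROTECTED" -j ACCEPT
    fw -A firewall -l -j DENY
    # Hand forwarded packets to the chain, then make the forward policy DENY so
    # anything that falls off the end of the chain is dropped.
    fw -A forward -j firewall
    fw -P forward DENY
}

case "${1:-}" in
    apply)   build_firewall ;;
    preview) PREVIEW=1; build_firewall ;;
esac
```

Run it as "sh firewall.sh preview" to review the generated ipchains commands before applying them with "apply".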

Ipchains: IP Masquerading and Port Forwarding with Ipmasqadm

Ipchains IP Masquerading

IP Masquerading is a form of NAT (Network Address Translation) that is available on ImageStream routers running version 3.0 or earlier.

Below is an example of IP masquerading in which all traffic from 192.168.0.0/24 that is on eth1 is masqueraded to the outbound interface's IP address. In this example the outbound interface has an IP address of 1.2.3.4. This allows all of the machines on the 192.168.0.0 network to talk to the 1.2.3.0 network.

ipchains -A forward -s 192.168.0.0/24 -j MASQ

This rule masquerades all forwarded packets with a source address in 192.168.0.0/24. Machines on the 1.2.3.0 network will see all masqueraded packets as coming from the 1.2.3.4 machine. This allows the 192.168.0.0 network to access the 1.2.3.0 network.

Ipmasqadm and Port Forwarding

Port forwarding can be used to hide a server behind a firewall, or to provide different services depending on which IP port is being used. Below are two examples of port forwarding in action. The tool used to set up port forwarding is ipmasqadm.

ipmasqadm portfw -a -P tcp -L 1.2.3.4 80 -R 192.168.0.10 80

This command adds a new port-forwarding rule to the system. Ipmasqadm is started in portfw mode. The '-a' option tells the system that we are adding a new rule. '-P tcp' tells the system to look only at TCP packets. '-L 1.2.3.4 80' defines the local address and port to forward packets from; in this example it forwards packets that arrive for 1.2.3.4 port 80 (web traffic). '-R 192.168.0.10 80' is the remote machine and port, where all packets for 1.2.3.4 port 80 will be sent.

ipmasqadm portfw -a -P tcp -L 1.2.3.4 21 -R 192.168.0.10 2000

This command is almost exactly the same as the first example; here we are port-forwarding port 21 (ftp) from 1.2.3.4 to 192.168.0.10. The item of interest in this example is that we are changing the destination port. This will work correctly as long as the ftp server on 192.168.0.10 is set to listen on port 2000.
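The masquerading and port-forwarding commands from this section, combined into an added example script (not from the page or ImageStream) that limits MASQ to LAN packets leaving the outside interface and opens only the forwarded web port. The interface name, the LAN range and the PREVIEW switch are assumptions; 1.2.3.4 and 192.168.0.10 are the page's addresses. Because the page's flow diagram sends demasqueraded traffic from the input chain straight to the output chain, the script filters port-forwarded traffic in the input chain by its original destination.

```shell
#!/bin/sh
# Added example, not from the ImageStream page: the page's masquerading and port
# forwarding commands as a re-runnable script. Interface name, LAN range and the
# PREVIEW switch are assumptions; 1.2.3.4 and 192.168.0.10 come from the page.
# Per the page's flow diagram, demasqueraded (and port-forwarded) packets skip the
# forward chain, so inbound filtering for them is done in the input chain, keyed
# on the packet's original destination address and port.
PREVIEW="${PREVIEW:-}"   # PREVIEW=1 prints the commands instead of applying them
EXT_IF="eth1"; EXT_IP="1.2.3.4"; LAN="192.168.0.0/24"; WEB="192.168.0.10"

fw()   { if [ -n "$PREVIEW" ]; then printf 'ipchains %s\n' "$*"; else ipchains "$@"; fi; }
masq() { if [ -n "$PREVIEW" ]; then printf 'ipmasqadm %s\n' "$*"; else ipmasqadm "$@"; fi; }

setup_nat() {
    # Kernel forwarding switch (not an ipchains setting); skipped in preview mode.
    [ -n "$PREVIEW" ] || echo 1 > /proc/sys/net/ipv4/ip_forward

    # Outside interface (-i = arrival interface in the input chain): refuse packets
    # claiming a LAN source, admit new TCP connections only to the port forwarded
    # below, and log-and-deny every other new TCP connection (-y = SYN only).
    # Note: the last rule also blocks new TCP sessions to the router itself from
    # outside; add ACCEPT rules above it for any management port you rely on.
    fw -A input -i "$EXT_IF" -s "$LAN" -l -j DENY
    fw -A input -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 -j ACCEPT
    fw -A input -i "$EXT_IF" -p tcp -y -l -j DENY

    # Masquerade LAN traffic, but only when it is leaving via the outside interface
    # (in the forward chain -i names the OUTGOING interface).
    fw -A forward -i "$EXT_IF" -s "$LAN" -j MASQ

    # Port forwarding: flush any previous table, then 1.2.3.4:80 -> 192.168.0.10:80.
    masq portfw -f
    masq portfw -a -P tcp -L "$EXT_IP" 80 -R "$WEB" 80
}

case "${1:-}" in
    apply)   setup_nat ;;
    preview) PREVIEW=1; setup_nat ;;
esac
```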
