Quick Start Guide
Ipchains is a powerful packet-filtering tool available
on ImageStream routers with Enterprise Linux version 2.0 to 3.0. This document
provides examples of how to use ipchains to add basic firewalling, port forwarding
and network address translation (NAT) capabilities to your ImageStream router.
More in-depth information is available in the ipchains HOWTO linked from the Other On-line Resources
page on this site.

Ipchains Basics

Ipchains is a utility used to set up, maintain, and inspect the packet-filtering rules in
Enterprise Linux. Ipchains organizes its rules into chains. A chain is an ordered list of rules;
each rule describes what a packet must look like to match and what to do with a matching packet
(the rule's target). Even with no user-defined ipchains statements on your router,
each packet passing through the router will flow through at least one of the three
predefined chains in the operating system, input, forward and output:
       ------------------------------------------------------------
       |         ACCEPT/                             lo interface |
       v        REDIRECT                _______                   |
--> C --> ______ --> D --> ~~~~~~~~ -->|forward|----> _______ -->
    h    |input |    e    {Routing }   |Chain  |     |output | ACCEPT
    e    |Chain |    m    {Decision}   |_______| --->|Chain  |
    c    |______|    a     ~~~~~~~~        |     | ->|_______|
    k       |        s        |            |     | |     |
    s       |        q        |            v     | |     |
    u       v        u        v          DENY/   | |     v
    m     DENY/      e   Local Process   REJECT   | |   DENY/
    |    REJECT      r        |                  | |  REJECT
    |                a        -------------------| |
    v                d                            |
   DENY              e -----------------------------
When a packet enters the router, ipchains first verifies the packet checksum; a packet with a
bad checksum is denied. The packet then enters the input chain. If it survives the input chain,
ipchains checks whether it is a reply to a masqueraded packet (masquerading is the ipchains form
of NAT); if it is, ipchains demasquerades it and sends it straight to the output chain, bypassing
the forward chain. Otherwise the system makes a "Routing Decision": the router decides whether the
packet is destined for a local address on the router or needs to be forwarded. If the packet is
destined for a local process on the router, ipchains delivers it. If the router needs to forward
the packet, it passes through the forward chain and then through the output chain. A packet
generated by a local process on the router passes through the output chain only. Each chain has a
default policy that applies to packets matching none of its rules; the policy of all three built-in
chains is ACCEPT, so a router with no rules forwards everything. The policy can be changed with
"ipchains -P chain DENY", but only after the rules that permit wanted traffic, including your own
management traffic, are in place, or you will lock yourself out of the router.

Ipchains Firewall Setup

This section will provide an example of a basic firewall setup using
Ipchains. We will start with defining a new "firewall" chain.
ipchains -N firewall
This creates a new chain named firewall. Next, we will
add some rules to this firewall chain.
ipchains -A firewall -i eth1 -s 192.168.0.0/16 \
-j DENY
This appends a new rule to the firewall chain.
The "-A" option (append) tells ipchains to add this rule to the end of the firewall chain.
The "-i" (interface) option restricts the rule to packets on the eth1 interface. Note that the
meaning of -i depends on the chain: in the input chain it is the interface the packet arrived on,
but in the forward and output chains it is the interface the packet is about to be sent out of
(ipchains has no separate -o option). The "-s" option ensures that only packets with a source
address in 192.168.0.0/16 (one of the RFC 1918 private ranges) will match this rule. The "-j"
option (jump) instructs ipchains what to do if the packet matches the rule; here the target is
DENY, which silently drops the packet (REJECT drops it and returns an ICMP error to the sender).
When taken as a whole, this command denies all packets on eth1 with a source IP address in
192.168.0.0/16. Other valid commands
and options are listed in the ipchains HOWTO linked from the Other On-line Resources
page on this site. Here are several common example chain commands:
ipchains -A firewall -s 128.211.243.16 -d 128.211.245.156 \
-j ACCEPT
This command
will accept all traffic from 128.211.243.16 to 128.211.245.156.
ipchains -A firewall -i eth1 -d 128.211.245.156 -p tcp --dport 21 \
-j DENY
This
command will deny all TCP traffic on eth1 to the FTP control port (port 21) where the destination
is 128.211.245.156. You can add any number of rules to a chain; they are checked in order, and the
first matching rule with a target such as ACCEPT or DENY decides the packet's fate. After
all of the processing rules have been added to the firewall chain, we need to
send forwarded packets (packets passing through the forward chain, as described
above) to our user-defined firewall chain.
ipchains -A forward -j firewall
This command appends a rule to the forward chain that sends every forwarded packet through the
firewall chain. A packet that matches no rule in the firewall chain returns to the forward chain
and continues with the next rule there. Only forwarded traffic is checked this way: packets
addressed to the router itself pass through the input chain only and are never seen by the
firewall chain. Below is a complete example of a simple firewall.
In this example the protected host, 128.211.245.156, is reached through eth1; because -i in the
forward chain names the interface the packet will leave by, "-i eth1" matches packets heading
into the protected network.
# begin example
# setup the firewall chain
ipchains -N firewall
# add rules to the chain (in the forward chain, -i eth1 matches packets going out eth1)
# deny private source addresses headed into the protected network (anti-spoofing)
ipchains -A firewall -i eth1 -s 192.168.0.0/16 -j DENY
# allow everything from 205.159.243.0/24 to the protected host
ipchains -A firewall -i eth1 -s 205.159.243.0/24 -d 128.211.245.156 \
-j ACCEPT
# allow FTP from 216.117.0.0/16, then deny FTP to the protected host from anyone else
ipchains -A firewall -i eth1 -s 216.117.0.0/16 -p tcp --dport 21 \
-j ACCEPT
ipchains -A firewall -i eth1 -d 128.211.245.156 -p tcp --dport 21 \
-j DENY
# insert the firewall chain into the forward chain (ipchains, not iptables)
ipchains -A forward -j firewall
# end example
Ipchains: IP Masquerading and Port Forwarding with Ipmasqadm

Ipchains IP Masquerading

IP Masquerading
is a form of NAT (Network Address Translation) that is available on ImageStream
routers running version 3.0 or earlier. Below is an example of IP masquerading
where all forwarded traffic from 192.168.0.0/24 gets masqueraded to
the outbound interface's IP address. In this example the outbound interface has
an IP address of 1.2.3.4. This allows all of the machines in
the 192.168.0.0/24 network to talk to the 1.2.3.0 network.
ipchains -A forward -s 192.168.0.0/24 -j MASQ
This rule masquerades all packets being
forwarded with a source address in 192.168.0.0/24. Machines on the 1.2.3.0 network
will see all masqueraded packets as coming from the 1.2.3.4 machine, and the router
demasquerades the replies and delivers them to the originating private host. This allows the
192.168.0.0/24 network to access the 1.2.3.0 network. Two points matter in practice. First,
restrict the rule to the outbound interface (for example "-i eth0" if eth0 faces the 1.2.3.0
network; -i in the forward chain names the interface the packet leaves by), so that traffic
between internal networks is not masqueraded. Second, MASQ is a terminating target: a packet that
hits it is masqueraded and leaves the forward chain, so a "-j firewall" rule appended after the
MASQ rule never sees outbound private traffic. Append the jump to the firewall chain first and
the MASQ rule after it.

Ipmasqadm and Port Forwarding

Port forwarding can be used to hide a server behind
a firewall or to allow different services to be provided depending on which IP port
is being used. Below are two examples of port forwarding in action. The tool
used to set up port forwarding is ipmasqadm.
ipmasqadm portfw -a -P tcp -L 1.2.3.4 80 -R 192.168.0.10 80
This command adds a new port forwarding
rule to the system. Ipmasqadm is started in portfw mode. The '-a' tells the system
that we are adding a new rule. The '-P tcp' tells the system to look only at
TCP packets. '-L 1.2.3.4 80' defines the local address and port to forward from:
in this example, packets arriving for 1.2.3.4 port 80 (web
traffic). '-R 192.168.0.10 80' is the remote machine and port, where all packets
for 1.2.3.4 port 80 will be sent. The internal server must route its replies back through this
router so they can be rewritten on the way out. Note that port-forwarded packets are rewritten
after the input chain and then go straight to the output chain (the demasquerade path in the
diagram above), so rules in the forward chain, including the firewall chain, never see them;
restrictions on who may reach a forwarded port belong in the input chain, where -i is the
interface the packet arrived on.
ipmasqadm portfw -a -P tcp -L 1.2.3.4 21 -R 192.168.0.10 2000
This command is almost exactly the same as
the first example; here we are port forwarding port 21 (FTP) on 1.2.3.4
to 192.168.0.10. The item of interest in this example is that we
are changing the destination port. This will work correctly as long as the FTP
server on 192.168.0.10 is set to listen on port 2000.