[lug] Help with ipchains
Phil Rasch
pjr at ucar.edu
Sun Nov 26 20:52:50 MST 2000
I now have a 24x7 fast connection at home sitting behind a single
static IP. I have inserted a Linux firewall sitting between the modem
and a hub, with some other linux and windows machines on the home LAN.
I set up the firewall (running redhat 6.2) using the basic script from the URL
"Red Hat Linux 6.X as an Internet Gateway for a Home Network"
http://www.coastnet.com/~pramsey/linux/homenet.html
It is working fine as a basic firewall. Now I want to expand its
capabilities and I am hitting a wall. Here is what I want.
There are a couple of trusted machines that I need to be able to
open an X-client window to the linux machines behind the firewall at
home. Right now the firewall is too restrictive. It rejects virtually
all incoming packets. I want it to redirect TCP and UDP packets from a
particular machine at work (1.2.3.4), to a particular machine at home
(192.168.1.2). I have tried to create the correct chain and haven't
figured it out. I hope one of you can advise me.
The ipchains ruleset is so small that I think there is a chance you
can understand it in a jiffy. Here is the default ruleset.
#1) flush the rule tables
/sbin/ipchains -F input
/sbin/ipchains -F forward
/sbin/ipchains -F output
#2) set the MASQ timings and allow packets in for DHCP configuration
/sbin/ipchains -M -S 7200 10 60
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 68 -d 0/0 67 -p udp
#3) deny all forwarding packets except those from local net. Masq those
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
#4) load forwarding modules for special services.
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_portfw
/sbin/modprobe ip_masq_raudio
Here is my last attempt (embedded at the appropriate points above)
/sbin/ipchains -N work-in
/sbin/ipchains -F work-in
/sbin/ipchains -A work-in -p UDP -l -j REDIRECT -d 192.168.1.2
/sbin/ipchains -A work-in -p TCP -l -j REDIRECT -d 192.168.1.2
# catch stuff from 1.2.3.4 and send to work-in chain
/sbin/ipchains -A input -j work-in -i eth0 -l -s 1.2.3.4
I have also used ACCEPT rather than REDIRECT, and tried to use the
portforwarding capabilities of /usr/sbin/ipmasqadm portfw
But I haven't got it figured out.
Any kind souls with a suggestion?
Thanks
Phil
--
Phil Rasch, Climate Modeling Section, National Center for Atmospheric Research
Mail --> P.O. Box 3000, Boulder CO 80307
Shipping --> 1850 Table Mesa Dr, Boulder, CO 80305
email: pjr at ucar.edu, Web: http://www.cgd.ucar.edu/cms/pjr Phone:303-497-1368, FAX: 303-497-1324
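One way to do what the post asks, as an added example that is not part of Phil's message or of the coastnet gateway script. Two points the attempt above runs into: ipchains' REDIRECT target hands a packet to a local port on the firewall itself (it is meant for transparent proxies) and cannot deliver it to 192.168.1.2; and ipmasqadm portfw, which does forward to an inside host, matches only on destination port, so the "only from 1.2.3.4" restriction has to be enforced in the input chain, which sees the packet while it is still addressed to the firewall's own public address. The script assumes a 2.2 kernel with ipchains and ipmasqadm, the external interface eth0 as in the original ruleset, and a firewall public address passed as the fourth argument (203.0.113.5 in the usage line is a documentation placeholder). It also assumes that the de-masqueraded packet then traverses the forward chain, whose policy is DENY in the original script, so a matching ACCEPT is added there too. DRY_RUN=1 prints the commands instead of running them, which is handy for reviewing the rules before touching a live gateway.

```shell
#!/bin/sh
# Added example, not part of Phil's post or the coastnet gateway script.
# Assumptions: 2.2 kernel with ipchains + ipmasqadm portfw, external
# interface eth0, firewall's public address supplied as the 4th argument
# (203.0.113.5 in the usage line is a documentation placeholder).
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# allow_trusted_port TRUSTED_SRC INTERNAL_HOST PORT FIREWALL_EXT_IP
# Forwards TCP PORT on the firewall's public address to INTERNAL_HOST,
# but only for connections coming from TRUSTED_SRC.
allow_trusted_port() {
    trusted=$1; internal=$2; port=$3; ext=$4

    # 1) NAT mapping: ext:port -> internal:port. portfw itself does not
    #    filter by source, so the restriction has to live in the chains.
    run /usr/sbin/ipmasqadm portfw -a -P tcp -L "$ext" "$port" -R "$internal" "$port"

    # 2) The input chain sees the packet before de-masquerading, i.e. still
    #    addressed to ext:port. Accept it only from the trusted host.
    run /sbin/ipchains -A input -i eth0 -p tcp -s "$trusted" -d "$ext" "$port" -j ACCEPT

    # 3) Assumption: after de-masquerading the packet traverses the forward
    #    chain with the internal destination, and that chain's policy is DENY.
    run /sbin/ipchains -A forward -p tcp -s "$trusted" -d "$internal" "$port" -j ACCEPT

    # 4) Log (-l) and drop anything else that arrives at the forwarded port,
    #    so probes from other sources show up in the kernel log.
    run /sbin/ipchains -A input -i eth0 -p tcp -d "$ext" "$port" -l -j DENY
}

# Print what is installed, to check the result after running the script.
show_rules() {
    run /sbin/ipchains -L input -n -v
    run /sbin/ipchains -L forward -n -v
    run /usr/sbin/ipmasqadm portfw -l
}

# Usage: sh trusted-portfw.sh 1.2.3.4 192.168.1.2 22 203.0.113.5
# (run after the flush section of the gateway script, since -F input
# would otherwise wipe the rules again)
if [ "$#" -eq 4 ]; then
    allow_trusted_port "$@"
    show_rules
fi
```

Port 22 is used in the usage line on purpose: forwarding ssh to the inside machine and letting ssh carry the X11 session keeps the X traffic authenticated and encrypted, instead of exposing the X server's own port directly on the public address. The same function works for any single TCP port; UDP would need a second portfw entry with -P udp and matching -p udp rules.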