Here's a good start:
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/pdf/
There are a bunch of HOW-TO guides in handy PDF format, including the
IPChains and IPForward HOW-TOs. http://www.linuxdoc.org is a great site
for Linux information.
You need to use the forward chain, and specify the NIC. Unfortunately you
only know the packets _leaving_ the chain, not entering, so the format is a
tad backward. You can specify the source, the NIC out through which the
packet should be routed, and then -jump it to a user-specified chain for
processing ACCEPT/DENY/etc.
In my case I have two systems named "millipede" and "sneaker". I'll route
traffic from the 10.10.30 net to the 172.16.0 and 192.168.0 nets (sneaker
and centipede, respectively). I've got three NICs on the packet filtering
system ("maginot"), eth0 (10.10.30.10), eth1 (192.168.0.1), and eth2
(172.16.0.1).
My forward chains then look like this:
/sbin/ipchains -A forward -s 10.10.30.0/24 -i eth1 -j mllpde
/sbin/ipchains -A forward -s 10.10.30.0/24 -i eth2 -j snkr
/sbin/ipchains -A forward -s 192.168.0.25 -i eth1 -j mllpde
/sbin/ipchains -A forward -s 172.16.0.25 -i eth2 -j snkr
/sbin/ipchains -A forward -s 192.168.0.25 -i eth0 -j snkr
/sbin/ipchains -A forward -s 172.16.0.25 -i eth0 -j mllpde
/sbin/ipchains -A forward -j DENY -l # <- Log denied packets for inspection
The first two allow traffic from outside to get to the inside machines
(going out through eth1 or eth2, depending on the destination of the
packet). The second pair allow traffic from inside to traverse so boxes on
either side can talk to each other (you may not want this). The third pair
allow traffic from inside to go outside (out through eth0). Of course, the
last line denies and logs anything not captured by the preceding rules so
that you can inspect it (generally a good idea).
You then jump to the user-specified chains "mllpde" and "snkr" (there's a
character limit on the names of user-specified chains). Inside each of
these chains you can specify rules just as if they were on each host
directly connected to the outside. You can either do a RETURN jump at the
end of each to return to the forward chain after falling off the end of the
user-specified chain, or you can just DENY and log the packet (your choice
- I like to deny and log).
I've also got rules on defender which allow specific traffic to it, with a
big DENY at the end. The default input and output policies will have to be
ACCEPT or the whole deal is off.
Hopefully this helps. I've just recently been where you are now.
At 09:00 AM 11/7/2000 +0000, you wrote:
>Date: Tue, 7 Nov 2000 10:35:34 +1300
>From: Simon Buchanan <[EMAIL PROTECTED]>
>Subject: ipchains situation help...
>
>Would someone with a bit more know-how than me :) with ipchains
>please give me a bit of a hand...
>
>My Setup:
>
>We have two internet connections: 1 ADSL and 1 DDS. The ADSL is for
>our surfing type traffic and the DDS is for the servers.
>
>Our internal network is set up to use the ADSL as the gateway
>(192.168.1.254) and we have a linux box on this network with two
>network cards 192.168.1.1 and 202.27.100.101, this box uses
>202.27.100.100 as its router - therefore using the DDS as its
>connection.
>
>I have set up a new box 192.168.1.2 and changed all workstations on
>the internal network to use this as a router - this acts as a
>firewall/proxy for the internal network to the ADSL, and I have this
>command in to make 192.168.1.2 route the traffic:
>
>ipchains -A forward -s 192.168.1.0/24 -j MASQ
>
>I also have the same command in 192.168.1.1 so I can choose this as a
>router and use the DDS internet link.
>
>WHAT I WANT TO DO IS:
>
>have the 192.168.1.2 box route all traffic thru the ADSL, _except_
>traffic to 202.27.100.100-115 (our dds IP range), which gets routed
>thru to 192.168.1.1.
>
>Is this possible? and if so HOW :)
--
Eric N. Valor
[EMAIL PROTECTED]
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]
- This Space Intentionally Left Blank -
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
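To see what Eric's forward chain does to a given packet before loading it, here is an added simulator (not code from the mail) that applies ipchains' first-match, jump and RETURN semantics to a rule table transcribed from his message. The contents of the "mllpde" and "snkr" user chains are made-up placeholders, since the mail does not show them, and the two rules that lacked -j are read as jumps.

```python
import ipaddress

# Forward chain transcribed from the mail: (source net or None, out
# interface or None, target). Last rule is the catch-all "DENY -l".
FORWARD = [
    ("10.10.30.0/24", "eth1", "mllpde"),
    ("10.10.30.0/24", "eth2", "snkr"),
    ("192.168.0.25/32", "eth1", "mllpde"),
    ("172.16.0.25/32", "eth2", "snkr"),
    ("192.168.0.25/32", "eth0", "snkr"),
    ("172.16.0.25/32", "eth0", "mllpde"),
    (None, None, "DENY-LOG"),
]
# Hypothetical user chains (constructed; the mail shows none): one ends
# in a DENY, the other hands the packet back with RETURN.
CHAINS = {
    "forward": FORWARD,
    "mllpde": [("10.10.30.0/24", None, "ACCEPT"), (None, None, "DENY")],
    "snkr": [("10.10.30.0/24", None, "ACCEPT"), (None, None, "RETURN")],
}
TERMINAL = {"ACCEPT", "DENY", "REJECT", "MASQ", "DENY-LOG"}


def matches(rule, src, out_if):
    """A rule matches when both its source (-s) and interface (-i) do."""
    net, iface, _ = rule
    if net is not None and ipaddress.ip_address(src) not in ipaddress.ip_network(net):
        return False
    return iface is None or iface == out_if


def walk(src, out_if, chain="forward", depth=0):
    """First matching rule wins. A jump into a user chain that hits RETURN
    or falls off its end resumes the calling chain at the next rule."""
    if depth > 8:
        raise RuntimeError("chain loop")
    for rule in CHAINS[chain]:
        if not matches(rule, src, out_if):
            continue
        target = rule[2]
        if target == "RETURN":
            return None
        if target in TERMINAL:
            return target
        sub = walk(src, out_if, target, depth + 1)
        if sub is not None:
            return sub
    return None  # fell off the end of this chain


def decide(src, out_if):
    """Final verdict for a packet leaving through out_if (POLICY = chain policy)."""
    return walk(src, out_if) or "POLICY"
```

Note how a packet from 172.16.0.25 leaving via eth2 is RETURNed by "snkr" and then continues down the forward chain until the logging DENY catches it.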