From mboxrd@z Thu Jan  1 00:00:00 1970
From: Daniel Bergqvist daniel@netatonce.se
Date: Wed, 25 Oct 2000 14:42:17 +0000
Subject: SV: [LARTC] Packet rewriting
Message-Id: <marc-lartc-98373938216842@msgid-missing>
List-Id: <lartc.vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: lartc@vger.kernel.org

<PRE>I'm not sure of what you want but here is an example:
(Assuming local net is 10.0.0.160/27)

# Accept icmp (for example ping)
ipchains -A output -p icmp -j ACCEPT

# Deny TCP sessions to local network (that is noone outside
# the firewall may access web, ftp,... at your local net)
# (Note the -y option)
ipchains -A output -p tcp -d 10.0.0.160/27 -y -j DENY

# Accept any TCP packets to local network
ipchains -A output -p tcp -d 10.0.0.160/27 -j ACCEPT

# Maybe you want some UDP ports open
# Accept port 4000/UDP to local network
ipchains -A output -p udp -d 10.0.0.160/27 4000 -j ACCEPT

# Deny anything else to local network
ipchains -A output -d 10.0.0.160/27 -j DENY

Regards,
Daniel

&gt;<i> -----Ursprungligt meddelande-----
</I>&gt;<i> Fr=E5n: <A HREF=3D"mailto:lartc-admin@mailman.ds9a.nl">lartc-ad=
min@mailman.ds9a.nl</A>
</I>&gt;<i> [mailto:<A HREF=3D"mailto:lartc-admin@mailman.ds9a.nl">lartc-ad=
min@mailman.ds9a.nl</A>]F=F6r Fredrik Rambris
</I>&gt;<i> Skickat: Wednesday, October 25, 2000 3:31 PM
</I>&gt;<i> Till: Linux Advanced Routing and Trafic Control
</I>&gt;<i> =C4mne: [LARTC] Packet rewriting
</I>&gt;<i>
</I>&gt;<i>
</I>&gt;<i> Hello
</I>&gt;<i>
</I>&gt;<i> Now here's a problem I've never thought of before.
</I>&gt;<i>
</I>&gt;<i> We have been given a net from UUNET. The first IP-address (.161=
) is used
</I>&gt;<i> by their router (which we have no access to fiddle with). I have
</I>&gt;<i> installed a firewall at .162 which will serve both as firewall =
and
</I>&gt;<i> trafic controller. My question is how to I make the public IP-a=
ddresses
</I>&gt;<i> accessible from the outside and still be located behind the fir=
ewall?
</I>&gt;<i> Like this
</I>&gt;<i>
</I>&gt;<i> [Internet]--[UU-Router.161]--[Firewall.162]
</I>&gt;<i> I want to be able to put a machine behind the firewall on a pub=
lic
</I>&gt;<i> IP-adress (.163) but still protected by the firewall. I was tol=
d that
</I>&gt;<i> this could be done in other firewalls by aliasing the NIC on th=
e outside
</I>&gt;<i> to all public ip-addresses and then have the firewall forward t=
hese
</I>&gt;<i> packets to a computer on the inside. Like portforwarding but a =
whole
</I>&gt;<i> machine (all ports) on all protocols (under IP ofcause) (not bl=
ocked by
</I>&gt;<i> the firewall).
</I>&gt;<i>
</I>&gt;<i> Is this possible with ipchains and some fancy packetrewriting?
</I>&gt;<i>
</I>&gt;<i> Anyone have any tips?
</I>&gt;<i> --
</I>&gt;<i> Admera Solution Provider AB
</I>&gt;<i> Tel: 0733-850 814
</I>&gt;<i> Position: 55=B036=B413N  13=B003=B436E
</I>


</PRE>