
List:       ipchains-list
Subject:    Re: IP Forwarding between 2 subnets?
From:       raf <raf () raf ! org>
Date:       2001-10-15 5:46:06

Arthur DiSegna wrote:

> I want to forward any traffic destined for another subnet and had a question
> about the accept policy..
> 
> Here is part of my config:
> 
> #------> Variables
> lan1_ipaddr=172.16.15.254
> lan2_ipaddr=172.16.31.254
> 
> lan1_interface=eth0
> lan2_interface=eth1
> 
> lan1=172.16.0.0/20
> lan2=172.16.16.0/20
> 
> #--------> Basic ipchains rules
> 
> ipchains -P input DENY
> ipchains -P output DENY
> ipchains -P forward DENY
> 
> #-------> PACKET FORWARDING BETWEEN SUBNETS
> 
> # Forward packets from lan1 to lan2 and lan2 to lan1
> 
> ipchains -A forward -b -s $lan1 -d $lan2 -j ACCEPT
> ipchains -A forward -b -s $lan2 -d $lan1 -j ACCEPT
> 
> 
> 
> My question:::::  
> 
> 	Do I have to first ACCEPT traffic between the 2 interfaces then add
> these rules for forwarding, or is forwarding like saying ACCEPT?
> 
> example 
> 
> ipchains -A input -i $lan1_interface -s $lan1 -d $lan2 -j ACCEPT
> ipchains -A output -i $lan2_interface -s $lan1 -d $lan2 -j ACCEPT
> ipchains -A input -i $lan2_interface -s $lan2 -d $lan1 -j ACCEPT
> ipchains -A output -i $lan1_interface -s $lan2 -d $lan1 -j ACCEPT

yes, you have to do this as well.

saying accept on the forward chain only has an effect if the
packet was accepted on the input chain and will be accepted
on the output chain.

> Also, broadcasts aren't usually forwarded, but with these rules in place
> will they???

no. if a packet will not be forwarded, it'll never be checked on the
forward chain. ipchains does not change routing or the behaviour
of the networking code. it only stops certain packets from getting
through. it doesn't change what happens to packets that are allowed
through.

> 
> Thanks in advance
> SISCO (Security Identification Systems Corporation) develops and installs
> software and hardware access control solutions for commercial and government
> facilities.  Our high-speed photo identification and tracking systems
> address security concerns and help reduce liability for corporations
> worldwide.

raf
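
An added example, not part of the original thread: a simplified Python model of the input, forward and output chain traversal described in the reply, run against the subnets and rules from the question. The `route()` step, the dict rule format and the sample host addresses are assumptions constructed for illustration; "NOT-FORWARDED" stands for a packet the routing code handles locally instead of forwarding.

```python
import ipaddress as ip

L1, L2 = "172.16.0.0/20", "172.16.16.0/20"        # lan1, lan2 from the post
LAN = {"eth0": ip.ip_network(L1), "eth1": ip.ip_network(L2)}

def route(pkt):
    """Assumed routing step: outgoing interface, or None if not forwarded
    (broadcast addresses and anything not for the other subnet)."""
    dst = ip.ip_address(pkt["dst"])
    for ifname, net in LAN.items():
        if dst in net and ifname != pkt["in_if"]:
            return None if dst == net.broadcast_address else ifname
    return None

def verdict(rules, chain, pkt, ifname, policy="DENY"):
    """First matching rule wins; otherwise the chain policy applies."""
    for r in rules.get(chain, []):
        if (r.get("i") in (None, ifname)
                and ip.ip_address(pkt["src"]) in ip.ip_network(r["s"])
                and ip.ip_address(pkt["dst"]) in ip.ip_network(r["d"])):
            return r["j"]
    return policy

def traverse(rules, pkt):
    """Return (result, chains consulted) for a packet arriving on pkt['in_if']."""
    seen = ["input"]
    if verdict(rules, "input", pkt, pkt["in_if"]) != "ACCEPT":
        return "DENY", seen
    out_if = route(pkt)
    if out_if is None:                     # forward chain is never consulted
        return "NOT-FORWARDED", seen
    for chain in ("forward", "output"):    # -i means the outgoing interface here
        seen.append(chain)
        if verdict(rules, chain, pkt, out_if) != "ACCEPT":
            return "DENY", seen
    return "ACCEPT", seen

def accept(s, d, i=None):
    return {"i": i, "s": s, "d": d, "j": "ACCEPT"}

# The forward rules from the post; -b on one rule already covers both directions.
FORWARD_ONLY = {"forward": [accept(L1, L2), accept(L2, L1)]}
# The same plus the four input/output rules from the question.
FULL = dict(FORWARD_ONLY,
            input=[accept(L1, L2, "eth0"), accept(L2, L1, "eth1")],
            output=[accept(L1, L2, "eth1"), accept(L2, L1, "eth0")])

UNICAST = {"in_if": "eth0", "src": "172.16.1.10", "dst": "172.16.20.5"}      # constructed
BROADCAST = {"in_if": "eth0", "src": "172.16.1.10", "dst": "172.16.31.255"}  # constructed
print(traverse(FORWARD_ONLY, UNICAST), traverse(FULL, UNICAST), traverse(FULL, BROADCAST))
```

With all three policies set to DENY, the forward-only ruleset stops the unicast packet at the input chain, while the full ruleset passes it through all three chains.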
