[plug] IP Chains

John Summerfield summer at os2.ami.com.au
Fri Dec 24 03:18:04 WST 1999


> Michael Hunt wrote:
> > 
> > > Michael Hunt wrote:
> > > >
> > > <snip>
> > > > Mike's Quick and dirty guide to IP masquerading
> > > >
> > > > 1. Turn on IP forwarding. You can do this through most distro's control
> > > > panel app (at least under RedHat) or by echo an 1 to the
> > > relevant proc file
> > > > (the name surpasses me at the moment).
> > >
> > > <snip>
> > >
> > > What is IP forwarding?
> > 
> > IP forwarding basically means routing. Look at it this way
> > 
> > My Machine 192.168.1.11 (workstation) sends a packet to the internet.
> > According to the routing tables on my machine this goes to the default
> > gateway (192.168.1.254 eth0:0). My linux box has ip masq, ip forwarding and
> > ip chains installed so what happens next is this:
> > 
> > Routing table is looked up on Linux box and it sees that the default gateway
> > is my ppp adapter. Because my box has the above on it forwards the packet on
> > to the internet (masking it as a routable IP address using the IP off my ppp
> > adapter). It also filters any outgoing and incoming packets to see if they
> > match my ip chain rules.
> > 
> > Michael Hunt
> 
> My understanding (which may be totally wrong), is that ipchains involves IP
> masquerading, and takes care of the firewalling security stuff.

If you read the ipchains documentation, you will understand differently.

> 
> I do not understand why a firewall on a machine that connects to an ISP using
> dialup, needs a routing application such as ip forwarding.

ip forwarding and firewall are not the same.

Despite what is written above, forwarding is not routing, though 
forwarding does involve routing. In forwarding, a machine provides 
connectivity between two others. In routing, it chooses which interface to 
send a packet out. For example, I have emu with two ethernet interfaces. 
It stands between possum (my workstation) and varying others (bilby 
always, often kangaroo as well). When it gets a packet from possum, it has 
to decide whether
a)	Forwarding is enabled
   and
b)	it's for itself, or has to be forwarded via eth0, eth1 or ppp0. 

Item b) is a routing decision and applies equally to packets created on 
emu.



If you have a computer sitting between two others, the two others cannot 
communicate unless you have ip forwarding.

If the machine in the middle is selective about what it forwards, then 
it's functioning as a firewall. From a technical viewpoint, it need not be 
selective (and until recently IAPs were not) about what they forward.


It can also be selective about what it itself listens to - it can block 
incoming telnet connections to itself regardless of whether it's providing 
connectivity between two others. In this case it's functioning as a 
firewall wrt itself.


-- 
Cheers
John Summerfield
http://os2.ami.com.au/os2/ for OS/2 support.
Configuration, networking, combined IBM ftpsites index.
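The three things the reply keeps apart (forwarding switched on, what the box passes between two others, and what it accepts for itself) map onto three distinct pieces of a 2.2-kernel setup: the /proc toggle, the ipchains forward chain, and the ipchains input chain. The script below is an added example, not code from the list post; it assumes a LAN of 192.168.1.0/24 on eth0 and the dial-up link on ppp0 (constructed addresses; adjust to your network). With DRY_RUN=1, the default, it prints the commands instead of running them, so it can be read and checked on any machine; DRY_RUN=0 as root applies them. ipchains belongs to the 2.2 kernel; on later kernels the same three steps are done with the same /proc file plus iptables or nftables.

```shell
#!/bin/sh
# Added example (not from the post). Assumed layout: LAN 192.168.1.0/24 on
# eth0, dial-up on ppp0. DRY_RUN=1 prints, DRY_RUN=0 applies (needs root).
LAN_NET=192.168.1.0/24
EXT_IF=ppp0

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# 1. Forwarding. Without this the kernel drops any packet that is neither
#    for itself nor generated by itself, whatever the chains say.
enable_forwarding() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# 2. Forward chain: being selective about what is passed between the LAN
#    and the Internet. Policy DENY first, then permit only the LAN to go out
#    via ppp0 with its source rewritten to the ppp0 address (MASQ). In the
#    forward chain -i names the interface the packet will leave by.
forward_rules() {
    run ipchains -F forward
    run ipchains -P forward DENY
    run ipchains -A forward -s "$LAN_NET" -i "$EXT_IF" -j MASQ
}

# 3. Input chain: being selective about what the box accepts for itself
#    ("firewall wrt itself"). Drop and log packets arriving on ppp0 that
#    claim a LAN source, then refuse new TCP connections (SYN, -y) to the
#    telnet port 23 from the link, logging them.
input_rules() {
    run ipchains -F input
    run ipchains -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l
    run ipchains -A input -i "$EXT_IF" -p tcp -y -d 0/0 23 -j DENY -l
}

all_rules() {
    enable_forwarding
    forward_rules
    input_rules
}

all_rules
```

Run it once with the default DRY_RUN=1 and read the seven lines it prints; note that the forward policy is set to DENY before the MASQ rule is appended, so the box never passes traffic it has not been told to while the rules are loading.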
