At 01:20 PM 7/6/02 -0700, Michael McClure wrote:
>I have a cable modem that has an internal 192.168.100.1.  It is hooked to 
>the ISP and gets a public address which it passes to my LRP eth0.  I have 
>dhcpd running on eth1 to my internal Eigerstein 192.168.1.x.  It's a 
>surfboard 4100 modem w/an internal status page.
>
>Now, I want to be able to look at the surfboard modem's status page 
>192.168.100.1 from my eth1 internal 192.168.1.x, but I don't want to open 
>my router to the world for 192.168.x.x.  I want to put in a rule that will 
>take an HTTP source of 192.168.1.x on eth1 and pass that through eth0 to 
>192.168.100.1.  This should work because when I hook a laptop directly to 
>the modem, I can http://192.168.100.1 and see the page.  Of course, I 
>don't want eth0 to take in 192.168.x.x from the outside or break any 
>other router RFCs.
>
>I've mucked about with it and am getting frustrated.  I'm pretty sure I 
>need to masq between the two interfaces, but I can't get it right without 
>being wide open on 192.168.100 on all ports, all protocols.
>
>Can any of you ipchains experts help?


It would be easier if you had mentioned whether you are using EigerStein's 
built-in firewalling or one of the drop-in firewall packages (EchoWall, 
ShoreWall, and so forth).

Probably all you need to do is add these rules to whatever mechanism your 
firewall uses for setup:

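         # LAN requests (eth1) to the modem's status page; ipchains built-in chain names are lowercase
         ipchains -I input 1 -d 192.168.100.1/32 80  -p tcp  -i eth1 -j ACCEPT
         # Replies from the modem's TCP port 80 arriving on the external interface (eth0)
         ipchains -I input 1 -s 192.168.100.1/32 80  -p tcp  -i eth0 -j ACCEPT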

Some firewall rulesets will require similar additions to OUTPUT, and 
conceivably FORWARD or a custom chain, but this pair will work with many 
firewalls that block private addresses on the external interface. I think 
these additions are enough for EigerStein, but I'm not certain of it.



--
"Never tell me the odds!" -- Han Solo
Ray Olszewski
Palo Alto, California, USA                              [EMAIL PROTECTED]
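
The effect of the two inserted rules, modelled as a first-match filter so the narrowness of the exception can be checked (an added example, not part of the original message). The baseline ruleset, the LAN host 192.168.1.10 and the external address 203.0.113.5 are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

ANY = "0.0.0.0/0"

class Rule(NamedTuple):
    iface: str
    proto: Optional[str]   # None = any protocol
    src: str               # CIDR
    sport: Optional[int]   # None = any port
    dst: str               # CIDR
    dport: Optional[int]
    target: str

class Packet(NamedTuple):
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def matches(r: Rule, p: Packet) -> bool:
    ip, net = ipaddress.ip_address, ipaddress.ip_network
    return (r.iface == p.iface and r.proto in (None, p.proto)
            and ip(p.src) in net(r.src) and ip(p.dst) in net(r.dst)
            and r.sport in (None, p.sport) and r.dport in (None, p.dport))

def verdict(chain, p: Packet, policy: str = "DENY") -> str:
    """First matching rule decides, as in an ipchains chain; else the policy."""
    for r in chain:
        if matches(r, p):
            return r.target
    return policy

def baseline():
    # Constructed stand-in for a ruleset that blocks private addresses.
    return [
        Rule("eth0", None, "192.168.0.0/16", None, ANY, None, "DENY"),
        Rule("eth1", None, ANY, None, "192.168.100.0/24", None, "DENY"),
        Rule("eth1", None, "192.168.1.0/24", None, ANY, None, "ACCEPT"),
    ]

def with_modem_rules():
    chain = baseline()
    # The two rules from the message; each is inserted at position 1.
    chain.insert(0, Rule("eth1", "tcp", ANY, None, "192.168.100.1/32", 80, "ACCEPT"))
    chain.insert(0, Rule("eth0", "tcp", "192.168.100.1/32", 80, ANY, None, "ACCEPT"))
    return chain

REQUEST = Packet("eth1", "tcp", "192.168.1.10", 40000, "192.168.100.1", 80)
REPLY = Packet("eth0", "tcp", "192.168.100.1", 80, "203.0.113.5", 61000)  # constructed
```

Because ipchains keeps no connection state, the eth0 rule accepts any TCP packet whose source is 192.168.100.1 port 80; adding `! -y` to that rule would limit the match to non-SYN packets.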


