An Alternative Packet Filter: IPChains

Previous page
Table of content
Next page


Although examples in this chapter are given as Cisco access lists, other software programs and devices use similar technology. Following is an example of IPChains, one such program. IPChains is a packet-filtering system that comes bundled with many versions of Linux. Though IPChains is not as popular as it once was, being superseded by IPTables, you may still run into it or choose to deploy it as an effective packet filtering mechanism for your server or network.

If you wanted to block HTTP traffic from anywhere to your host 200.200.200.2 and log the matches, you would use the Cisco ACL:

 access-list 111 deny tcp any host 200.200.200.2 eq 80 log

With IPChains, you would use

 ipchains A input i eth1 p tcp s 0.0.0.0/0 d 200.200.200.2/32 80 -l j DENY

where A input means to place this rule on the end of the existing input chain.

i eth1 tells IPChains to apply this rule to the interface etH1, -p tells the protocol to watch for TCP, the -s parameter sets the source address, and 0.0.0.0/0 indicates to watch for any source address.

The /0 is the wildcard, and it means to match the specified bits exactly. Because the wildcard is 0 in this case, it means "don't match anything exactly or allow anything." This is equivalent to the Cisco any keyword.

The -d parameter is the destination address. In this example, it is equal to the host address 200.200.200.2 because the /32 wildcard mask is used. It tells IPChains to match the first 32 bits (or everything) exactly. This is equivalent to using the 0.0.0.0 wildcard or the host keyword in Cisco ACLs.

The destination address in this case is followed by the port number of the blocked protocol (80, for HTTP traffic). If the source port were filtered as well, it would have followed the source address.

Finally, the -l parameter means "log this information," and j DENY stipulates that any matching packets should be dropped and not to send any information of this back to the sender. It is the counterpart to the Cisco deny keyword.

As you can see, although similar in function, static packet filters come in different forms. Despite the differences in appearance and syntax, after you have a grasp of packet-filtering concepts, your knowledge can be applied to any of these filtration systems.


    Previous page
    Table of content
    Next page
    Inside Network Perimeter Security
    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    EAN: 2147483647
    Year: 2005
    Pages: 230
    Authors: Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Kent, Ronald W. Ritchey
    BUY ON AMAZON
    VBScript Programmers Reference
    Cisco IOS in a Nutshell (In a Nutshell (OReilly))
    C++ How to Program (5th Edition)
    Java How to Program (6th Edition) (How to Program (Deitel))
    Quartz Job Scheduling Framework: Building Open Source Enterprise Applications
    Understanding Digital Signal Processing (2nd Edition)
    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net
    Privacy policy