- TCP/IP Primer: How Packet Filtering Works
- TCP and UDP Ports
- TCP's Three-way Handshake
- The Cisco Router as a Packet Filter
- An Alternative Packet Filter: IPChains
- The Cisco ACL
- Effective Uses of Packet-Filtering Devices
- Egress Filtering
- Tracking Rejected Traffic
- Problems with Packet Filters
- Dynamic Packet Filtering and the Reflexive Access List
- Summary
- References
An Alternative Packet Filter: IPChains
Although examples in this chapter are given as Cisco access lists, other software programs and devices use similar technology. Following is an example of IPChains, one such program. IPChains is a packet-filtering system that comes bundled with many versions of Linux. Though IPChains is not as popular as it once was, being superseded by IPTables, you may still run into it or choose to deploy it as an effective packet filtering mechanism for your server or network.
If you wanted to block HTTP traffic from anywhere to your host 200.200.200.2 and log the matches, you would use the Cisco ACL:
access-list 111 deny tcp any host 200.200.200.2 eq 80 log
With IPChains, you would use
ipchains A input i eth1 p tcp s 0.0.0.0/0 d 200.200.200.2/32 80 -l j DENY
where A input means to place this rule on the end of the existing input chain.
i eth1 tells IPChains to apply this rule to the interface eth1, -p tells the protocol to watch for TCP, the -s parameter sets the source address, and 0.0.0.0/0 indicates to watch for any source address.
The /0 is the wildcard, and it means to match the specified bits exactly. Because the wildcard is 0 in this case, it means "don't match anything exactly or allow anything." This is equivalent to the Cisco any keyword.
The -d parameter is the destination address. In this example, it is equal to the host address 200.200.200.2 because the /32 wildcard mask is used. It tells IPChains to match the first 32 bits (or everything) exactly. This is equivalent to using the 0.0.0.0 wildcard or the host keyword in Cisco ACLs.
The destination address in this case is followed by the port number of the blocked protocol (80, for HTTP traffic). If the source port were filtered as well, it would have followed the source address.
Finally, the -l parameter means "log this information," and j DENY stipulates that any matching packets should be dropped and not to send any information of this back to the sender. It is the counterpart to the Cisco deny keyword.
As you can see, although similar in function, static packet filters come in different forms. Despite the differences in appearance and syntax, after you have a grasp of packet-filtering concepts, your knowledge can be applied to any of these filtration systems.