
Monday, July 6, 2009

IPChains Intro

=====
1. Multiple Machines, A single connection
2. NAT 101
3. IPCHAINS 101
4. IP_MASQ 101
5. Setting up the router
6. Caveats

The program
========
General format:
ipchains []

Commands:
-F flushes a chain so that it starts fresh
-P sets up the default handling
-A adds conditions or rules to a chain

With ipchains, three chains are predefined: input, output, and forward. The following two commands are normally used to set up a chain:

ipchains -F input          # flush input chain
ipchains -P input REJECT   # default policy

This causes any rules for the input chain to be discarded and sets up the default condition so incoming packets are rejected.

The output chain controls what packets can be sent. A packet may be accepted by the input chain but rejected by the output chain. Likewise, the forward chain controls what packets will be routed.

In general, the input chain controls incoming packet filtering. The packet is either destined for the router or for another computer. In the latter case, the packet is processed by the forward chain. Packets that make it through this chain will then be processed by the output chain.

Examples:
1. ipchains -A input -i eth0 -s 10.1.0.0/16 -d 0.0.0.0/0 -j ACCEPT

2. ipchains -A input -i eth0 -s 10.2.0.0/16 -d 0.0.0.0/0 -j REJECT

No. 2 above rejects packets with a source address of the form 10.2.x.x bound for any destination. With the current rule set this is actually redundant, since anything that does not match the first example rule for 10.1.x.x is already rejected by the default policy.

NB:
Rules are order dependent: they are checked in the order they were added, and the first rule that matches decides the packet's fate.
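
The first-match behaviour described above (the redundancy of example rule 2 under a REJECT default policy, and the order dependence of rules), modelled in Python as an added example. This is not code from the original post; the Rule and Chain classes, the probe packets and the 10.0.0.0/8 rule are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:                # one "ipchains -A <chain> -i ... -s ... -d ... -j ..." rule
    iface: str             # -i interface
    src: str               # -s source network (CIDR)
    dst: str               # -d destination network (CIDR)
    target: str            # -j ACCEPT / REJECT / DENY / MASQ
    def matches(self, iface, src, dst):
        return (self.iface == iface
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))

@dataclass
class Chain:               # models one of the input / output / forward chains
    policy: str = "ACCEPT"           # kernel default before any -P
    rules: list = field(default_factory=list)
    def flush(self): self.rules.clear()                 # ipchains -F <chain>
    def set_policy(self, target): self.policy = target  # ipchains -P <chain> <target>
    def append(self, rule): self.rules.append(rule)     # ipchains -A <chain> ...
    def verdict(self, iface, src, dst):
        # Rules are consulted in order; the first match ends the walk.
        for r in self.rules:
            if r.matches(iface, src, dst):
                return r.target
        return self.policy           # nothing matched: the -P default applies

def build_input_chain(with_rule_2):
    c = Chain()
    c.flush()
    c.set_policy("REJECT")
    c.append(Rule("eth0", "10.1.0.0/16", "0.0.0.0/0", "ACCEPT"))      # example 1
    if with_rule_2:
        c.append(Rule("eth0", "10.2.0.0/16", "0.0.0.0/0", "REJECT"))  # example 2
    return c

def compare_rule_sets():
    # Constructed probe packets (iface, src, dst); 192.0.2.1 is a documentation address.
    probes = [("eth0", "10.1.5.5", "192.0.2.1"), ("eth0", "10.2.5.5", "192.0.2.1"),
              ("eth0", "10.3.5.5", "192.0.2.1"), ("eth1", "10.1.5.5", "192.0.2.1")]
    a, b = build_input_chain(False), build_input_chain(True)
    return [(a.verdict(*p), b.verdict(*p)) for p in probes]   # verdicts are identical

def order_matters():
    # Same two rules, opposite order: the broad REJECT shadows the narrow ACCEPT.
    broad = Rule("eth0", "10.0.0.0/8", "0.0.0.0/0", "REJECT")
    narrow = Rule("eth0", "10.1.0.0/16", "0.0.0.0/0", "ACCEPT")
    pkt = ("eth0", "10.1.5.5", "192.0.2.1")
    return Chain(rules=[broad, narrow]).verdict(*pkt), Chain(rules=[narrow, broad]).verdict(*pkt)
```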

Other values are available for the -j option when it is used with the forward chain, including DENY and MASQ. DENY is similar to REJECT in that it terminates checking of the chain. MASQ indicates that a packet should be masqueraded using the built-in NAT support. In this case the accepted packet is modified so that its IP address and port are rewritten as described under NAT earlier; the reverse translation for response packets is done automatically. Selective use of MASQ allows a Linux router to forward some packets NAT-fashion and others with no translation. This is handy for small companies that have been assigned more than one IP address and use them for PCs on the local network.
For simple router support when an ISP provides a single IP address, MASQ is typically used. User-defined chains are usually unnecessary.

======
Commands
======
1. chkconfig --del ipchains
Remove ipchains from system boot/initialization process
2. chkconfig --add iptables
Add iptables to system boot/initialization process
3. ipchains -F
Flush ipchains rules
4. service ipchains stop
Stop ipchains. Also: /etc/init.d/ipchains stop
5. rmmod ipchains
Unload the ipchains kernel module. The iptables kernel module cannot be loaded while the ipchains module is loaded.
6. service iptables start
Load the iptables kernel module. Also: /etc/init.d/iptables start
