Setup guide
src-address=:20 dst-address=:1024-65535 protocol=tcp
tcp-options=syn-only action=accept
6 ;;; Reject and log everything else
action=reject log=yes
[admin@Wandy] ip firewall rule customer>
Note about rule #5: active FTP data connections are made from the server's port 20 to the client's
TCP port above 1024.
All we have to do now is to put rules in the forward chain, that match the IP addresses of the
customer's hosts on the Local interface and jump to the customer chain:
[admin@Wandy] ip firewall rule forward> add out-interface=Local action=jump \
\... jump-target=customer
[admin@Wandy] ip firewall rule forward> print
Flags: X - disabled, I - invalid, D - dynamic
0 out-interface=Local action=jump jump-target=customer
[admin@Wandy] ip firewall rule forward>
Thus, everything that passes through the router and leaves via the Local interface (i.e. is destined for the
customer's network) will be processed against the firewall rules of the customer chain.
Enforcing the 'Internet Policy'
To force the customer's hosts to access the Internet only through the proxy server at 192.168.0.17,
we should put the following rules in the forward chain:
[admin@Wandy] ip firewall rule forward> add protocol=icmp out-interface=Public \
\... comment="Allow ICMP ping packets"
[admin@Wandy] ip firewall rule forward> add src-address=192.168.0.17/32 \
\... out-interface=Public \
\... comment="Allow outgoing connections from the server at 192.168.0.17"
[admin@Wandy] ip firewall rule forward> add action=reject out-interface=Public \
\... log=yes comment="Reject everything else"
[admin@Wandy] ip firewall rule forward> print
Flags: X - disabled, I - invalid, D - dynamic
0 out-interface=Local action=jump jump-target=customer
1 ;;; Allow ICMP ping packets
out-interface=Public protocol=icmp action=accept
2 ;;; Allow outgoing connections from the server at 192.168.0.17
src-address=192.168.0.17/32 out-interface=Public action=accept
3 ;;; Reject everything else
out-interface=Public action=reject log=yes
[admin@Wandy] ip firewall rule forward>
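The two pieces above (the jump from forward into the customer chain, and the proxy-only Internet policy) can be checked without a router. The following is an added example, not part of the original guide or the Wandy router software: a small Python model of the page's chains with the same rule order, used to confirm which verdict a given packet receives. Field names such as out_interface and syn_only are the model's own; the addresses and ports are those from the page.

```python
import ipaddress
# Constructed model of the page's 'forward' and 'customer' chains (illustration, not
# RouterOS code). A rule is a dict of match fields plus an 'action'; absent fields match anything.
def rule(action, **match):
    match["action"] = action
    return match

CHAINS = {
    "forward": [
        rule("jump", out_interface="Local", jump_target="customer"),
        rule("accept", out_interface="Public", protocol="icmp"),
        rule("accept", out_interface="Public", src_address="192.168.0.17/32"),
        rule("reject", out_interface="Public"),
    ],
    "customer": [  # rule 5 from the page: active FTP data, server port 20 -> client port > 1024
        rule("accept", protocol="tcp", src_port=(20, 20), dst_port=(1024, 65535), syn_only=True),
        rule("reject"),
    ],
}

def matches(r, pkt):
    """True when every match field of rule r is satisfied by packet pkt."""
    for key, want in r.items():
        if key in ("action", "jump_target"):
            continue
        have = pkt.get(key)
        if have is None:
            return False
        if key.endswith("_address"):
            ok = ipaddress.ip_address(have) in ipaddress.ip_network(want)
        elif key.endswith("_port"):
            ok = want[0] <= have <= want[1]
        else:
            ok = have == want
        if not ok:
            return False
    return True

def evaluate(chain, pkt):
    """Walk a chain top-down; first terminal verdict wins. None: fell off the end (default policy)."""
    for r in CHAINS[chain]:
        if not matches(r, pkt):
            continue
        if r["action"] == "jump":
            verdict = evaluate(r["jump_target"], pkt)
            if verdict is not None:
                return verdict
            continue  # jumped-to chain had no verdict: resume in this chain
        return r["action"]
    return None
```

A customer host sending TCP directly out of the Public interface ends at the final reject (and is logged), while the same packet from 192.168.0.17 is accepted; an active FTP data packet from port 20 towards the Local interface is accepted by the customer chain.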
Example of Source NAT (Masquerading)
If you want to "hide" the private LAN 192.168.0.0/24 "behind" the single address 10.0.0.217 given to you
by the ISP (see the network diagram in the Application Example above), you should use the source
network address translation (masquerading) feature of the Wandy router. Masquerading
changes the source IP address and port of packets originating from the network 192.168.0.0/24 to
the router's address 10.0.0.217 as they are routed through it.
To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall
configuration:
[admin@Wandy] ip firewall src-nat> add action=masquerade out-interface=Public
[admin@Wandy] ip firewall src-nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 out-interface=Public action=masquerade
[admin@Wandy] ip firewall src-nat>
All outgoing connections from the network 192.168.0.0/24 will have the router's address 10.0.0.217 as
their source address and a source port above 1024. No access from the Internet will be possible to the Local