Tahoe 681 User Manual - 4.3.13
An IP address may be assigned to an interface, together with a
subnet mask and broadcast address. Dynamic ARP may also be
enabled or disabled.
The “bridge” parameter allows certain protocols to be included in
or excluded from bridging when the modem works in bridge mode.
4.3.13. ipchains
The command is used to control the firewall and network
address translation (NAT, also called “masquerade”, that is, giving a
network access to the Internet using only one real IP address).
• ipchains add - adds an entry at the end of the list
• ipchains insert - adds an entry at the beginning of the list
• ipchains del - removes an entry
• ipchains list - displays current settings
• ipchains flush - removes all entries from the list
After the “add”, “insert” or “del” option, the following parameters
should be given:
• -s
Defines the source addresses to which this entry applies. If this
parameter is omitted, the entry applies to all source addresses.
• -d
Defines the destination addresses to which this entry applies. If
this parameter is omitted, the entry applies to all destination
addresses.
• -p
Optionally, the application of this rule may be limited to a certain
protocol.
• -y (optional)
The rule may be applied to TCP SYN packets only (i.e. the
packets that initiate a TCP connection). This allows incoming
connections to be blocked while the returning packets for outgoing
connections are still passed.
• -m
By default, masquerading uses the outgoing interface’s IP
address. This option forces the use of another address.
• accept / deny / masq - specifies what to do with a packet
that matches the rule (accept / discard / masquerade)
Note:
The modem always chooses the first matching rule from
the list. So if the more general rule comes first and the more
specific one comes later, the first one will be applied and the last one
ignored. The specific rule therefore has to be inserted before the
general one, as in the following example:
ipchains add -s 215.16.11.0/24 deny
ipchains insert -s 215.16.11.5 accept
The commands above block access for the whole 215.16.11.0/24
subnet except for the 215.16.11.5 address.
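The first-match behaviour described in the note can be checked offline before a rule list is entered on the modem. The following Python model is an added example and is not part of the Tahoe firmware or manual; it models only the -s match, and the class name, the helper functions and the default action for unmatched packets are assumptions. It evaluates an address against the list and reports rules that can never be reached:

```python
import ipaddress

class RuleList:
    """First-match rule list; models only the -s (source) match described above."""
    def __init__(self):
        self.rules = []  # ordered list of (source network, action)

    def add(self, src, action):
        # Like "ipchains add": the entry goes at the end of the list.
        self.rules.append((ipaddress.ip_network(src), action))

    def insert(self, src, action):
        # Like "ipchains insert": the entry goes at the beginning of the list.
        self.rules.insert(0, (ipaddress.ip_network(src), action))

    def decide(self, addr, default="accept"):
        # The first matching rule wins. The default for unmatched packets
        # is an assumption; the manual does not state it.
        ip = ipaddress.ip_address(addr)
        for net, action in self.rules:
            if ip in net:
                return action
        return default

    def shadowed(self):
        # Rules that can never fire: an earlier rule covers all their addresses.
        found = []
        for i, (net, action) in enumerate(self.rules):
            for earlier, earlier_action in self.rules[:i]:
                if net.subnet_of(earlier):
                    found.append((str(net), action, str(earlier), earlier_action))
                    break
        return found

def manual_order():
    rl = RuleList()
    rl.add("215.16.11.0/24", "deny")
    rl.insert("215.16.11.5", "accept")   # specific rule ends up first
    return rl

def wrong_order():
    rl = RuleList()
    rl.add("215.16.11.0/24", "deny")
    rl.add("215.16.11.5", "accept")      # appended after the general rule
    return rl

if __name__ == "__main__":
    for name, rl in (("manual", manual_order()), ("wrong", wrong_order())):
        print(name, rl.decide("215.16.11.5"), rl.shadowed())
```

With the manual's ordering no rule is shadowed; with both rules appended, the accept rule for 215.16.11.5 is reported as unreachable behind the /24 deny rule.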
More examples:
ipchains add -d 0.0.0.0/0 80-80 -p tcp deny
Blocks access to port 80 on all external servers.
ipchains add -s 192.168.0.0/16 masq
Enables masquerade for the 192.168.0.0/16 subnet (other
addresses are passed unchanged).
4.3.14. lang
Selects the language used to display messages during the telnet
or console connection and on the LCD:
Note:
The specific “accept” rule (for one IP address) has
to be placed before the general one (for the whole
subnet), either by using the “insert” command as in the example
above or by adding the specific rule first and then the general one.
Otherwise the router will always apply the first rule and never
reach the second one: a packet coming from 215.16.11.5 matches
both rules, and if the general one comes first, it is the one applied.