Configuring IP Filter
If you run the SRC software on a Solaris platform, you use IP Filter to redirect subscriber requests for inappropriate or unsubscribed Web access. You specify Network Address Translation (NAT) rules in a configuration file that IP Filter uses to redirect traffic. When a packet arrives that matches a rule, its destination address is mapped as specified in the rule.
To install and configure IP Filter:
For information about installing the IP Filter component of the captive portal system, see SRC-PE Getting Started Guide, Chapter 33, Installing the SRC Software on a Solaris Platform.
- Access the IP Filter directory.
cd /etc/opt/ipf
- Create the NAT file /etc/opt/ipf/ipnat.conf.
- Add a rule to the ipnat.conf file to redirect unauthorized traffic, and add other rules as needed to specify which traffic is redirected and the destination to which it is sent.
Create one rule for every interface on which redirected traffic can be received. For example, if you install the redirect server in a central location and set up multiple tunnel interfaces, you create one redirect rule for each tunnel interface. When you add rules to the ipnat.conf file, add a rule for authorized traffic followed by a rule for unauthorized traffic.
You can issue the ifconfig -a command to determine which network interfaces are configured on the host. You cannot use localhost (127.0.0.1) as a destination.
See the UNIX man pages for ipnat and ipf for more information about configuring IP Filter.
- Update and start IP traffic filtering.
/etc/init.d/ipfboot start
- View active rules and sessions.
/sbin/ipnat -l
The following sections give examples of the types of rules that you can configure by using IP Filter.
Example: Creating a Rule to Redirect Traffic to a Different Port Number
To enable subscribers to connect to the Web using the standard port, 80, for a Web server running on nonstandard port 8080, edit the ipnat.conf file on each Web server host to create a rule in the following format:
rdr ifName IpAddress/32 port 80 -> IpAddress port 8080 tcp
rdr hme0 192.168.1.1/32 port 80 -> 192.168.1.1 port 8080 tcp
This rule filters legitimate traffic destined for the Web server and redirects it as follows:
- Filters HTTP traffic that has a destination of standard port 80 and that meets the following criteria:
- Has a destination of the specified masked IP address (the publicly known address for the Web server, stored in the JUNOSe router IP routing table).
- Arrives on the primary network interface on the SAE host that receives traffic by means of the JUNOSe router.
The target IP address must be an address that exists on the Web server and must be different from localhost (127.0.0.1).
Example: Creating a Rule to Redirect Unauthorized Traffic
To redirect invalid traffic, on each host on which you have installed the redirect server, add a rule to the ipnat.conf file in the following format:
rdr ifName 0.0.0.0/0 port 80 -> IpAddress port 8800 tcp
rdr hme0 0.0.0.0/0 port 80 -> 10.227.1.163 port 8800 tcp
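The constraints the procedure places on ipnat.conf (the authorized rule before the catch-all rule, one catch-all per interface that can receive redirected traffic, no localhost target) and the two rdr rules shown in the examples above can be checked before the file is loaded. The following Python is an added example, not code from the SRC documentation or from the IP Filter project: it parses rdr lines of the form shown, reports violations of those constraints, and dry-runs packets against the rules using first-match order, which is the behaviour the authorized-before-unauthorized ordering relies on. The ip.tun0 interface name and the 203.0.113.5 destination are constructed sample values, not from the page.

```python
"""Validate and dry-run IP Filter rdr (NAT redirect) rules of the form used in
the examples above.  Added example, not part of the SRC documentation or of IP
Filter itself; it models the rule semantics the page describes (first match
wins, one catch-all per interface, no 127.0.0.1 target) without calling ipnat."""
import ipaddress
import re
from dataclasses import dataclass

# rdr <ifname> <dst-addr>/<mask> port <dport> -> <new-addr> port <new-port> <proto>
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<dst>\S+)\s+port\s+(?P<dport>\d+)\s*"
    r"->\s*(?P<to>\S+)\s+port\s+(?P<toport>\d+)\s+(?P<proto>tcp|udp)\s*$"
)


@dataclass(frozen=True)
class RdrRule:
    ifname: str
    dst: ipaddress.IPv4Network
    dport: int
    to: ipaddress.IPv4Address
    toport: int
    proto: str


def parse_ipnat(text):
    """Parse the rdr lines of an ipnat.conf; blank lines and '#' comments are
    skipped.  A line that is not a well-formed rdr rule (for example one with
    '>' instead of '->') raises ValueError instead of being silently dropped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RDR_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a valid rdr rule: {raw!r}")
        rules.append(RdrRule(
            ifname=m["ifname"],
            dst=ipaddress.IPv4Network(m["dst"], strict=False),
            dport=int(m["dport"]),
            to=ipaddress.IPv4Address(m["to"]),
            toport=int(m["toport"]),
            proto=m["proto"],
        ))
    return rules


def check_rules(rules, interfaces):
    """Return the problems found against the constraints the page states: the
    redirect target may not be localhost, every interface that can receive
    redirected traffic needs a catch-all (0.0.0.0/0) rule, and a catch-all must
    not come before a more specific rule for the same interface, port and protocol
    (under first-match order the specific rule would never be reached)."""
    problems = []
    seen_catchall = set()  # (ifname, dport, proto) of catch-alls already seen
    for i, r in enumerate(rules, 1):
        if r.to.is_loopback:
            problems.append(f"rule {i}: target {r.to} is localhost, which is not allowed")
        key = (r.ifname, r.dport, r.proto)
        if r.dst.prefixlen == 0:
            seen_catchall.add(key)
        elif key in seen_catchall:
            problems.append(f"rule {i}: specific rule shadowed by earlier catch-all on {r.ifname}")
    covered = {r.ifname for r in rules if r.dst.prefixlen == 0}
    for ifname in interfaces:
        if ifname not in covered:
            problems.append(f"interface {ifname}: no catch-all redirect rule")
    return problems


def redirect(rules, ifname, dst_ip, dport, proto="tcp"):
    """First matching rule wins: return the (address, port) a packet arriving on
    ifname for dst_ip:dport is mapped to, or None when no rdr rule applies."""
    addr = ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if r.ifname == ifname and r.proto == proto and r.dport == dport and addr in r.dst:
            return (str(r.to), r.toport)
    return None


# Constructed ipnat.conf: the two hme0 rules from the examples above plus a
# hypothetical tunnel interface ip.tun0 with its own catch-all rule.
SAMPLE_CONF = """\
# authorized traffic for the Web server first ...
rdr hme0 192.168.1.1/32 port 80 -> 192.168.1.1 port 8080 tcp
# ... then the catch-all that sends everything else to the redirect server
rdr hme0 0.0.0.0/0 port 80 -> 10.227.1.163 port 8800 tcp
rdr ip.tun0 0.0.0.0/0 port 80 -> 10.227.1.163 port 8800 tcp
"""

if __name__ == "__main__":
    rules = parse_ipnat(SAMPLE_CONF)
    print(check_rules(rules, ["hme0", "ip.tun0"]))       # []
    print(redirect(rules, "hme0", "192.168.1.1", 80))     # ('192.168.1.1', 8080)
    print(redirect(rules, "hme0", "203.0.113.5", 80))     # ('10.227.1.163', 8800)
    print(redirect(rules, "hme0", "203.0.113.5", 443))    # None
```

Swapping the two hme0 rules makes check_rules report the Web-server rule as shadowed, which is the failure the "authorized followed by unauthorized" ordering in the procedure prevents; a rule whose target is 127.0.0.1 is reported for the same reason the page gives.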