

Configuring IP Filter

If you run the SRC software on a Solaris platform, you use IP Filter to redirect subscriber requests for inappropriate or unsubscribed Web access. You specify Network Address Translation (NAT) rules in a configuration file that IP Filter uses to redirect traffic. When a packet arrives that matches a rule, its destination address is mapped as specified in the rule.

To install and configure IP Filter:

  1. Install IP Filter on each server on which you want it to operate.

For information about installing the IP Filter component of the captive portal system, see SRC-PE Getting Started Guide, Chapter 33, Installing the SRC Software on a Solaris Platform.

  2. Access the IP Filter directory:

     cd /etc/opt/ipf

  3. Create the NAT file /etc/opt/ipf/ipnat.conf.

  4. Add a rule to the ipnat.conf file to redirect unauthorized traffic, and add other rules as needed to specify which traffic is to be redirected and the destination for the redirected traffic.

Create one rule for every interface on which redirected traffic can be received. For example, if you install the redirect server in a central location and set up multiple tunnel interfaces, you create one redirect rule for each tunnel interface. When you add rules to the ipnat.conf file, place the rule for authorized traffic before the rule for unauthorized traffic: IP Filter applies the first NAT rule that matches a packet, so a catch-all rule placed first would capture the authorized traffic as well.

You can issue the ifconfig -a command to determine which network interfaces are configured on the host. You cannot use localhost (127.0.0.1) as a destination.

See the UNIX man pages for ipnat and ipf for more information about configuring IP Filter.

  5. Update and start IP traffic filtering:

     /etc/init.d/ipfboot start

  6. View the active rules and sessions:

     /sbin/ipnat -l


The following sections give examples of the types of rules that you can configure by using IP Filter.

Example: Creating a Rule to Redirect Traffic to a Different Port Number

To enable subscribers to connect to the Web using the standard port, 80, for a Web server running on nonstandard port 8080, edit the ipnat.conf file on each Web server host to create a rule in the following format:

rdr ifName IpAddress/32 port 80 -> IpAddress port 8080 tcp

For example:

rdr hme0 192.168.1.1/32 port 80 -> 192.168.1.1 port 8080 tcp

This rule filters legitimate traffic destined for the Web server and redirects it as follows:

  1. Filters HTTP traffic that arrives on the specified interface (hme0 in the example), has the Web server's address (192.168.1.1) as its destination, and is addressed to the standard port 80.
  2. Redirects the filtered traffic to the specified target IP address on nonstandard port 8080.

The target IP address must be an address that exists on the Web server and must be different from localhost (127.0.0.1).

Example: Creating a Rule to Redirect Unauthorized Traffic

To redirect invalid traffic, on each host on which you have installed the redirect server, add a rule to the ipnat.conf file in the following format:

rdr ifName 0.0.0.0/0 port 80 -> IpAddress port 8800 tcp

For example:

rdr hme0 0.0.0.0/0 port 80 -> 10.227.1.163 port 8800 tcp

This rule redirects unauthorized traffic as follows:

  1. Filters all HTTP packets that arrive on the specified interface (hme0 in the example) and are addressed to port 80, regardless of destination address (0.0.0.0/0).
  2. Redirects those packets to the specified target IP address on port 8800. The redirect server listens on this port and redirects subscribers to the captive portal page that you define to handle this traffic.
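The two rule formats above, together with the ordering and localhost constraints stated earlier, can be checked before ipnat.conf is loaded. The following script is an added example written for this page, not part of the SRC software or IP Filter: it generates the authorized/unauthorized rule pair for one interface and lints a whole file for malformed rules, a 127.0.0.1 target, and a 0.0.0.0/0 catch-all that precedes (and so shadows) the host-specific rule on the same interface. The regular expression covers only the rdr form shown on this page, not the full ipnat syntax.

```python
import re
from ipaddress import ip_network

# Constructed pattern for the rdr form used on this page (not the full ipnat grammar):
#   rdr <ifname> <cidr> port <n> -> <ip> port <n> <proto>
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<match>\S+)\s+port\s+(?P<mport>\d+)\s+->\s+"
    r"(?P<target>\S+)\s+port\s+(?P<tport>\d+)\s+(?P<proto>tcp|udp)$"
)

def parse_rdr(line):
    """Return the fields of one rdr rule, or raise ValueError with the reason."""
    m = RDR_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a well-formed rdr rule: {line!r}")
    r = m.groupdict()
    r["match_net"] = ip_network(r["match"], strict=False)  # raises ValueError if bogus
    if r["target"].startswith("127."):
        raise ValueError("localhost cannot be the redirect target")
    return r

def lint_ipnat(text):
    """Check every rule in an ipnat.conf body; return a list of problem strings.
    A 0.0.0.0/0 rule seen before a host-specific rule on the same interface is
    flagged, because the first matching NAT rule wins and the later rule is dead."""
    problems = []
    catchall_ifaces = set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        try:
            r = parse_rdr(line)
        except ValueError as e:
            problems.append(f"line {n}: {e}")
            continue
        if r["match_net"].prefixlen == 0:
            catchall_ifaces.add(r["ifname"])
        elif r["ifname"] in catchall_ifaces:
            problems.append(f"line {n}: shadowed by an earlier 0.0.0.0/0 rule on {r['ifname']}")
    return problems

def make_rules(ifname, web_ip, redirect_ip):
    """Emit the authorized rule followed by the unauthorized rule for one interface."""
    return [
        f"rdr {ifname} {web_ip}/32 port 80 -> {web_ip} port 8080 tcp",
        f"rdr {ifname} 0.0.0.0/0 port 80 -> {redirect_ip} port 8800 tcp",
    ]

if __name__ == "__main__":
    body = "\n".join(make_rules("hme0", "192.168.1.1", "10.227.1.163"))
    print(body)
    print(lint_ipnat(body) or "ipnat.conf: no problems found")
```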
