Re: Re: IP filtering

I think your problem is in the basics of how IP works. Without seeing the 
netmask, I'm betting both of these IPs are most likely subnet, 
255.255.255.0. If that is true, then no routing or filtering can take 
place the way you want. 

Think of it has everyone on 10.10.18.x being on a party line, everyone 
here's everyone else. You tell George(10.10.18.25) to not let 
John(10.10.18.54) hear or say something. For your filtering to work a few 
things must happen. These must be thought out before you start actually 
doing any of this since I don't anything about your network.

Logically you must seperate 10.10.18.25 and .54 on to seperate networks.

If the number of devices are small you could change the netmask to say 
255.255.255.224. This would create  8 32 address networks
1-31, 32-63, 64-95 etc. If you need more than that then you will need to 
change the subnet itself to say 10.10.19.x for the .54 address.

If you decide to change the network address to 10.10.19.x then ALL devices 
in the 10.10.18.x network must have their default gateways pointing to the 
400 at 10.10.18.25.

There is more to this than above but's it's the basics. The main thing is 
the packets can't have a way around whatever is filtering. To get from .25 
to .54 and get filtered, they must be on different networks. 


_____________________
Kirk Goins CCNA
Systems Engineer, Manage Inc.
IBM Certified iSeries Solutions Expert
IBM Certified iSeries e-Business Infrastructure
IBM Certified Designing IBM e-business Solutions 
Office 503-353-1721 x106 Cell 503-577-9519
kirkg@xxxxxxxxxxxxx      www.manageinc.com



"Steve McKay" <steve.mckay@xxxxxxxxxxxxxx> 
Sent by: web400-bounces@xxxxxxxxxxxx
12/17/2003 06:19 AM
Please respond to
Web Enabling the AS400 / iSeries <web400@xxxxxxxxxxxx>


To
web400@xxxxxxxxxxxx
cc

Subject
[WEB400] Re: IP filtering






Further information -

If 10.10.18.25 and 10.10.18.54 are both defined interfaces on a single
iSeries, the filter rules work fine.  Unfortunately, this is not what I 
need
to do - I need to use one system as a "traffic cop" to redirect requests 
to
a second system.

If 10.10.18.25 and 10.10.18.54 are on separate systems, the same filter
rules as above do not work.  I can only conclude that, when the IP filter
rules change the IP address in the packet, the packet does not get put 
back
out on the network.

Can anyone confirm or deny this?

Thanks,

Steve
"Steve McKay" <steve.mckay@xxxxxxxxxxxxxx> wrote in
message news:brdbpp$mr$1@xxxxxxxxxxxxxxxx
> Greetings list!
>
> I am attempting to forward HTTP requests from one iSeries Apache 
webserver
> to another on a private network (not VPN, just a non-Internet Ethernet
> network).  I have created the following IP packet rules:
>
> ADDRESS frontend   IP = 10.10.18.25   TYPE = BORDER
> ADDRESS backend   IP = 10.10.18.54   TYPE = TRUSTED
> HIDE backend:80   BEHIND frontend:80   TIMEOUT = 16   MAXCON = 512   JRN 
=
> OFF
>
> When I activate the rules and point the browser to 10.10.18.25, I get a
> "Cannot find server or DNS error" message but if I go directly to
> 10.10.18.54, I get the expected website.
>
> Any ideas?
>
>
>
> _______________________________________________
> This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
> To post a message email: WEB400@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/web400
> or email: WEB400-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/web400.
>
>



_______________________________________________
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.