I'm having a problem with ipchains. The problem is that if I uncomment the line "ipchains -P input REJECT", then the masquerading entries quit working (kind of): I can still masq to a telnet session but nothing else. Here's what I've got (where $extip is the IP address of the external adapter (eth0)). Any help is much appreciated.

David Scott

#
# config:
# 192.168.100.0/16 -> eth1
# xxx.xxx.xxx.xxx/32 -> eth0 (internet)
#
ipchains -F input
ipchains -F output
ipchains -F forward

ipchains -A input -i !lo -j DENY
ipchains -A output -i !lo -j DENY

ipchains -M -S 7200 10 60

ipchains -P forward DENY
ipchains -A forward -s 192.168.100.0/24 -i eth0 -j MASQ
ipchains -A forward -i lo -j ACCEPT

ipchains -A input -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A input -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A input -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A input -p icmp --icmp-type parameter-problem -j ACCEPT
ipchains -A input -p icmp ! -s 192.168.100.0/24 --icmp-type echo-request -j REJECT

#
# accept DNS traffic on both UDP and TCP
#
ipchains -A input -p udp -s xxx.xxx.xxx.xxx 53 -j ACCEPT
ipchains -A input -p tcp -s xxx.xxx.xxx.xxx -j ACCEPT

#
# accept incoming SMTP, GLFTPD, TELNET, AUTH requests
# since tcp-wrappers handle the security for most of these
#
ipchains -A input -p tcp -d $extip smtp -j ACCEPT
ipchains -A input -p tcp -d $extip www -j ACCEPT
ipchains -A input -p tcp -d $extip glftpd -j ACCEPT
ipchains -A input -p tcp -d $extip telnet -j ACCEPT
ipchains -A input -p tcp -d $extip auth -j ACCEPT
ipchains -A input -p tcp -d $extip 6363 -j ACCEPT
ipchains -A input -p udp -d $extip 6363 -j ACCEPT
ipchains -A input -p tcp -d $extip ssh -j ACCEPT

ipchains -A input -p TCP -d $extip 6000 -j REJECT
ipchains -A input -p TCP -d $extip netbios-ssn -j REJECT
ipchains -A input -p TCP -d $extip time -j REJECT

ipchains -P input REJECT
With masq entries, do you mean "ipchains -A forward -s 192.168.100.0/24 -i eth0 -j MASQ"? Also, I would place the policies in the config first, before any other rules. Could you email me (privately) with the output of 'ipchains -L'?

And the lines where you DENY all of the input and output chains except for the 'lo' interface should conceptually be changed to

ipchains -P input REJECT
ipchains -P output REJECT
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT

In general, the policies should express the base case and all exceptions should be rules. What I don't like about your config is that it is not very ordered, which makes administration harder. I would suggest the following format:

1) the three policies with DENY targets
2) obvious input rules such as allowing all -i lo traffic
3) input rules that you would like to direct to REJECT
4) regular input rules
5) repeat 2-4 for chain forward
6) repeat 2-4 for chain output
7) include a log line for every chain:

ipchains -A input -l

This way, it helps to configure your chains properly and it gives you some idea in the syslog of what requests arrive at the policy. It is best to have a rule for everything that you expect and only let the policy act when something unexpected happens. That makes attempted hack attacks easy to spot.

martin
madduck@madduck.net
(greetings from the heart of the sun)
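The ordering suggested in the reply above, written out as a complete ipchains script; this is an added example and not code from either poster. It assumes eth0 is the internet side with address EXTIP (a placeholder), eth1 carries 192.168.100.0/24 as in the original config, and it adds one thing the thread does not mention: replies to masqueraded connections return to EXTIP on the 2.2 kernel masquerade port range and are seen by the input chain, so a DENY policy on input needs an explicit rule for them.

```shell
#!/bin/sh
# Added example, not from the thread: an ipchains script laid out in the
# order suggested above (policies, lo rules, REJECT rules, regular rules,
# one log rule per chain). DRY_RUN=1 prints the commands instead of
# running them, so the ordering can be checked on any machine.
# Assumed: eth0 is the internet side with address EXTIP (placeholder),
# eth1 carries 192.168.100.0/24 (taken from the original config).
EXTIP="${EXTIP:-192.0.2.1}"
LAN="192.168.100.0/24"
DRY_RUN="${DRY_RUN:-1}"

run() {                       # print or execute one ipchains command
    if [ "$DRY_RUN" = 1 ]; then echo "ipchains $*"; else ipchains "$@"; fi
}

build_chains() {
    # 1) policies are the base case: nothing passes unless a rule says so
    run -F input; run -F output; run -F forward
    run -P input DENY; run -P output DENY; run -P forward DENY
    # 2) obvious input rules
    run -A input -i lo -j ACCEPT
    run -A input -i eth1 -s "$LAN" -j ACCEPT
    # 3) input rules that should answer with a REJECT instead of a silent DENY
    run -A input -p tcp -d "$EXTIP" 6000 -j REJECT
    run -A input -p tcp -d "$EXTIP" netbios-ssn -j REJECT
    # 4) regular input rules: offered services, plus replies to masqueraded
    #    connections, which come back to EXTIP on the 2.2 kernel masquerade
    #    port range and are checked by the input chain before demasquerading
    run -A input -p tcp -d "$EXTIP" ssh -j ACCEPT
    run -A input -p tcp -d "$EXTIP" smtp -j ACCEPT
    run -A input -i eth0 -p tcp -d "$EXTIP" 61000:65096 -j ACCEPT
    run -A input -i eth0 -p udp -d "$EXTIP" 61000:65096 -j ACCEPT
    # 5) forward chain: lo, then masquerade the LAN out through eth0
    run -A forward -i lo -j ACCEPT
    run -A forward -s "$LAN" -i eth0 -j MASQ
    # 6) output chain: lo, then the two real interfaces
    run -A output -i lo -j ACCEPT
    run -A output -i eth0 -j ACCEPT
    run -A output -i eth1 -j ACCEPT
    # 7) log whatever falls through to a policy, so it shows up in syslog
    run -A input -l
    run -A forward -l
    run -A output -l
}

build_chains
```

Run with DRY_RUN=0 as root on an ipchains kernel to load the rules; the printed form is what `ipchains -L` should then reflect, policies first.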
participants (2)
- MaD dUCK
- Scott, David