LinuxQuestions.org
Old 07-05-2001, 03:05 PM   #1
Chypmunk
Member
 
Registered: Mar 2001
Distribution: redhat 7.0
Posts: 75

Rep: Reputation: 15
ipchains problem.


Hi! I recently set up ipchains, and am having a few problems. I have read the HOWTO and some tutorials on setting up firewalls. I thought I had enough info and went about setting up the ipchains in redhat 7.0. The first thing I did was set the "forward" and "input" links to "REJECT" and output to "ACCEPT"; when I did the ipchains --list thing, it told me that they were successfully set.

I then decided I would allow the ports I planned on using. I used the -P input -p TCP --dport *portnumber* -j ACCEPT command and it added the port number to the link "input" and it said "ACCEPT" in front of it when I did the --list thing. It didn't appear to be able to accept any information. What is wrong with my firewall? It wouldn't connect to my local web server, and in Opera, it says on the amount received bar "0k". Why isn't my firewall letting anything through?

Any help would be greatly appreciated. Thank you.
 
Old 07-05-2001, 04:25 PM   #2
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
Post a listing of the output from ipchains -L so we can see what's set.

I'll then make educated guesses, and Raz will give you the correct answer...

cheers!!

Jamie...
 
Old 07-05-2001, 04:51 PM   #3
Chypmunk
Member
 
Registered: Mar 2001
Distribution: redhat 7.0
Posts: 75

Original Poster
Rep: Reputation: 15
Here we go!

When I type "ipchains --list" (same as -L) I get a nice little chart. It goes a little something like this:
Code:
chain input (policy DENY)
target prot opt source destination port
ACCEPT tcp ------ anywhere anywhere any->www
chain forward (policy ACCEPT)
chain output (policy ACCEPT)

The only port I had set up when I did this was port 80 which is the www port..

could this be telling it to deny the port www and leave all other ports open?

I dunno.. well, there is the info.. Please help me get this up and running..
thanx

Chyp
 
Old 07-05-2001, 05:05 PM   #4
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
Uhm.. that seems to make sense to me and looks about right. I assume you can get to the local web server if you kill all your firewall rules with
Code:
ipchains -F
yeah??

Cheers

Jamie...
 
Old 07-05-2001, 07:35 PM   #5
Chypmunk
Member
 
Registered: Mar 2001
Distribution: redhat 7.0
Posts: 75

Original Poster
Rep: Reputation: 15
yep... If I flush all the rules, it will work, or if I set the policy to ACCEPT. Can't figure out what's wrong..
 
Old 07-06-2001, 03:39 AM   #6
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
As a stop-gap measure you can always leave the policy on ACCEPT, then add rules to block your active ports, say 1-1024, then any higher ports that are running.

cheers

Jamie...
 
Old 07-06-2001, 05:26 AM   #7
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Chypmunk,

Are you using NAT? i.e. windoze boxes using your Linux box as a gateway for web access and others.

If so, supply the internal network range you use and the different interfaces on the Linux box from #ifconfig -a

Then I can give you more info on how to stop spoofing etc etc etc

In the meantime I typed out a small example so you can see what you should be doing.

An example/assumptions of your IP settings for the ipchains rules

Your Linux box's internal IP = 192.168.12.1 "eth0"
Your Linux box's external ISP IP = 65.12.32.122 "eth1"
Your ISP's DNS1 server IP = 65.12.32.12
Your ISP's DNS2 server IP = 65.12.32.13

Code:
# try this:
# kernel hardening: forward for NAT, SYN cookies, reassemble fragments,
# ignore broadcast pings and bogus ICMP errors, reverse-path filtering,
# and no ICMP redirects in either direction
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# clear all ipchains settings
ipchains -F
# Deny everything by default, then open only what is needed (secure mode).
ipchains -P input REJECT
ipchains -P output REJECT
ipchains -P forward REJECT
# sets masquerading timeout values: TCP, TCP after FIN, UDP (seconds)
ipchains -M -S 4800 15 200
# localhost access
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
# allow internal subnet full access only to internal interface
ipchains -A input -i eth0 -s 192.168.12.0/24 -j ACCEPT
ipchains -A output -i eth0 -d 192.168.12.0/24 -j ACCEPT
# block NetBIOS/SMB (137-139) in every direction
ipchains -A input -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A input -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p udp -s 0/0 --dport 137:139 -j DENY
# stops spoofing of internal/reserved addresses arriving on the external
# (ISP-facing) interface, which is eth1 in the assumptions above; the
# original post said -i eth0 here, which would hit the internal side instead
ipchains -A input -i eth1 -s 10.0.0.0/8 -d 0/0 -j DENY -l
ipchains -A input -i eth1 -s 172.16.0.0/12 -d 0/0 -j DENY -l
ipchains -A input -i eth1 -s 192.168.0.0/16 -d 0/0 -j DENY -l
ipchains -A input -i eth1 -s 127.0.0.0/8 -d 0/0 -j DENY -l
ipchains -A input -i eth1 -s 255.255.255.255 -j DENY -l
ipchains -A input -i eth1 -d 0.0.0.0 -j DENY -l
# turns off udp traceroutes (probes arrive on destination ports 33434 and up;
# the original had the range on the source side)
ipchains -A input -p udp -s 0/0 -d 65.12.32.122 33434:33600 -j DENY -l

# allow DNS1 to go out/in (output restricted to the DNS1 address)
ipchains -A output -p tcp -s 65.12.32.122 1023:65535 -d 65.12.32.12 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 65.12.32.12 --sport 53 -d 65.12.32.122 1023:65535 -j ACCEPT
# DNS1 lookup udp out/in
ipchains -A output -p udp -s 65.12.32.122 1023:65535 -d 65.12.32.12 --dport 53 -j ACCEPT
ipchains -A input -p udp -s 65.12.32.12 --sport 53 -d 65.12.32.122 1023:65535 -j ACCEPT
# allow DNS2 to go out/in
ipchains -A output -p tcp -s 65.12.32.122 1023:65535 -d 65.12.32.13 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 65.12.32.13 --sport 53 -d 65.12.32.122 1023:65535 -j ACCEPT
# DNS2 lookup udp out/in
ipchains -A output -p udp -s 65.12.32.122 1023:65535 -d 65.12.32.13 --dport 53 -j ACCEPT
ipchains -A input -p udp -s 65.12.32.13 --sport 53 -d 65.12.32.122 1023:65535 -j ACCEPT

# Web access out/in
# HTTP 80 access
# change speed of packets with TOS setting (minimum delay)
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 80 -t 0x01 0x10 -j ACCEPT
# "! -y" = only packets that are NOT new connections, i.e. replies to our requests
ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d 65.12.32.122 1023:65535 -j ACCEPT
# HTTPS 443 access
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 443 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 443 -d 65.12.32.122 1023:65535 -j ACCEPT

# ICMP: let our own ICMP out, and accept only reply/error types coming in.
ipchains -A output -p icmp -s 0/0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 3 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 4 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 9 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 11 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 12 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 14 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 18 -d 0/0 -j ACCEPT
# deny and log incoming echo request, redirect and router solicitation
ipchains -A input -p icmp -s 0/0 --icmp-type 8 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 5 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 10 -d 0/0 -j DENY -l


-----------
This is just a small example. "trust me"
You'll have to set up mail, ssh and any other services that will need to go out.
Also you'll need to enable NAT with the "ipchains -A forward -i eth0 -j MASQ" option if you want any windows system to use it as a gateway.

enjoy,
Raz
 
Old 07-06-2001, 02:24 PM   #8
Chypmunk
Member
 
Registered: Mar 2001
Distribution: redhat 7.0
Posts: 75

Original Poster
Rep: Reputation: 15
Just to let you know, I am running a Linux workstation that I want to stop people from remotely accessing. It is the only computer I have, so it is not a gateway or proxy, or router.

I want every port blocked, except for the ones I will use. I don't need SSH open because I don't use secure shells, and have no plans to do so in the future. I will need WWW (80), FTP (20, 21), SMTP (25) and POP (110).

Thanks for everyone's help.
Chypmnk
 
Old 07-07-2001, 10:06 AM   #9
Chypmunk
Member
 
Registered: Mar 2001
Distribution: redhat 7.0
Posts: 75

Original Poster
Rep: Reputation: 15
k. I think I got something figured out. When looking at my windoze firewall logs, the remote port is usually 80 and the local port is usually in the 10** range. From what I understand, the IPCHAINS setup will only let stuff come in on my port 80. Is it possible to set IPCHAINS up to accept things from the remote port 80? That way as long as it is http related, it will be allowed through..

Thanx for your help.
chypmunk
 
Old 07-09-2001, 03:34 AM   #10
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
To allow access from the internet to your Linux IP address's port 80 "HTTPD" service you would use these commands.

Code:
ipchains -A input -p tcp -s 0/0 --sport 1023:65535 -d 65.12.32.122 --dport 80 -j ACCEPT
ipchains -A output -p tcp -s 65.12.32.122 --sport 80 -d 0/0 -j ACCEPT

Change it to port 443 SSL for HTTPS incoming.

The other examples I posted show you how to allow outgoing non-SYN connected connections, to enable SMTP and POP access.

/Raz
 
Old 07-09-2001, 02:20 PM   #11
Chypmunk
Member
 
Registered: Mar 2001
Distribution: redhat 7.0
Posts: 75

Original Poster
Rep: Reputation: 15
what does the -d *ipaddress* do, and what IP do I put there?
 
Old 07-10-2001, 03:39 AM   #12
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Remember in my example:
I made these up as we don't know your IP addresses

Your Linux box's internal IP = 192.168.12.1 "eth0"
Your Linux box's external ISP IP = 65.12.32.122 "eth1"
Your ISP's DNS1 server IP = 65.12.32.12
Your ISP's DNS2 server IP = 65.12.32.13

-d is destination address
-s is source IP address

Code:
ipchains -A input -p tcp -s 0/0 --sport 1023:65535 -d 65.12.32.122 --dport 80 -j ACCEPT

so it's your Linux box's IP address assigned to you by your ISP.

-s 0/0 is from any source.

/Raz
 
Old 07-10-2001, 03:15 PM   #13
Chypmunk
Member
 
Registered: Mar 2001
Distribution: redhat 7.0
Posts: 75

Original Poster
Rep: Reputation: 15
All right then.. That has cleared everything up for me... I finally understand what has to happen.. Wouldn't it be the other way around though, like have the source port 80 and the local (d)port 1023-65535? I am not serving anything, and don't have plans on doing so, so it wouldn't have anything to do with the local port 80.. right?

This is really clear now, it's just it might have been a typo?
 
Old 07-11-2001, 05:39 AM   #14
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
I got the impression you also wanted to allow people access to your own port 80 HTTPD "website"

These are the commands to allow your system to talk to other websites on the internet.

Code:
ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d 65.12.32.122 1023:65535 -j ACCEPT
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 80 -t 0x01 0x10 -j ACCEPT

These are the commands to allow people to talk to your webserver like apache if you're running one.

Code:
ipchains -A input -p tcp -s 0/0 --sport 1023:65535 -d 65.12.32.122 --dport 80 -j ACCEPT
ipchains -A output -p tcp -s 65.12.32.122 --sport 80 -d 0/0 -j ACCEPT

Hope this helps,
Raz
 
Old 07-11-2001, 02:13 PM   #15
Chypmunk
Member
 
Registered: Mar 2001
Distribution: redhat 7.0
Posts: 75

Original Poster
Rep: Reputation: 15
thanks raz for your help.. I know what has to happen now..
If I block all the remote ports that I wouldn't use, and leave 1023 to 65535 open, would there be any security issues?


I don't think so, But lemme know anyway..
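The point the thread circles around from post #3 to post #15 is which side's port a rule names, and what the "! -y" qualifier (match only packets that are not new connections) buys you when local ports 1023-65535 are left open. As an added example that is not code from the thread or from either poster, here is a small Python model of ipchains first-match evaluation fed with the rules quoted above: Chypmunk's original input rule, Raz's "talk to other websites" pair, and the literal reading of the post #15 question. It assumes Raz's made-up 65.12.32.122 as the local address; the remote web server 198.51.100.10 and the local ports 1030 and 6000 are constructed for the demonstration.

```python
"""Added example (not from the thread): a first-match simulator for the ipchains rule
syntax used above. It never touches the kernel; it only models how a chain evaluates a
packet. 65.12.32.122 is Raz's made-up external address; everything else is constructed."""
import shlex
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass
class Packet:
    chain: str      # "input" or "output"
    proto: str      # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # SYN set and ACK clear: a new connection attempt (ipchains -y)

@dataclass
class Rule:
    chain: str
    target: str = ""
    proto: Optional[str] = None
    src: str = "0/0"
    sport: Optional[Tuple[int, int]] = None
    dst: str = "0/0"
    dport: Optional[Tuple[int, int]] = None
    not_syn: bool = False   # "! -y": match only packets that are NOT new connections

def _ports(tok: str) -> Tuple[int, int]:
    lo, _, hi = tok.partition(":")
    return int(lo), int(hi or lo)

def _net(tok: str):
    return ip_network("0.0.0.0/0" if tok == "0/0" else tok, strict=False)  # "0/0" = any

def parse_rule(line: str) -> Rule:
    """Parse the subset of 'ipchains -A <chain> ...' options that appear in the thread."""
    toks = shlex.split(line)
    if toks[:2] != ["ipchains", "-A"]:
        raise ValueError("only 'ipchains -A <chain> ...' lines are supported")
    r, i = Rule(chain=toks[2]), 3
    while i < len(toks):
        t = toks[i]
        if t in ("-s", "-d"):
            addr, ports, i = toks[i + 1], None, i + 2
            if i < len(toks) and toks[i][0].isdigit():  # positional "ADDR PORT[:PORT]" form
                ports, i = _ports(toks[i]), i + 1
            if t == "-s":
                r.src, r.sport = addr, ports or r.sport
            else:
                r.dst, r.dport = addr, ports or r.dport
        elif t == "-p":
            r.proto, i = toks[i + 1].lower(), i + 2
        elif t == "--sport":
            r.sport, i = _ports(toks[i + 1]), i + 2
        elif t == "--dport":
            r.dport, i = _ports(toks[i + 1]), i + 2
        elif t == "-j":
            r.target, i = toks[i + 1], i + 2
        elif t == "!" and toks[i + 1] == "-y":
            r.not_syn, i = True, i + 2
        elif t == "-t":   # TOS mangling (-t AND XOR): does not affect the verdict
            i += 3
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    return r

def _in_range(port: int, rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]

def matches(r: Rule, p: Packet) -> bool:
    return (r.chain == p.chain and (r.proto is None or r.proto == p.proto)
            and ip_address(p.src) in _net(r.src) and ip_address(p.dst) in _net(r.dst)
            and _in_range(p.sport, r.sport) and _in_range(p.dport, r.dport)
            and not (r.not_syn and p.syn))

def verdict(rules, policies, p: Packet) -> str:
    # ipchains semantics: the first matching rule in the chain wins, otherwise the policy
    for r in rules:
        if matches(r, p):
            return r.target
    return policies[p.chain]

ME, WEB = "65.12.32.122", "198.51.100.10"   # WEB: a constructed remote web server

# Chypmunk's attempt (post #3): input policy DENY plus one rule for connections TO port 80.
OP_RULES = [parse_rule("ipchains -A input -p tcp -s 0/0 --dport 80 -j ACCEPT")]
OP_POLICY = {"input": "DENY", "output": "ACCEPT"}
# Raz's "talk to other websites" pair (post #14) under the REJECT policies of post #7.
RAZ_RULES = [parse_rule(l) for l in (
    "ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d 65.12.32.122 1023:65535 -j ACCEPT",
    "ipchains -A output -p tcp -s 0/0 1023:65535 --dport 80 -t 0x01 0x10 -j ACCEPT")]
RAZ_POLICY = {"input": "REJECT", "output": "REJECT"}
# Post #15 taken literally: local ports 1023:65535 left open with no "! -y" qualifier.
NAIVE_RULES = [parse_rule("ipchains -A input -p tcp -s 0/0 -d 65.12.32.122 1023:65535 -j ACCEPT")]

def browse_request(rules, policy):   # our SYN from local port 1030 to the web server's port 80
    return verdict(rules, policy, Packet("output", "tcp", ME, 1030, WEB, 80, syn=True))

def browse_reply(rules, policy):     # the server's SYN/ACK back: source port 80 -> local 1030
    return verdict(rules, policy, Packet("input", "tcp", WEB, 80, ME, 1030))

def new_conn_to_high_port(rules, policy):   # a NEW inbound connection to local 6000 from source port 80
    return verdict(rules, policy, Packet("input", "tcp", WEB, 80, ME, 6000, syn=True))

if __name__ == "__main__":
    for who, rules, pol in (("Chypmunk", OP_RULES, OP_POLICY), ("Raz", RAZ_RULES, RAZ_POLICY)):
        print(who, browse_request(rules, pol), browse_reply(rules, pol), new_conn_to_high_port(rules, pol))
    print("1023:65535 open without '! -y':", new_conn_to_high_port(NAIVE_RULES, RAZ_POLICY))
```

Running it shows the three verdicts side by side: with Chypmunk's rule the outbound request leaves (output policy ACCEPT) but the server's reply to local port 1030 hits the DENY policy, which is exactly the "0k received" symptom; with Raz's pair the request and its reply are both accepted while a new connection to port 6000 is rejected, because "! -y" excludes SYN packets; and with the high ports opened without "! -y" that same new connection is accepted, which is the security issue post #15 asks about.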
 
All times are GMT -5. The time now is 03:41 AM.