IPCHAINS

Pete Nesbitt pete at linux1.ca
Wed Jul 21 13:05:56 UTC 2004


On July 20, 2004 11:59 pm, Duncan wrote:
> ----- Original Message -----
> From: "Pete Nesbitt" <pete at linux1.ca>
> To: "Duncan" <drack at mweb.co.zw>; "General Red Hat Linux discussion list"
> <redhat-list at redhat.com>
> Sent: Wednesday, July 21, 2004 6:59 AM
> Subject: Re: IPCHAINS
>
> > On July 19, 2004 11:23 pm, Duncan wrote:
> > > > On July 19, 2004 12:00 am, Duncan wrote:
> > > > > Still this simple firewall is not allowing traffic from my ISP and the
> > > > > CLIENT but traffic on the LAN is flowing, all I want to do is allow
> > > > > traffic from me to the client, the client has squid so there is no
> > > > > need for masquerading. How do I do that with this firewall.
> > > > >
> > > > > # Setting default to deny all
> > > > >   /sbin/ipchains -P input   DENY
> > > > >   /sbin/ipchains -P output  DENY
> > > > >   /sbin/ipchains -P forward DENY
> > > > >
> > > > >
> > > > > #allowing localhost
> > > > >   /sbin/ipchains -A input  -j ACCEPT -p all -s localhost -d localhost -i lo
> > > > >   /sbin/ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo
> > > > >
> > > > > #Deny packets from internet claiming to be from localhost and log
> > > > >   /sbin/ipchains -A input  -j REJECT -p all -s localhost -i ppp0 -l
> > > > >
> > > > > #Deny packets that mimic internal IPs and log
> > > > >   /sbin/ipchains -A input -j REJECT -p all -s clientLAN/24 -i ppp0 -l
> > > > >
> > > > > #Allow packets from ISP
> > > > >   /sbin/ipchains -A input -j ACCEPT -p all -s ISPrange/24 -d clientLAN/24 -i ppp0
> > > > >
> > > > > #Allow packets from LAN
> > > > >   /sbin/ipchains -A output -j ACCEPT -p all -s client/24 -d ISPrange/24 -i ppp0
> > > > >
> > > > > #Allow outgoing packets thru internal interface
> > > > >   /sbin/ipchains -A input  -j ACCEPT -p all -s clientLAN/24 -i eth0
> > > > >   /sbin/ipchains -A output -j ACCEPT -p all -s clientLAN/24 -i eth0
> > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Duncan" <drack at mweb.co.zw>
> > > > > > To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
> > > > > > Sent: Friday, July 16, 2004 9:10 AM
> > > > > > Subject: IPCHAINS
> > > > > >
> > > > > > would the following ipchains stop tcp connections from anyone else
> > > > > > other than iprange, the ips in LAN 195.167.2.0/24
> > > > > >
> > > > > > /sbin/ipchains -F
> > > > > > /sbin/ipchains -P input -p tcp DENY
> > > > > > /sbin/ipchains -A input -p tcp  -s iprange/24 -d 195.167.2.0/24 -j ACCEPT
> > > > > > /sbin/ipchains -A input -p udp  -s iprange/24 -d 195.167.2.0/24 -j ACCEPT
> > > > > > /sbin/ipchains -A input -p icmp -s iprange/24 -d 195.167.2.0/24 -j ACCEPT
> > > > > >
> > > > > > Please advise
> > > > > >
> > > > > > ---------------------------
> > > > > > Duncan Rack
> > >
> > > ----- Original Message -----
> > > From: "Pete Nesbitt" <pete at linux1.ca>
> > > To: "Duncan" <drack at mweb.co.zw>; "General Red Hat Linux discussion
> > > list" <redhat-list at redhat.com>
> > > Sent: Tuesday, July 20, 2004 3:07 AM
> > > Subject: Re: IPCHAINS
> > >
> > > > Hi Duncan,
> > > > I'm not sure I understand the whole layout, but if you're using both ppp and
> > > > Ethernet, you will also need to add FORWARD rules to connect traffic
> > > > going between them (if needed). IPchains was a bit more involved than IPtables is
> > > > because instead of just having a forward rule for routed packets,
> > > > IPchains requires you set an input->forward->output set of rules.
> > > >
> > > > You may be best to post the exact scenario (who is on what interface and who
> > > > they need to talk to), as well as the whole rules script.
> > > >
> > > > Is there a reason you're using ipchains and not iptables?
> > > > --
> > > > Pete Nesbitt, rhce
> > >
> > > Hi Pete,
> > >
> > > Thanks, the box has RH6.2, I guess I am kind of more familiar with
> > > ipchains. The whole idea is to allow the LAN to communicate thru the linux
> > > box with the ISP thru any ports and vice versa and then disallow
> > > traffic from ANY outsider.
> > > 1) The linux box already has squid and what I don't know now is if I put
> > > forward rules, won't it mean there will be IP masquerading i.e. every
> > > machine will be able to browse and do anything and hence complicate the
> > > firewall, more rules, port specifications etc...
> > > 2) is there anything amiss with the firewall though? It's working as far as
> > > the LAN but when it comes to communicating with the ISP ....NOTHING !!!!
> > >
> > > Please help!!!
> >
> > Hi Duncan,
> > IP Masquerading is separate from the 'forward' routing rules. As long as your
> > internal network's IPs are valid IPs you can use on the Internet (i.e. you
> > own) and your ISP routes them for you, you don't need masquerading. There is
> > no difference on the LAN side of the firewall, as right now all machines
> > could browse the internet if forwarding is in place. So, no I don't think it
> > would complicate your firewall.
> >
> > So I see the network as this:
> >
> > LAN <ethernet> FW <ppp> ISP <-> Internet
> >
> > As long as the LAN boxes have the fw as default gateways, and the fw has the
> > PPP connection to the ISP as its default gateway, your rules should be fine.
> > You'll need to walk each connection thru the fw using an 'input, forward,
> > output' path. Your basic rules look like they will work once the 'paths' are
> > complete. Does your ISP range need to be allowed to initiate a session or is
> > that so you can get to them for proxy or something? If so you should set them
> > up to not allow syn packets inbound to your LAN. You may also want to add ssh
> > from your workstation to the fw.
> >
> > Hope that helps.
> > --
> > Pete Nesbitt, rhce
>
> Hi Pete,
>
> I guess I just have to try what you are saying, it really does make sense.
> The thing is I just wanted the firewall to be so simple that it would not
> involve many modifications in the future should someone want some changes.
>
> Thanks a million. Someone had said if you noticed that forwarding is not
> necessary. Thanks

Hi Duncan,
You will also need to activate forwarding by putting the value '1' in
"/proc/sys/net/ipv4/ip_forward"
This can be done in /etc/sysctl.conf, there is probably a line like:
net.ipv4.ip_forward = 0, so make it =1.
If 6.2 doesn't have that, you can add to the top of your fw rules:
'echo "1" > /proc/sys/net/ipv4/ip_forward'

If IPtables uses less complicated rules, you really should have a look at it 
at www.netfilter.org
-- 
Pete Nesbitt, rhce
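As an added example (not part of this thread, nor Red Hat's or ipchains' own code), here is a small Python model of the input -> forward -> output traversal Pete describes, applied to rules modelled on Duncan's script. The 195.167.2.0/24 LAN is from the thread; the ISP range 203.0.113.0/24, the sample packets and all function names are constructed assumptions, and the chain semantics are simplified to "first matching rule wins, otherwise the chain policy".

```python
# Added example (not from the thread): toy model of ipchains' input->forward->output traversal.
from ipaddress import ip_address, ip_network

def rule(target, src="0.0.0.0/0", dst="0.0.0.0/0", iface=None, syn=False):
    # One rule: -j target -s src -d dst -i iface [-y]; -y matches only TCP SYN (session start)
    return {"target": target, "src": src, "dst": dst, "iface": iface, "syn": syn}

def matches(r, pkt, iface):
    # -i is the arriving interface in 'input' but the outgoing interface in forward/output
    return (ip_address(pkt["src"]) in ip_network(r["src"])
            and ip_address(pkt["dst"]) in ip_network(r["dst"])
            and r["iface"] in (None, iface) and (not r["syn"] or pkt["syn"]))

class IpChains:
    def __init__(self):
        self.policy = "DENY"                               # -P input/forward/output DENY
        self.rules = {"input": [], "forward": [], "output": []}

    def add(self, chain, r):                               # /sbin/ipchains -A chain ...
        self.rules[chain].append(r)
    def verdict(self, chain, pkt, iface):                  # first matching rule wins, else policy
        return next((r["target"] for r in self.rules[chain] if matches(r, pkt, iface)), self.policy)
    def walk(self, pkt, in_if, out_if, ip_forward=True):
        """Routed packet: input -> forward -> output. Returns (chain, verdict) where it ends."""
        for chain, iface in (("input", in_if), ("forward", out_if), ("output", out_if)):
            if chain == "forward" and not ip_forward:      # /proc/sys/net/ipv4/ip_forward is 0
                return chain, "NOT ROUTED (ip_forward=0)"
            v = self.verdict(chain, pkt, iface)
            if v != "ACCEPT" or chain == "output":
                return chain, v

LAN, ISP = "195.167.2.0/24", "203.0.113.0/24"  # LAN from the thread; ISP range is a constructed placeholder
LAN_SYN = {"src": "195.167.2.10", "dst": "203.0.113.5", "syn": True}  # constructed: LAN host opens a session
ISP_SYN = {"src": "203.0.113.5", "dst": "195.167.2.10", "syn": True}  # constructed: ISP host opens a session

def duncan_ruleset():
    """Modelled on Duncan's posted script: input/output entries only, nothing in 'forward'."""
    fw = IpChains()
    fw.add("input", rule("ACCEPT", src=LAN, iface="eth0"))
    fw.add("output", rule("ACCEPT", src=LAN, dst=ISP, iface="ppp0"))
    fw.add("input", rule("ACCEPT", src=ISP, dst=LAN, iface="ppp0"))
    fw.add("output", rule("ACCEPT", src=ISP, dst=LAN, iface="eth0"))
    return fw

def complete_paths(fw):
    """Pete's advice: add the forward leg each way, refusing ISP-initiated SYNs toward the LAN."""
    fw.add("forward", rule("ACCEPT", src=LAN, dst=ISP, iface="ppp0"))
    fw.add("forward", rule("DENY", src=ISP, dst=LAN, iface="eth0", syn=True))
    fw.add("forward", rule("ACCEPT", src=ISP, dst=LAN, iface="eth0"))
    return fw
```

Walking `LAN_SYN` through `duncan_ruleset()` stops at the empty forward chain (or at the routing step when `ip_forward=False`), while `complete_paths()` lets it through and still drops an ISP-initiated SYN in the forward chain.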




