IPCHAINS

Pete Nesbitt pete at linux1.ca
Wed Jul 21 04:59:06 UTC 2004


On July 19, 2004 11:23 pm, Duncan wrote:
> > On July 19, 2004 12:00 am, Duncan wrote:
> > > Still this simple firewall is not allowing traffic from my ISP and the
> > > CLIENT but traffic on the LAN is flowing. All I want to do is allow
> > > traffic from me to the client; the client has squid so there is no
> > > need for masquerading. How do I do that with this firewall?
> > >
> > > # Setting default to deny all
> > >   /sbin/ipchains -P input   DENY
> > >   /sbin/ipchains -P output  DENY
> > >   /sbin/ipchains -P forward DENY
> > >
> > >
> > > #allowing localhost
> > >   /sbin/ipchains -A input  -j ACCEPT -p all -s localhost -d localhost -i lo
> > >   /sbin/ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo
> > >
> > > #Deny packets from internet claiming to be from localhost and log
> > >   /sbin/ipchains -A input  -j REJECT -p all -s localhost  -i ppp0 -l
> > >
> > > #Deny packets that mimic internal IPs and log
> > >   /sbin/ipchains -A input -j REJECT -p all -s clientLAN/24 -i ppp0 -l
> > >
> > > #Allow packets from ISP
> > >   /sbin/ipchains -A input -j ACCEPT -p all -s ISPrange/24  -d clientLAN/24   -i ppp0
> > >
> > > #Allow packets from LAN
> > >   /sbin/ipchains -A output  -j ACCEPT -p all -s client/24 -d ISPrange/24 -i ppp0
> > >
> > > #Allow outgoing packets thru internal interface
> > >    /sbin/ipchains -A input   -j ACCEPT -p all -s clientLAN/24 -i eth0
> > >    /sbin/ipchains -A output  -j ACCEPT -p all -s clientLAN/24 -i eth0
> > >
> > > > ----- Original Message -----
> > > > From: "Duncan" <drack at mweb.co.zw>
> > > > To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
> > > > Sent: Friday, July 16, 2004 9:10 AM
> > > > Subject: IPCHAINS
> > > >
> > > >
> > > > would the following ipchains stop tcp connections from anyone else other
> > > > than iprange, the IPs in LAN 195.167.2.0/24?
> > > >
> > > > /sbin/ipchains -F
> > > > /sbin/ipchains -P input -p tcp DENY
> > > > /sbin/ipchains -A input -p tcp   -s  iprange/24  -d 195.167.2.0/24   -j ACCEPT
> > > > /sbin/ipchains -A input -p udp   -s  iprange/24  -d 195.167.2.0/24   -j ACCEPT
> > > > /sbin/ipchains -A input -p icmp  -s  iprange/24  -d 195.167.2.0/24   -j ACCEPT
> > > >
> > > > Please advise
> > > >
> > > > ---------------------------
> > > > Duncan Rack
>
> ----- Original Message -----
> From: "Pete Nesbitt" <pete at linux1.ca>
> To: "Duncan" <drack at mweb.co.zw>; "General Red Hat Linux discussion list"
> <redhat-list at redhat.com>
> Sent: Tuesday, July 20, 2004 3:07 AM
> Subject: Re: IPCHAINS
>
> > Hi Duncan,
> > I'm not sure I understand the whole layout, but if you're using both ppp and
> > Ethernet, you will also need to add FORWARD rules to connect traffic
> > going between them (if needed). IPchains was a bit more involved than
> > IPtables is because instead of just having a forward rule for routed packets,
> > IPchains requires you set an input->forward->output set of rules.
> >
> > You may be best to post the exact scenario (who is on what interface and who
> > they need to talk to), as well as the whole rules script.
> >
> > Is there a reason you're using ipchains and not iptables?
> > --
> > Pete Nesbitt, rhce
>
> Hi Pete,
>
> Thanks, the box has RH6.2, I guess I am kind of more familiar with
> ipchains. The whole idea is to allow the LAN to communicate thru the linux
> box with the ISP thru any ports and vice versa and then disallow traffic
> from ANY outsider.
> 1) The linux box already has squid and what I don't know now is if I put
> forward rules, won't it mean there will be IP masquerading, i.e. every
> machine will be able to browse and do anything and hence complicate the
> firewall, more rules, port specifications etc...
> 2) Is there anything amiss with the firewall though? It's working as far as
> the LAN but when it comes to communicating with the ISP ....NOTHING !!!!
>
> Please help!!!


Hi Duncan,
IP Masquerading is separate from the 'forward' routing rules. As long as your 
internal network's IPs are valid IPs you can use on the Internet (i.e. you 
own) and your ISP routes them for you, you don't need masquerading. There is 
no difference on the LAN side of the firewall, as right now all machines 
could browse the internet if forwarding is in place. So, no I don't think it 
would complicate your firewall.

So I see the network as this:

LAN <ethernet> FW <ppp> ISP <-> Internet

As long as the LAN boxes have the fw as default gateways, and the fw has the 
PPP connection to the ISP as its default gateway, your rules should be fine.

You'll need to walk each connection thru the fw using an 'input, forward, 
output' path. Your basic rules look like they will work once the 'paths' are 
complete. Does your ISP range need to be allowed to initiate a session, or is 
that so you can get to them for proxy or something? If so, you should set them 
up to not allow syn packets inbound to your LAN. You may also want to add ssh 
from your workstation to the fw.
 
Hope that helps.
-- 
Pete Nesbitt, rhce
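As an added illustration of the input -> forward -> output walk described in the reply above, here is one way to lay out Duncan's ruleset so that each direction of traffic has a complete path through the fw. This is an example written for this page, not a script posted by either participant. It assumes placeholder addresses for clientLAN (192.0.2.0/24), ISPrange (198.51.100.0/24) and the admin workstation (192.0.2.10), the interfaces eth0 and ppp0 from the thread, and ipchains' -y match for TCP SYN packets. By default it only echoes the commands it would run; set IPCHAINS=/sbin/ipchains to apply them.

```shell
#!/bin/sh
# Added example: Duncan's ruleset laid out as input -> forward -> output paths.
# Addresses below are assumed placeholders standing in for clientLAN/24,
# ISPrange/24 and the admin workstation from the thread.
LAN=${LAN:-192.0.2.0/24}          # routable LAN addresses, so no masquerading
ISP=${ISP:-198.51.100.0/24}       # the ISP range the LAN may talk to
ADMIN=${ADMIN:-192.0.2.10}        # workstation allowed to ssh to the fw itself
LAN_IF=eth0
PPP_IF=ppp0
# Dry run by default: print each command. Set IPCHAINS=/sbin/ipchains to apply.
IPCHAINS=${IPCHAINS:-echo /sbin/ipchains}

ic() { $IPCHAINS "$@"; }

build_rules() {
    ic -F
    ic -P input DENY
    ic -P output DENY
    ic -P forward DENY

    # loopback
    ic -A input  -i lo -j ACCEPT
    ic -A output -i lo -j ACCEPT

    # anti-spoofing on the ppp link: drop and log packets claiming to be local
    ic -A input -i $PPP_IF -s 127.0.0.0/8 -j DENY -l
    ic -A input -i $PPP_IF -s $LAN -j DENY -l

    # ssh from the admin workstation to the firewall box itself (port 22)
    ic -A input  -i $LAN_IF -p tcp -s $ADMIN -d 0.0.0.0/0 22 -j ACCEPT
    ic -A output -i $LAN_IF -p tcp -s 0.0.0.0/0 22 -d $ADMIN -j ACCEPT

    # LAN -> ISP: arrives on eth0 (input), is routed out ppp0 (forward),
    # and leaves on ppp0 (output). In the forward chain -i is the OUTGOING interface.
    ic -A input   -i $LAN_IF -s $LAN -d $ISP -j ACCEPT
    ic -A forward -i $PPP_IF -s $LAN -d $ISP -j ACCEPT
    ic -A output  -i $PPP_IF -s $LAN -d $ISP -j ACCEPT

    # ISP -> LAN: replies are allowed, but new TCP sessions (SYN set) coming
    # from the ISP side are denied and logged, so the ISP cannot initiate.
    ic -A input   -i $PPP_IF -p tcp -y -s $ISP -d $LAN -j DENY -l
    ic -A input   -i $PPP_IF -s $ISP -d $LAN -j ACCEPT
    ic -A forward -i $LAN_IF -s $ISP -d $LAN -j ACCEPT
    ic -A output  -i $LAN_IF -s $ISP -d $LAN -j ACCEPT
}

build_rules
```

Note that the SYN deny must come before the broad ISP -> LAN accept in the input chain, since ipchains stops at the first matching rule; UDP and ICMP from the ISP side still pass under this layout, so tighten those rules if the ISP only needs to answer LAN-initiated traffic.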