IPCHAINS

Duncan drack at mweb.co.zw
Wed Jul 21 06:59:03 UTC 2004


----- Original Message ----- 
From: "Pete Nesbitt" <pete at linux1.ca>
To: "Duncan" <drack at mweb.co.zw>; "General Red Hat Linux discussion list"
<redhat-list at redhat.com>
Sent: Wednesday, July 21, 2004 6:59 AM
Subject: Re: IPCHAINS


> On July 19, 2004 11:23 pm, Duncan wrote:
> > > On July 19, 2004 12:00 am, Duncan wrote:
> > > > Still this simple firewall is not allowing traffic from my ISP and the
> > > > CLIENT but traffic on the LAN is flowing, all i want to do is allow
> > > > traffic from me to the client, the client has squid so there is no
> > > > need for masquerading. How do i do that with this firewall.
> > > >
> > > > # Setting default to deny all
> > > >   /sbin/ipchains -P input   DENY
> > > >   /sbin/ipchains -P output  DENY
> > > >   /sbin/ipchains -P forward DENY
> > > >
> > > >
> > > > #allowing localhost
> > > >   /sbin/ipchains -A input  -j ACCEPT -p all -s localhost -d localhost -i lo
> > > >   /sbin/ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo
> > > >
> > > > #Deny packets from internet claiming to be from localhost and log
> > > >   /sbin/ipchains -A input  -j REJECT -p all -s localhost  -i ppp0 -l
> > > >
> > > > #Deny packets that mimic internal IPs and log
> > > >   /sbin/ipchains -A input -j REJECT -p all -s clientLAN/24 -i ppp0 -l
> > > >
> > > > #Allow packets from ISP
> > > >   /sbin/ipchains -A input -j ACCEPT -p all -s ISPrange/24  -d clientLAN/24   -i ppp0
> > > >
> > > > #Allow packets from LAN
> > > >   /sbin/ipchains -A output  -j ACCEPT -p all -s client/24 -d ISPrange/24 -i ppp0
> > > >
> > > > #Allow outgoing packets thru internal interface
> > > >    /sbin/ipchains -A input   -j ACCEPT -p all -s clientLAN/24 -i eth0
> > > >    /sbin/ipchains -A output  -j ACCEPT -p all -s clientLAN/24 -i eth0
> > > >
> > > > > ----- Original Message -----
> > > > > From: "Duncan" <drack at mweb.co.zw>
> > > > > To: "General Red Hat Linux discussion list"
<redhat-list at redhat.com>
> > > > > Sent: Friday, July 16, 2004 9:10 AM
> > > > > Subject: IPCHAINS
> > > > >
> > > > >
> > > > > would the following ipchains stop tcp connections from anyone else other
> > > > > than iprange , the ips in LAN 195.167.2.0/24
> > > > >
> > > > > /sbin/ipchains -F
> > > > > /sbin/ipchains -P input -p tcp DENY
> > > > > /sbin/ipchains -A input -p tcp   -s  iprange/24  -d 195.167.2.0/24   -j ACCEPT
> > > > > /sbin/ipchains -A input -p udp   -s  iprange/24  -d 195.167.2.0/24   -j ACCEPT
> > > > > /sbin/ipchains -A input -p icmp  -s  iprange/24  -d 195.167.2.0/24   -j ACCEPT
> > > > >
> > > > > Please advice
> > > > >
> > > > > ---------------------------
> > > > > Duncan Rack
> >
> > ----- Original Message -----
> > From: "Pete Nesbitt" <pete at linux1.ca>
> > To: "Duncan" <drack at mweb.co.zw>; "General Red Hat Linux discussion list"
> > <redhat-list at redhat.com>
> > Sent: Tuesday, July 20, 2004 3:07 AM
> > Subject: Re: IPCHAINS
> >
> > > Hi Duncan,
> > > I'm not sure I understand the whole layout, but if you're using both ppp and
> > > Ethernet, you will also need to add FORWARD rules to connect traffic
> > > going between them (if needed). IPchains was a bit more involved than
> > > IPtables is because instead of just having a forward rule for routed packets,
> > > IPchains requires you set an input->forward->output set of rules.
> > >
> > > You may be best to post the exact scenario (who is on what interface and who
> > > they need to talk to), as well as the whole rules script.
> > >
> > > Is there a reason you're using ipchains and not iptables?
> > > --
> > > Pete Nesbitt, rhce
> >
> > Hi Pete,
> >
> > Thanks, the box has RH6.2, i guess i am kind of more familiar with
> > ipchains. The whole idea is to allow the LAN to communicate thru the linux
> > box with the ISP thru any ports and vice versa and then disallow traffic
> > from ANY outsider.
> > 1) The linux box already has squid and what i don't know now is if i put
> > forward rules, won't it mean there will be IP masquerading i.e. every
> > machine will be able to browse and do anything and hence complicate the
> > firewall, more rules, port specifications etc...
> > 2) is there anything amiss with the firewall though? its working as far as
> > the LAN but when it comes to communicating with the ISP ....NOTHING !!!!
> >
> > Please help!!!
>
>
> Hi Duncan,
> IP Masquerading is separate from the 'forward' routing rules. As long as your
> internal network's IPs are valid IPs you can use on the Internet (i.e. you
> own) and your ISP routes them for you, you don't need masquerading. There is
> no difference on the LAN side of the firewall, as right now all machines
> could browse the internet if forwarding is in place. So, no I don't think it
> would complicate your firewall.
>
> So I see the network as this:
>
> LAN <ethernet> FW <ppp> ISP <-> Internet
>
> As long as the LAN boxes have the fw as default gateways, and the fw has the
> PPP connection to the ISP as its default gateway, your rules should be fine.
>
> You'll need to walk each connection thru the fw using an 'input, forward,
> output' path. Your basic rules look like they will work once the 'paths' are
> complete. Does your ISP range need to be allowed to initiate a session or is
> that so you can get to them for proxy or something? If so you should set them
> up to not allow syn packets inbound to your LAN. You may also want to add ssh
> from your workstation to the fw.
>
> Hope that helps.
> -- 
> Pete Nesbitt, rhce

Hi Pete,

I guess i just have to try what you are saying, it really does make sense.
The thing is i just wanted the firewall to be so simple that it would not
involve many modifications in the future should someone want some changes.

Thanks a million. Someone had said, if you noticed, that forwarding is not
necessary. Thanks
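To see why the LAN side works while nothing reaches the ISP, here is an added Python model (not from this thread, and not the ipchains tool itself) of how ipchains walks a routed packet through input, forward and output, with Duncan's posted rules beside the extra rules Pete describes. The LAN 195.167.2.0/24 is from the thread; the ISP range 203.0.113.0/24 and the host addresses are constructed placeholders, and the `syn` flag only approximates ipchains' `-y` match.

```python
from ipaddress import ip_address, ip_network

# Constructed model of ipchains chain traversal (not the real tool). A routed
# packet walks input -> forward -> output, each chain first-match-wins, else the
# chain policy. "-i" is the incoming iface on input, the outgoing one elsewhere.
class Rule:
    def __init__(self, target, src="0.0.0.0/0", dst="0.0.0.0/0",
                 iface=None, proto=None, syn=False):          # syn approximates -y
        self.target, self.src, self.dst = target, ip_network(src), ip_network(dst)
        self.iface, self.proto, self.syn = iface, proto, syn
    def matches(self, pkt, iface):
        return (ip_address(pkt["src"]) in self.src and ip_address(pkt["dst"]) in self.dst
                and self.iface in (None, iface) and self.proto in (None, pkt["proto"])
                and (not self.syn or pkt.get("syn", False)))

class Firewall:
    def __init__(self, policy="DENY"):                         # ipchains -P <chain> DENY
        self.policy, self.rules = policy, {"input": [], "forward": [], "output": []}
    def add(self, chain, *a, **kw):                            # ipchains -A <chain> ...
        self.rules[chain].append(Rule(*a, **kw))
    def walk(self, chain, pkt, iface):
        return next((r.target for r in self.rules[chain] if r.matches(pkt, iface)), self.policy)
    def route(self, pkt):
        # Verdict for a packet the box forwards from pkt["in"] to pkt["out"].
        for chain, iface in (("input", pkt["in"]), ("forward", pkt["out"]), ("output", pkt["out"])):
            verdict = self.walk(chain, pkt, iface)
            if verdict != "ACCEPT":
                return f"{verdict} in {chain}"
        return "ACCEPT"

LAN, ISP = "195.167.2.0/24", "203.0.113.0/24"   # ISP range is a constructed placeholder

def duncan_rules():
    # The posted ruleset: input and output rules only, nothing in forward.
    fw = Firewall("DENY")
    fw.add("input",  "ACCEPT", src=ISP, dst=LAN, iface="ppp0")
    fw.add("output", "ACCEPT", src=LAN, dst=ISP, iface="ppp0")
    fw.add("input",  "ACCEPT", src=LAN, iface="eth0")
    fw.add("output", "ACCEPT", src=LAN, iface="eth0")
    return fw

def pete_rules():
    # Walk both directions through forward and output, and refuse ISP-initiated SYNs.
    fw = duncan_rules()
    fw.rules["input"].insert(0, Rule("DENY", src=ISP, dst=LAN, iface="ppp0", proto="tcp", syn=True))
    fw.add("forward", "ACCEPT", src=LAN, dst=ISP, iface="ppp0")
    fw.add("forward", "ACCEPT", src=ISP, dst=LAN, iface="eth0")
    fw.add("output",  "ACCEPT", src=ISP, dst=LAN, iface="eth0")  # reply path the posted set lacks
    return fw

LAN_TO_ISP = {"src": "195.167.2.10", "dst": "203.0.113.5", "proto": "tcp", "syn": True, "in": "eth0", "out": "ppp0"}
ISP_REPLY = {"src": "203.0.113.5", "dst": "195.167.2.10", "proto": "tcp", "syn": False, "in": "ppp0", "out": "eth0"}
```

With the posted rules `duncan_rules().route(LAN_TO_ISP)` ends in the forward chain's DENY policy, which is exactly the "LAN works, ISP gets nothing" symptom; `pete_rules()` accepts both directions and still rejects a SYN arriving from the ISP range.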