Complete.Org: Mailing Lists: Archives: linux-help: March 2002:
[linux-help] Re: Networking problems -
To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: Networking problems -
From: Jeff Vian <jvian10@xxxxxxxxxxx>
Date: Mon, 25 Mar 2002 21:27:09 -0600
Reply-to: linux-help@xxxxxxxxx

Bob Goodwin wrote:
> 
> Jeff Vian wrote:
> 
> > what are the rules for ipchains?
> 
> [root@localhost root]# ipchains -L
> Chain input (policy DENY):

This is good, but may be the source of the problem.  It denies any and
all connections that are not explicitly allowed. Thus anything that does
not meet one of the ALLOW rules below will be blocked.
With this policy, you must have a rule that explicitly matches or the
packet will be blocked. It will check every packet against every rule
until it finds one that matches or it reaches the end of the chain.


My input policy is ALLOW, and I use portsentry with a limited number of
services running to block inputs.  Any probe to one of the ports that
portsentry monitors results in a DENY rule for the probing host
automatically. Then portsentry is set to ignore those hosts I explicitly
want to have access on the monitored ports.


> target     prot opt     source                destination           ports
> ACCEPT     udp  ------  ns3.tampabay.rr.com  anywhere              domain ->   1025:65535
> ACCEPT     udp  ------  ns1.tampabay.rr.com  anywhere              domain ->   1025:65535
> ACCEPT     udp  ------  ns2.tampabay.rr.com  anywhere              domain ->   1025:65535
> ACCEPT     all  ------  localhost.localdomain localhost.localdomain  n/a

This seems OK. Mine is set up similarly by pump and ipchains.

I am running a caching nameserver on the firewall machine and doing
ipmasquerading as well.
The gateway/firewall acts as nameserver for the internal network.
I am running tripwire and portsentry as well, which help me keep the
system free of attack and tell me if it does become compromised.


> ACCEPT     tcp  !y----  anywhere             anywhere              any ->   any

This will meet all packets that are not SYN packets. Thus it allows only
communications after the connection is made, and blocks the SYN packets
that set up the connection.
With a DENY policy this will block all input TCP connections.

> ACCEPT     tcp  ------  anywhere             anywhere              any ->   ssh
> ACCEPT     udp  ------  anywhere             anywhere              domain ->   any

This one opens up the input chain to ANY UDP packets originating on port
53.

> ACCEPT     udp  ------  anywhere             anywhere              bootps ->   any
> ACCEPT     udp  ------  anywhere             anywhere              bootpc ->   any

Why bootp?  Are you running a bootp server?

> ACCEPT     icmp ------  anywhere             anywhere              any ->   any

> Chain forward (policy DENY):

This is good. If you are needing ipmasquerading add a chain to allow
forwarding only from your internal network, and only those that are
received on the internal NIC, to prevent ip spoofing attacks.

> Chain output (policy ACCEPT):

This is good, and should allow you to connect to everything FROM this
box to ANY other box.

You do not say if box1 and box2 each have an independent internet
connection.
If they do, each box needs a similar set of ipchains rules.
My default config for ipchains, with ipmasquerading active, and a
private network behind the firewall, is this.

The difference between my input chain and yours is this:
Every rule is parsed. If an explicit match is found the target action is
taken.
If the end of the chain is reached without a match the packet is
allowed.
Thus mine is mostly open while yours is mostly closed.

Chain input (policy ACCEPT):
target     prot opt     source                destination   ports
DENY       all  ----l-  168.212.90.12      anywhere        n/a
DENY       all  ----l-  211.192.100.15     anywhere        n/a
(these 2 lines above are examples of lines added by portsentry)
ACCEPT     udp  ------  nr1.ftwrth.tx.charter.com  anywhere     domain ->   1025:65535
ACCEPT     udp  ------  nr2.ftwrth.tx.charter.com  anywhere     domain ->   1025:65535
(these 2 lines above are redundant because of the ACCEPT policy, but are
added by pump and/or bind)
Chain output (policy ACCEPT):
Chain forward (policy DENY):
target     prot opt     source                destination   ports
MASQ       all  ------  192.168.2.0/24      anywhere       n/a

> 
> >
> >
> >   as root use    'ipchains -L'   to list all rules.
> > then look for the policy and specific rules for each of the default
> > chains
> >      forward
> >      input
> >      output
> > --
> 
> Those are the rules from this box, ought to be the same on both?  I'm
> not sure I understand all the notation.
> 
> Please excuse the delay in getting back, I had some other problems, not
> the least of which was the road runner system requiring that I fire up
> another computer, and fix Windows in order to run their diagnostic
> software since they weren't answering their phone and I didn't know if
> they were down or if I broke something.  Things are back to normal
> again.
> 
> Bob G -
> 
> -- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
> visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
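The following script is an added example, not code from the thread or from either poster. It builds an ipchains ruleset of the kind Jeff describes: input policy DENY with explicit ACCEPT rules (the non-SYN rule for established TCP, ssh as the one new inbound service, DNS replies only from known nameservers), and a forward chain that masquerades only the internal network, with an input-chain rule that denies and logs packets that claim an internal source address but arrive on the external NIC. The interface names eth0/eth1, the 192.168.2.0/24 internal network (taken from Jeff's listing) and the nameserver addresses are assumptions; set IPCHAINS=echo to see the commands without applying them.

```shell
#!/bin/sh
# Added example (not from the thread): an ipchains ruleset along the lines
# Jeff describes, written as a script so it can be dry-run with IPCHAINS=echo.
# Assumptions: eth0 is the internet-facing NIC, eth1 the internal NIC,
# 192.168.2.0/24 the private network (as in Jeff's listing), and the
# nameserver addresses are constructed placeholders.

IPCHAINS="${IPCHAINS:-ipchains}"      # set IPCHAINS=echo to print instead of apply
EXT_IF="${EXT_IF:-eth0}"               # assumed external interface
INT_IF="${INT_IF:-eth1}"               # assumed internal interface
INT_NET="${INT_NET:-192.168.2.0/24}"   # internal network behind the firewall
NAMESERVERS="${NAMESERVERS:-192.0.2.53 192.0.2.54}"  # constructed addresses

apply_rules() {
    # Flush the three built-in chains so the script is repeatable
    $IPCHAINS -F input
    $IPCHAINS -F forward
    $IPCHAINS -F output

    # Same policies as Bob's listing: nothing gets in or through unless a
    # rule says so; anything originating on this box may leave.
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT

    # Loopback traffic
    $IPCHAINS -A input -i lo -j ACCEPT

    # Anti-spoofing: a packet claiming an internal source address but
    # arriving on the external NIC is forged; deny and log it (-l).
    $IPCHAINS -A input -i "$EXT_IF" -s "$INT_NET" -l -j DENY

    # Internal hosts reaching the gateway (DNS, masqueraded traffic)
    $IPCHAINS -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT

    # DNS replies: UDP from port 53 on a known nameserver to the
    # unprivileged ports the resolver uses, nothing more. Bob's
    # "anywhere domain -> any" rule has no such source restriction.
    for ns in $NAMESERVERS; do
        $IPCHAINS -A input -i "$EXT_IF" -p udp -s "$ns" 53 \
            -d 0.0.0.0/0 1024:65535 -j ACCEPT
    done

    # Established TCP: accept packets without the SYN flag (the "!y" rule).
    # With the DENY policy this alone leaves every inbound TCP connection
    # attempt blocked, which is what Jeff points out.
    $IPCHAINS -A input -p tcp ! -y -j ACCEPT

    # The one new inbound TCP service we allow: ssh
    $IPCHAINS -A input -p tcp -d 0.0.0.0/0 22 -j ACCEPT

    # ICMP (ping, and errors such as unreachable / fragmentation needed)
    $IPCHAINS -A input -p icmp -j ACCEPT

    # Masquerade only the internal network out of the external NIC. In the
    # ipchains forward chain -i names the outgoing interface; the check that
    # internal addresses really arrive on the internal NIC is the
    # input-chain anti-spoofing rule above.
    $IPCHAINS -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) IPCHAINS=echo; apply_rules ;;
esac
```

Run it as root with `apply` to load the rules, or with `dry-run` to print the ipchains commands it would issue. The order matters because, as Jeff notes, each packet is checked against the rules in sequence until one matches: the logged DENY for spoofed internal addresses sits before the ACCEPT rules so a forged packet never reaches them.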