Complete.Org: Mailing Lists: Archives: linux-help: March 2002:
[linux-help] Re: ipchains question
To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: ipchains question
From: Jeff Vian <jvian10@xxxxxxxxxxx>
Date: Tue, 26 Mar 2002 10:58:04 -0600
Reply-to: linux-help@xxxxxxxxx

Benjamin Bunck wrote:
> 
> On Mon, 25 Mar 2002, Jeff Vian wrote:
> 
> <snip>
> 
> >
> > > I like this idea, except don't I still have to be able to accept packets
> > > on the input chain for all of the web/ftp servers I connect to?  If so, I
> > > don't know if it would be efficient for me to add them to my script on a
> > > per-host basis.
> > >
> > > Thanks again,
> > >
> > > Ben
> > >
> 
> <snip>
> 
> >
> >
> > NO.
> > The link originates from you, thus it is an output connection and the
> > input rule does not apply.
> > The input rule applies to any connection that originates outside your
> > system.
> >
> >
> 
> Then why is it that I can ssh to, say, $SOMEONES_IP, but when I add the
> rule:
> 
> ipchains -A input -i eth0 -s $SOMEONES_IP -d 0.0.0.0/0 -j REJECT
> 
> to the beginning of my ipchains script, ssh to $SOMEONES_IP just hangs,
> and never connects?
> 

ssh is not the same as most connections.
With ssh, it requires a 2-way connection (as I understand it) for
security, so even though you originate the connection, it also requires a
connection that originates from the other end in reply. In other words,
you initiate the connection, but the other end has to initiate a
parallel connection to verify your address is not spoofed. The
connection is then handed off to the reply link, thus the input rule.

Try ftp or telnet with your input rule in place and you should see the
difference.

For ssh you will require a rule on the input chain that will allow the
connection.

ipchains -A input -i eth0 -s $SOMEONES_IP -d $YOUR_IP -j ACCEPT



> <snip>
> 
-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
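A constructed model of how ipchains evaluates a chain (stateless, first matching rule wins), added here as an example and not part of the thread. The addresses, the `-p tcp ! -y` rule and the helper names are assumptions, not from the posts. It shows why a REJECT at the head of the input chain stalls an ssh session you originate: the remote host's reply segments arrive on the input chain, so that chain must accept them, either for that one host (the ACCEPT rule above, placed before the REJECT) or, more generally, for any non-SYN TCP packet while still rejecting inbound connection attempts.

```python
# Constructed model of ipchains chain evaluation: no connection state,
# first matching rule decides, otherwise the chain policy applies.
SOMEONES_IP = "192.0.2.10"   # placeholder for $SOMEONES_IP (assumed value)
YOUR_IP = "192.0.2.1"        # placeholder for $YOUR_IP (assumed value)

def match(rule, pkt):
    """Every selector present in the rule must equal the packet field.
    Absent selectors match anything (like -d 0.0.0.0/0). 'init' models
    ipchains -y: True for a bare SYN (new connection), False for '! -y'."""
    return all(pkt[k] == v for k, v in rule.items() if k != "target")

def run_chain(chain, pkt, policy="ACCEPT"):
    """Walk the chain in -A order and return the first matching target."""
    for rule in chain:
        if match(rule, pkt):
            return rule["target"]
    return policy

def packet(src, dst, init):
    return dict(iface="eth0", proto="tcp", src=src, dst=dst, init=init)

def outbound_ssh(input_chain, output_chain):
    """TCP handshake of an ssh session you open to SOMEONES_IP.
    Returns 'connected' or the verdict that stopped it (ssh just hangs)."""
    steps = ((output_chain, packet(YOUR_IP, SOMEONES_IP, True)),   # SYN out
             (input_chain, packet(SOMEONES_IP, YOUR_IP, False)),   # SYN-ACK back
             (output_chain, packet(YOUR_IP, SOMEONES_IP, False)))  # ACK out
    for chain, pkt in steps:
        verdict = run_chain(chain, pkt)
        if verdict != "ACCEPT":
            return verdict
    return "connected"

def inbound_ssh_attempt(input_chain):
    """Verdict for a connection SOMEONES_IP tries to open to you."""
    return run_chain(input_chain, packet(SOMEONES_IP, YOUR_IP, True))

# ipchains -A input -i eth0 -s $SOMEONES_IP -d 0.0.0.0/0 -j REJECT
REJECT_RULE = dict(iface="eth0", src=SOMEONES_IP, target="REJECT")
# ipchains -A input -i eth0 -s $SOMEONES_IP -d $YOUR_IP -j ACCEPT
ACCEPT_RULE = dict(iface="eth0", src=SOMEONES_IP, dst=YOUR_IP, target="ACCEPT")
# Assumed generalisation: ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
ESTABLISHED_RULE = dict(iface="eth0", proto="tcp", init=False, target="ACCEPT")
# Assumed generalisation: ipchains -A input -i eth0 -p tcp -y -j REJECT
NO_NEW_INBOUND = dict(iface="eth0", proto="tcp", init=True, target="REJECT")

if __name__ == "__main__":
    print(outbound_ssh([REJECT_RULE], []))                       # REJECT
    print(outbound_ssh([ACCEPT_RULE, REJECT_RULE], []))          # connected
    print(outbound_ssh([ESTABLISHED_RULE, NO_NEW_INBOUND], []))  # connected
    print(inbound_ssh_attempt([ESTABLISHED_RULE, NO_NEW_INBOUND]))  # REJECT
```

Rule order matters: the ACCEPT for the host only helps when it is appended before the REJECT, since the first match decides.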

