Complete.Org: Mailing Lists: Archives: linux-help: March 2002:
[linux-help] Re: ipchains question
To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: ipchains question
From: Benjamin Bunck <bbunck@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 26 Mar 2002 10:59:02 -0600 (CST)
Reply-to: linux-help@xxxxxxxxx

On Tue, 26 Mar 2002, Jeff Vian wrote:

> 
> Benjamin Bunck wrote:
> > 
> > On Mon, 25 Mar 2002, Jeff Vian wrote:
> > 
> > <snip>
> > 
> > >
> > > > I like this idea, except don't I still have to be able to accept packets
> > > > on the input chain for all of the web/ftp servers I connect to?  If so, I
> > > > don't know if it would be efficient for me to add them to my script on a
> > > > per-host basis.
> > > >
> > > > Thanks again,
> > > >
> > > > Ben
> > > >
> > 
> > <snip>
> > 
> > >
> > >
> > > NO.
> > > The link originates from you, thus it is an output connection and the
> > > input rule does not apply.
> > > The input rule applies to any connection that originates outside your
> > > system.
> > >
> > >
> > 
> > Then why is it that I can ssh to, say, $SOMEONES_IP, but when I add the
> > rule:
> > 
> > ipchains -A input -i eth0 -s $SOMEONES_IP -d 0.0.0.0/0 -j REJECT
> > 
> > to the beginning of my ipchains script, ssh to $SOMEONES_IP just hangs,
> > and never connects?
> > 
> 
> ssh is not the same as most connections.
> With ssh it requires a 2-way connection (as I understand it) for
> security, so even though you originate the connection it also requires a
> connection that originates from the other end in reply. In other words,
> you initiate the connection, but the other end has to initiate a
> parallel connection to verify your address is not spoofed. The
> connection is then handed off to the reply link, thus the input rule.
> 
> Try ftp or telnet with your input rule in place and you should see the
> difference.
> 
> For ssh you will require a rule on the input chain that will allow the
> connection.
> 
>  ipchains -A input -i eth0 -s $SOMEONES_IP -d $YOUR_IP -j ACCEPT
> 
I'll give it a try...thanks for all of your help, Jeff!

Ben


-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
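Added example, not from the thread or its authors: a small Python model of stateless ipchains input/output chains. It shows why a blanket REJECT on the input chain for $SOMEONES_IP stalls an outbound ssh (the peer's SYN-ACK reply is an inbound packet and is checked by the input chain, as it is for any TCP service), and how the `-y` qualifier (match only packets with SYN set and ACK clear) rejects only connections the peer initiates while letting replies through. All addresses are constructed.

```python
"""Stateless packet filter in the style of ipchains (added example, constructed addresses).
Each rule: (chain, source CIDR, dest CIDR, syn_only, target); syn_only models the
ipchains -y flag, i.e. match only the first packet (SYN, no ACK) of a new connection."""
import ipaddress

YOUR_IP = "192.0.2.10"        # constructed: the host running the filter
SOMEONES_IP = "198.51.100.5"  # constructed: stands in for $SOMEONES_IP

def match(rule, pkt):
    _chain, src, dst, syn_only, _target = rule
    in_src = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
    in_dst = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst)
    new_conn = pkt["syn"] and not pkt["ack"]
    return in_src and in_dst and (new_conn or not syn_only)

def verdict(rules, chain, pkt):
    """First matching rule in the chain wins; default policy here is ACCEPT."""
    for rule in rules:
        if rule[0] == chain and match(rule, pkt):
            return rule[4]
    return "ACCEPT"

def outbound_ssh_connects(rules):
    """TCP handshake for a connection *you* start to SOMEONES_IP. Your SYN and
    final ACK traverse the output chain; the peer's SYN-ACK reply is an inbound
    packet and traverses the input chain like any other inbound packet."""
    syn = {"src": YOUR_IP, "dst": SOMEONES_IP, "syn": True, "ack": False}
    syn_ack = {"src": SOMEONES_IP, "dst": YOUR_IP, "syn": True, "ack": True}
    ack = {"src": YOUR_IP, "dst": SOMEONES_IP, "syn": False, "ack": True}
    return (verdict(rules, "output", syn) == "ACCEPT"
            and verdict(rules, "input", syn_ack) == "ACCEPT"
            and verdict(rules, "output", ack) == "ACCEPT")

def inbound_from_peer_connects(rules):
    """The peer starting a connection to you: its initial SYN hits the input chain."""
    syn = {"src": SOMEONES_IP, "dst": YOUR_IP, "syn": True, "ack": False}
    return verdict(rules, "input", syn) == "ACCEPT"

# The thread's rule: ipchains -A input -i eth0 -s $SOMEONES_IP -d 0.0.0.0/0 -j REJECT
BLOCK_ALL = [("input", SOMEONES_IP + "/32", "0.0.0.0/0", False, "REJECT")]
# Same rule restricted to connection-initiating packets (ipchains -y): replies still pass
BLOCK_NEW_ONLY = [("input", SOMEONES_IP + "/32", "0.0.0.0/0", True, "REJECT")]

if __name__ == "__main__":
    print("REJECT all from peer -> outbound ssh works:", outbound_ssh_connects(BLOCK_ALL))
    print("REJECT -y from peer  -> outbound ssh works:", outbound_ssh_connects(BLOCK_NEW_ONLY),
          "| peer can connect in:", inbound_from_peer_connects(BLOCK_NEW_ONLY))
```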
