Re: IPCHAINS

From: Duncan (drack_at_mweb.co.zw)
Date: 07/21/04

    To: "Pete Nesbitt" <pete@linux1.ca>, "General Red Hat Linux discussion list" <redhat-list@redhat.com>
    Date: Wed, 21 Jul 2004 08:59:03 +0200
    
    

    ----- Original Message -----
    From: "Pete Nesbitt" <pete@linux1.ca>
    To: "Duncan" <drack@mweb.co.zw>; "General Red Hat Linux discussion list"
    <redhat-list@redhat.com>
    Sent: Wednesday, July 21, 2004 6:59 AM
    Subject: Re: IPCHAINS

    > On July 19, 2004 11:23 pm, Duncan wrote:
    > > > On July 19, 2004 12:00 am, Duncan wrote:
    > > > > Still this simple firewall is not allowing traffic from my ISP and the
    > > > > CLIENT but traffic on the LAN is flowing, all I want to do is allow
    > > > > traffic from me to the client, the client has squid so there is no
    > > > > need for masquerading. How do I do that with this firewall.
    > > > >
    > > > > # Setting default to deny all
    > > > > /sbin/ipchains -P input DENY
    > > > > /sbin/ipchains -P output DENY
    > > > > /sbin/ipchains -P forward DENY
    > > > >
    > > > > #allowing localhost
    > > > > /sbin/ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo
    > > > > /sbin/ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo
    > > > >
    > > > > #Deny packets from internet claiming to be from localhost and log
    > > > > /sbin/ipchains -A input -j REJECT -p all -s localhost -i ppp0 -l
    > > > >
    > > > > #Deny packets that mimic internal IPs and log
    > > > > /sbin/ipchains -A input -j REJECT -p all -s clientLAN/24 -i ppp0 -l
    > > > >
    > > > > #Allow packets from ISP
    > > > > /sbin/ipchains -A input -j ACCEPT -p all -s ISPrange/24 -d clientLAN/24 -i ppp0
    > > > >
    > > > > #Allow packets from LAN
    > > > > /sbin/ipchains -A output -j ACCEPT -p all -s client/24 -d ISPrange/24 -i ppp0
    > > > >
    > > > > #Allow outgoing packets thru internal interface
    > > > > /sbin/ipchains -A input -j ACCEPT -p all -s clientLAN/24 -i eth0
    > > > > /sbin/ipchains -A output -j ACCEPT -p all -s clientLAN/24 -i eth0
    > > > >
    > > > > > ----- Original Message -----
    > > > > > From: "Duncan" <drack@mweb.co.zw>
    > > > > > To: "General Red Hat Linux discussion list" <redhat-list@redhat.com>
    > > > > > Sent: Friday, July 16, 2004 9:10 AM
    > > > > > Subject: IPCHAINS
    > > > > >
    > > > > >
    > > > > > would the following ipchains stop tcp connections from anyone else other
    > > > > > than iprange, the ips in LAN 195.167.2.0/24
    > > > > >
    > > > > > /sbin/ipchains -F
    > > > > > /sbin/ipchains -P input -p tcp DENY
    > > > > > /sbin/ipchains -A input -p tcp -s iprange/24 -d 195.167.2.0/24 -j ACCEPT
    > > > > > /sbin/ipchains -A input -p udp -s iprange/24 -d 195.167.2.0/24 -j ACCEPT
    > > > > > /sbin/ipchains -A input -p icmp -s iprange/24 -d 195.167.2.0/24 -j ACCEPT
    > > > > >
    > > > > > Please advise
    > > > > >
    > > > > > ---------------------------
    > > > > > Duncan Rack
    > >
    > > ----- Original Message -----
    > > From: "Pete Nesbitt" <pete@linux1.ca>
    > > To: "Duncan" <drack@mweb.co.zw>; "General Red Hat Linux discussion list"
    > > <redhat-list@redhat.com>
    > > Sent: Tuesday, July 20, 2004 3:07 AM
    > > Subject: Re: IPCHAINS
    > >
    > > > Hi Duncan,
    > > > I'm not sure I understand the whole layout, but if you're using both ppp and
    > > > Ethernet, you will also need to add FORWARD rules to connect traffic
    > > > going between them (if needed). IPchains was a bit more involved than
    > > > IPtables is because instead of just having a forward rule for routed packets,
    > > > IPchains requires you set an input->forward->output set of rules.
    > > >
    > > > You may be best to post the exact scenario (who is on what interface and who
    > > > they need to talk to), as well as the whole rules script.
    > > >
    > > > Is there a reason you're using ipchains and not iptables?
    > > > --
    > > > Pete Nesbitt, rhce
    > >
    > > Hi Pete,
    > >
    > > Thanks, the box has RH6.2, I guess I am kind of more familiar with
    > > ipchains. The whole idea is to allow the LAN to communicate thru the linux
    > > box with the ISP thru any ports and vice versa and then disallow traffic
    > > from ANY outsider.
    > > 1) The linux box already has squid and what I don't know now is if I put
    > > forward rules, won't it mean there will be IP masquerading i.e. every
    > > machine will be able to browse and do anything and hence complicate the
    > > firewall, more rules, port specifications etc...
    > > 2) is there anything amiss with the firewall though? It's working as far as
    > > the LAN but when it comes to communicating with the ISP ....NOTHING !!!!
    > >
    > > Please help!!!
    >
    >
    > Hi Duncan,
    > IP Masquerading is separate from the 'forward' routing rules. As long as your
    > internal network's IPs are valid IPs you can use on the Internet (i.e. you
    > own) and your ISP routes them for you, you don't need masquerading. There is
    > no difference on the LAN side of the firewall, as right now all machines
    > could browse the internet if forwarding is in place. So, no I don't think it
    > would complicate your firewall.
    >
    > So I see the network as this:
    >
    > LAN <ethernet> FW <ppp> ISP <-> Internet
    >
    > As long as the LAN boxes have the fw as default gateways, and the fw has the
    > PPP connection to the ISP as its default gateway, your rules should be fine.
    >
    > You'll need to walk each connection thru the fw using an 'input, forward,
    > output' path. Your basic rules look like they will work once the 'paths' are
    > complete. Does your ISP range need to be allowed to initiate a session or is
    > that so you can get to them for proxy or something, if so you should set them
    > up to not allow syn packets inbound to your LAN. You may also want to add ssh
    > from your workstation to the fw.
    >
    > Hope that helps.
    > --
    > Pete Nesbitt, rhce

    Hi Pete,

    I guess I just have to try what you are saying, it really does make sense.
    The thing is I just wanted the firewall to be so simple that it would not
    involve much modifications in the future should someone want some changes.

    Thanks a million. Someone had said, if you noticed, that forwarding is not
    necessary. Thanks

    -- 
    redhat-list mailing list
    unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    https://www.redhat.com/mailman/listinfo/redhat-list
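The input -> forward -> output path Pete describes, written out as an added example that is not from the thread: an ipchains ruleset for the LAN <eth0> FW <ppp0> ISP layout, including the "no SYN inbound from the ISP side" restriction and the ssh rule he mentions. The addresses and the LAN_NET, ISP_NET, ADMIN_HOST and FW_LAN_IP names are placeholders of mine; where /sbin/ipchains is not installed, apply_rules prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): an ipchains script for the layout Pete
# sketches, LAN <eth0> FW <ppp0> ISP, with the input -> forward -> output path
# that Duncan's posted rules lack. Addresses are placeholders, not the poster's.
LAN_NET="${LAN_NET:-192.0.2.0/24}"        # stands in for clientLAN/24
ISP_NET="${ISP_NET:-198.51.100.0/24}"     # stands in for ISPrange/24
ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"    # workstation allowed to ssh to the fw
FW_LAN_IP="${FW_LAN_IP:-192.0.2.1}"       # firewall's own eth0 address

# Dry run when ipchains is absent (any modern box): print the commands instead.
if [ -x /sbin/ipchains ]; then IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
else IPCHAINS="${IPCHAINS:-echo /sbin/ipchains}"; fi

apply_rules() {
    $IPCHAINS -F
    $IPCHAINS -P input DENY
    $IPCHAINS -P output DENY
    $IPCHAINS -P forward DENY
    # Loopback.
    $IPCHAINS -A input  -i lo -j ACCEPT
    $IPCHAINS -A output -i lo -j ACCEPT
    # Spoofed sources arriving on the ppp link: drop and log.
    $IPCHAINS -A input -i ppp0 -s 127.0.0.0/8 -j DENY -l
    $IPCHAINS -A input -i ppp0 -s "$LAN_NET"  -j DENY -l
    # LAN -> ISP. In ipchains the forward chain's -i is the OUTGOING interface.
    $IPCHAINS -A input   -i eth0 -s "$LAN_NET" -d "$ISP_NET" -j ACCEPT
    $IPCHAINS -A forward -i ppp0 -s "$LAN_NET" -d "$ISP_NET" -j ACCEPT
    $IPCHAINS -A output  -i ppp0 -s "$LAN_NET" -d "$ISP_NET" -j ACCEPT
    # ISP -> LAN: replies only. A TCP SYN (-y) from the ISP side would start a
    # new session into the LAN, so it is denied and logged before the accept.
    $IPCHAINS -A input   -i ppp0 -p tcp -y -s "$ISP_NET" -d "$LAN_NET" -j DENY -l
    $IPCHAINS -A input   -i ppp0 -s "$ISP_NET" -d "$LAN_NET" -j ACCEPT
    $IPCHAINS -A forward -i eth0 -s "$ISP_NET" -d "$LAN_NET" -j ACCEPT
    $IPCHAINS -A output  -i eth0 -s "$ISP_NET" -d "$LAN_NET" -j ACCEPT
    # ssh from the admin workstation to the firewall itself (local, no forward).
    $IPCHAINS -A input  -i eth0 -p tcp -s "$ADMIN_HOST" -d "$FW_LAN_IP" 22 -j ACCEPT
    $IPCHAINS -A output -i eth0 -p tcp -s "$FW_LAN_IP" 22 -d "$ADMIN_HOST" -j ACCEPT
}

apply_rules
```

Run it with IPCHAINS=/sbin/ipchains on the RH6.2 box to apply; anywhere else it just lists the rules so the three-chain path for each direction can be read through.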
    
