I rearranged my ipchains rules, and of course I've forgotten something. Just about everything works, but I can't do name resolution on external names; internal name resolution works here. I'm running a caching nameserver (bind-8.2.2_P3-1) in forwarding mode on a masqueraded net. I start by disallowing anything, then set up input rules, forward, TOS stuff and lastly masquerading. The only udp rules I have are for ftp and dns; the latter shown here:

ipchains -A input -p udp -s 0/0 domain -d 0/0 56000:65096 -j ACCEPT --log
ipchains -A input -p tcp -s 0/0 domain -d 0/0 56000:65096 -j ACCEPT --log

To be able to do internal dns lookups, I needed:

ipchains -A input -p udp -j ACCEPT

after the dns rules, but external dns seems broken, and I can't see how. Someone told me the dns-tcp rule is needed only for master-slave dns zone transfers; I put it in because of a remark about dns replies larger than 512 bytes in the IPCHAINS-HOWTO. I was also told that I need to set up listener ports _before_ starting named, which I tried; it just didn't change the situation. Actually, the only way I can even send this mail is to add an INPUT ACCEPT anything rule at the end of the input chain.
Clearly unwanted ;-)

ipchains -L -v (slightly rearranged, hope it'll ease mail reading). (The above-mentioned INPUT ACCEPT rule is _not_ present in this listing):

Chain input (policy DENY: 271 packets, 32854 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source         destination ports
    0     0 ACCEPT all  ------ 0xFF 0x00 local               anywhere       anywhere    n/a
    0     0 ACCEPT all  ------ 0xFF 0x00 eth0                anywhere       anywhere    n/a
    0     0 ACCEPT tcp  -y---- 0xFF 0x00 any                 anywhere       anywhere    any -> any
    0     0 REJECT tcp  -y--l- 0xFF 0x00 any                 anywhere       anywhere    any -> auth
    0     0 ACCEPT tcp  -y--l- 0xFF 0x00 any                 anywhere       anywhere    any -> ssh
    0     0 ACCEPT tcp  -y--l- 0xFF 0x00 any                 anywhere       anywhere    any -> https
    0     0 ACCEPT tcp  ------ 0xFF 0x00 any                 anywhere       anywhere    any -> www
    0     0 ACCEPT tcp  -y---- 0xFF 0x00 any                 anywhere       anywhere    ftp-data -> 56000:65096
    0     0 ACCEPT tcp  ------ 0xFF 0x00 any                 anywhere       anywhere    domain -> 56000:65096
    1   148 ACCEPT udp  ------ 0xFF 0x00 any                 anywhere       anywhere    domain -> 56000:65096
    1    70 ACCEPT udp  ----l- 0xFF 0x00 any                 anywhere       anywhere    any -> any
    0     0 DENY   icmp ----l- 0xFF 0x00 any                 anywhere       anywhere    timestamp-request
    0     0 DENY   icmp ----l- 0xFF 0x00 any                 anywhere       anywhere    address-mask-request
    0     0 DENY   icmp ----l- 0xFF 0x00 any                 anywhere       anywhere    redirect
    0     0 DENY   icmp ----l- 0xFF 0x00 any                 anywhere       anywhere    router-advertisement
    2   186 ACCEPT icmp ------ 0xFF 0x00 any                 anywhere       anywhere    any -> any

Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source         destination ports
    0     0 DENY   tcp  ------ 0xFF 0x00 ppp+                anywhere       anywhere    netbios-ns:netbios-ssn -> any
    0     0 DENY   udp  ------ 0xFF 0x00 ppp+                anywhere       anywhere    netbios-ns:netbios-ssn -> any
    0     0 MASQ   all  ------ 0xFF 0x00 any                 192.168.1.0/24 anywhere    n/a

Chain output (policy ACCEPT: 12082 packets, 2167510 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source         destination ports
    0     0 -      tcp  ------ 0x01 0x10 ppp+                anywhere       anywhere    any -> www
    0     0 -      tcp  ------ 0x01 0x10 ppp+                anywhere       anywhere    any -> telnet
    0     0 -      tcp  ------ 0x01 0x10 ppp+                anywhere       anywhere    any -> ssh
    0     0 -      tcp  ------ 0x01 0x02 ppp+                anywhere       anywhere    any -> ftp-data
    0     0 -      tcp  ------ 0x01 0x02 ppp+                anywhere       anywhere    any -> nntp
    0     0 -      tcp  ------ 0x01 0x02 ppp+                anywhere       anywhere    any -> pop-3
-----------
The output chain listings are not a result of rules, but merely TOS manipulations.

-- 
Regards, Mogens Valentin
Networking - Security - Programming
Linux configuration and troubleshooting
http://www.danbbs.dk/~monz - monz@danbbs.dk
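A small way to reason about what the input chain above actually admits is to replay its UDP rules against a few constructed datagrams under ipchains' first-match semantics (rules are tried in listing order, the first match decides, and the chain policy applies when nothing matches). The following is an added example, not code from the post or from ipchains; it transcribes only the two UDP rules of the poster's input chain and the DENY policy. The addresses are constructed, the 61000-65095 masquerade port range is an assumption about the 2.2 masquerading code, and the port named sends its own queries from is an assumption as well. The point it makes for a defender is that the "ACCEPT any -> any" catch-all that was added to get internal lookups working also accepts every other UDP datagram from the outside, so the 56000:65096 window no longer restricts anything.

```python
"""First-match evaluator for the UDP rules of the input chain listed above.

Added example (not from the original post). Models ipchains semantics for
UDP only: rules are tried in order, the first match decides, otherwise the
chain policy applies. Rules are transcribed from the poster's listing;
packets, addresses and port assumptions are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]            # inclusive low..high, as in ipchains "lo:hi"
ANY: PortRange = (0, 65535)
DOMAIN: PortRange = (53, 53)            # "domain" in /etc/services


@dataclass(frozen=True)
class Rule:
    proto: str
    sport: PortRange     # port spec given after -s
    dport: PortRange     # port spec given after -d
    target: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def in_range(port: int, rng: PortRange) -> bool:
    return rng[0] <= port <= rng[1]


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; the chain policy applies if none matches.

    Returns (target, index_of_matching_rule), index None meaning the policy."""
    for i, rule in enumerate(chain):
        if (rule.proto == pkt.proto
                and in_range(pkt.sport, rule.sport)
                and in_range(pkt.dport, rule.dport)):
            return rule.target, i
    return policy, None


# The UDP rules of the poster's input chain, in listing order.
DNS_ONLY: List[Rule] = [Rule("udp", DOMAIN, (56000, 65096), "ACCEPT")]
WITH_CATCHALL: List[Rule] = DNS_ONLY + [Rule("udp", ANY, ANY, "ACCEPT")]
POLICY = "DENY"

# Constructed addresses (not from the post).
UPSTREAM = "198.51.100.53"   # external nameserver the caching named forwards to
FIREWALL = "203.0.113.7"     # the masquerading box's ppp address
CLIENT = "192.168.1.10"      # a host on the masqueraded 192.168.1.0/24 net


def reply_to_masqueraded_client() -> Packet:
    """Upstream reply to a LAN client's query that was masqueraded.

    Assumption: the 2.2 masquerading code rewrites the source port into
    61000-65095, which lies inside the rule's 56000:65096 window."""
    return Packet("udp", UPSTREAM, 53, FIREWALL, 61234)


def internal_client_query() -> Packet:
    """A LAN client asking the firewall's own caching named on port 53."""
    return Packet("udp", CLIENT, 1025, FIREWALL, 53)


def reply_to_local_named(query_source_port: int) -> Packet:
    """Upstream reply to a query that named itself sent.

    The port named queries from is an assumption here; BIND 8 lets the
    administrator pin it with the query-source option in named.conf."""
    return Packet("udp", UPSTREAM, 53, FIREWALL, query_source_port)


def unrelated_udp() -> Packet:
    """Arbitrary external UDP to a service port, to show what the catch-all admits."""
    return Packet("udp", UPSTREAM, 40000, FIREWALL, 111)


def audit() -> Dict[str, Dict[str, str]]:
    """Verdict for each constructed packet under both versions of the chain."""
    cases = {
        "reply to masqueraded client": reply_to_masqueraded_client(),
        "LAN client -> local named": internal_client_query(),
        "reply to named (source port 53)": reply_to_local_named(53),
        "reply to named (source port 1030)": reply_to_local_named(1030),
        "external UDP -> port 111": unrelated_udp(),
    }
    return {
        name: {
            "dns rule only": evaluate(DNS_ONLY, POLICY, pkt)[0],
            "with udp catch-all": evaluate(WITH_CATCHALL, POLICY, pkt)[0],
        }
        for name, pkt in cases.items()
    }


if __name__ == "__main__":
    for name, verdicts in audit().items():
        print(f"{name:36s} {verdicts}")
```

Running it shows that the DNS rule alone only admits replies whose destination port falls in the masquerade window, so both a LAN client talking to the local named on port 53 and an upstream reply to named's own query (whatever port it was sent from, unless it happens to be in 56000:65096) fall through to the DENY policy; the catch-all turns all of those into ACCEPT, but so does it for any external UDP aimed at, say, port 111. Under this model the narrower fix is a rule that accepts UDP from source port domain to whichever port named is configured to query from, plus a rule for LAN clients reaching port 53 on the internal interface, rather than an unrestricted UDP accept.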