Re: IPCHAINS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



----- Original Message ----- 
From: "Pete Nesbitt" <pete@xxxxxxxxx>
To: "Duncan" <drack@xxxxxxxxxx>; "General Red Hat Linux discussion list"
<redhat-list@xxxxxxxxxx>
Sent: Wednesday, July 21, 2004 6:59 AM
Subject: Re: IPCHAINS


> On July 19, 2004 11:23 pm, Duncan wrote:
> > > On July 19, 2004 12:00 am, Duncan wrote:
> > > > Still this simple firewall is not allowing traffic from me ISP and
the
> > > > CLIENT but traffic on the LAN is flowing , all i want to do is
allowa
> > > > traffic from me to the client , the client has squid so there is no
> > > > need for masquarading .Hw do i do that with tis firewall.
> > > >
> > > > # Setting default to deny all
> > > >   /sbin/ipchains -P input   DENY
> > > >   /sbin/ipchains -P output  DENY
> > > >   /sbin/ipchains -P forward DENY
> > > >
> > > >
> > > > #allowing localhost
> > > >   /sbin/ipchains -A input  -j ACCEPT -p all -s localhost -d
localhost
> > > > -i
> >
> > lo
> >
> > > >   /sbin/ipchains -A output -j ACCEPT -p all -s localhost -d
localhost
> > > > -i
> >
> > lo
> >
> > > > #Deny packets from internet claiming to be from localhost and log
> > > >   /sbin/ipchains -A input  -j REJECT -p all -s localhost  -i ppp0 -l
> > > >
> > > > #Deny packets that mimic internal IPs and log
> > > >   /sbin/ipchains -A input -j REJECT -p all -s clientLAN/24 -i
ppp0 -l
> > > >
> > > > #Allow packets from ISP
> > > >   /sbin/ipchains -A input -j ACCEPT -p all -s ISPrange/24  -d
> > > > ientLAN/24   -i ppp0
> > > >
> > > > #Allow packets from LAN
> > > >   /sbin/ipchains -A output  -j ACCEPT -p all -s client/24 -d
> >
> > ISPrange/24 -i
> >
> > > > ppp0
> > > >
> > > > #Allow outgoing packets thru internal interface
> > > >    /sbin/ipchains -A input   -j ACCEPT -p all -s clientLAN/24 -i
eth0
> > > >    /sbin/ipchains -A output  -j ACCEPT -p all -s clientLAN/24 -i
eth0
> > > >
> > > > > ----- Original Message -----
> > > > > From: "Duncan" <drack@xxxxxxxxxx>
> > > > > To: "General Red Hat Linux discussion list"
<redhat-list@xxxxxxxxxx>
> > > > > Sent: Friday, July 16, 2004 9:10 AM
> > > > > Subject: IPCHAINS
> > > > >
> > > > >
> > > > > would the following ipchains stop tcp connections from anyone else
> >
> > other
> >
> > > > > than iprange , the ips in LAN 195.167.2.0/24
> > > > >
> > > > > /sbin/ipchains -F
> > > > > /sbin/ipchains -P input -p tcp DENY
> > > > > /sbin/ipchains -A input -p tcp   -s  iprange/24  -d
> >
> > 5.167.2.0/24   -j
> >
> > > > > ACCEPT
> > > > > /sbin/ipchains -A input -p udp   -s  iprange/24  -d
> >
> > 5.167.2.0/24   -j
> >
> > > > > ACCEPT
> > > > > /sbin/ipchains -A input -p icmp  -s  iprange/24  -d
> >
> > 5.167.2.0/24   -j
> >
> > > > > ACCEPT
> > > > >
> > > > > Please advice
> > > > >
> > > > > ---------------------------
> > > > > Duncan Rack
> >
> > ----- Original Message -----
> > From: "Pete Nesbitt" <pete@xxxxxxxxx>
> > To: "Duncan" <drack@xxxxxxxxxx>; "General Red Hat Linux discussion list"
> > <redhat-list@xxxxxxxxxx>
> > Sent: Tuesday, July 20, 2004 3:07 AM
> > Subject: Re: IPCHAINS
> >
> > > Hi Duncan,
> > > I'm not sure I understand the whole layout, but if you're using both
ppp
> >
> > and
> >
> > > Ethernet, you will also need to add FORWARD rules to connect traffic
> > > going between them (if needed). IPchains was a bit more involved than
> > > IPtables
> >
> > is
> >
> > > because instead of just having a forward rule for routed packets,
> > > IPchains requires you set an input->forward->output set of rules.
> > >
> > > You may be best to post the exact senario (who is on what interface
and
> >
> > who
> >
> > > they need to talk to), as well as the whole rules script.
> > >
> > > Is there a reason you're using ipchains and not iptables?
> > > --
> > > Pete Nesbitt, rhce
> >
> > Hi Pete,
> >
> > Thanks , the box has RH6.2 , i gues i am kinda of more familiar with
> > ipchains. The whole idea is to allow the LAN to communicate thru the
linux
> > box with the ISP thru any ports and vice versa and then disallow traffic
> > from ANY outsider .
> > 1) The linux box already has squid and wat i dont know now is  if i put
> > forward rules , wont it mean there will be IP masquarading i.e every
> > machine will be able to browse and do anything and hence complicate the
> > firewall , more rules ,port specifications etc...
> > 2) is there anything amiss with the firewall though? its working  as far
as
> > the LAN but when it comes to communicating with the ISP ....NOTHING !!!!
> >
> > Please help!!!
>
>
> Hi Duncan,
> IP Masquarading is separate from the 'forward' routing rules. As long as
your
> internal networks IP's are valid IP's you can use on the INternet (i.e.
you
> own) and your ISP routes them for you, you don't need masqarading. There
is
> no difference on the LAN side of the firewall, as right now all machines
> could browse the internet if forwarding in in place. So, no I don't think
it
> would complicate your firewall.
>
> So I see the network as this:
>
> LAN <ethernet> FW <ppp> ISP <-> Internet
>
> As long as the LAN boxes have the fw as default gateways, and the fw has
the
> PPP connection to the ISP as it's dfault gateway, you rules should be
fine.
>
> You'll need to walk each connection thru the fw using an 'input, forward,
> output' path. Your basic rules look like they will work once the 'paths'
are
> complete. Does your ISP range need to be allowed to initiate a session or
is
> that so you can get to them for proxy or something, if so you should set
them
> up to not allow syn packets inbound to your LAN. You may also want to add
ssh
> from your workstaion to the fw.
>
> Hope that helps.
> -- 
> Pete Nesbitt, rhce

Hi Pete,

I guess i just have to try wat you  are saying , it really does make sense .
The thing is i just wanted the firewall to be so simpe that it would not
involve much modifications in the future should someone want some changes.

Thanks a million .Someone had said if u noticed that forwarding is not
necessary .Thanks


-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]


  Powered by Linux