----- Original Message -----
From: "Duncan" <drack@xxxxxxxxxx>
To: "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
Sent: Friday, July 16, 2004 9:10 AM
Subject: IPCHAINS

Would the following ipchains stop tcp connections from anyone else other than iprange, the IPs in LAN 195.167.2.0/24?

/sbin/ipchains -F
/sbin/ipchains -P input -p tcp DENY
/sbin/ipchains -A input -p tcp -s iprange/24 -d 195.167.2.0/24 -j ACCEPT
/sbin/ipchains -A input -p udp -s iprange/24 -d 195.167.2.0/24 -j ACCEPT
/sbin/ipchains -A input -p icmp -s iprange/24 -d 195.167.2.0/24 -j ACCEPT

Please advise

---------------------------
Duncan Rack


On July 19, 2004 12:00 am, Duncan wrote:

Still this simple firewall is not allowing traffic from my ISP and the CLIENT but traffic on the LAN is flowing, all I want to do is allow traffic from me to the client, the client has squid so there is no need for masquerading. How do I do that with this firewall.

# Setting default to deny all
/sbin/ipchains -P input DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -P forward DENY

#allowing localhost
/sbin/ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo
/sbin/ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo

#Deny packets from internet claiming to be from localhost and log
/sbin/ipchains -A input -j REJECT -p all -s localhost -i ppp0 -l

#Deny packets that mimic internal IPs and log
/sbin/ipchains -A input -j REJECT -p all -s clientLAN/24 -i ppp0 -l

#Allow packets from ISP
/sbin/ipchains -A input -j ACCEPT -p all -s ISPrange/24 -d clientLAN/24 -i ppp0

#Allow packets from LAN
/sbin/ipchains -A output -j ACCEPT -p all -s clientLAN/24 -d ISPrange/24 -i ppp0

#Allow outgoing packets thru internal interface
/sbin/ipchains -A input -j ACCEPT -p all -s clientLAN/24 -i eth0
/sbin/ipchains -A output -j ACCEPT -p all -s clientLAN/24 -i eth0


----- Original Message -----
From: "Pete Nesbitt" <pete@xxxxxxxxx>
To: "Duncan" <drack@xxxxxxxxxx>; "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
Sent: Tuesday, July 20, 2004 3:07 AM
Subject: Re: IPCHAINS

Hi Duncan,
I'm not sure I understand the whole layout, but if you're using both ppp and Ethernet, you will also need to add FORWARD rules to connect traffic going between them (if needed). IPchains was a bit more involved than IPtables is because instead of just having a forward rule for routed packets, IPchains requires you set an input->forward->output set of rules.

You may be best to post the exact scenario (who is on what interface and who they need to talk to), as well as the whole rules script.

Is there a reason you're using ipchains and not iptables?
--
Pete Nesbitt, rhce


On July 19, 2004 11:23 pm, Duncan wrote:

Hi Pete,

Thanks, the box has RH6.2, I guess I am kind of more familiar with ipchains. The whole idea is to allow the LAN to communicate thru the linux box with the ISP thru any ports and vice versa and then disallow traffic from ANY outsider.
1) The linux box already has squid and what I don't know now is if I put forward rules, won't it mean there will be IP masquerading, i.e. every machine will be able to browse and do anything and hence complicate the firewall, more rules, port specifications etc...
2) Is there anything amiss with the firewall though? It's working as far as the LAN but when it comes to communicating with the ISP ....NOTHING !!!!

Please help!!!


----- Original Message -----
From: "Pete Nesbitt" <pete@xxxxxxxxx>
To: "Duncan" <drack@xxxxxxxxxx>; "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
Sent: Wednesday, July 21, 2004 6:59 AM
Subject: Re: IPCHAINS

Hi Duncan,
IP Masquerading is separate from the 'forward' routing rules. As long as your internal network's IPs are valid IPs you can use on the Internet (i.e. you own) and your ISP routes them for you, you don't need masquerading. There is no difference on the LAN side of the firewall, as right now all machines could browse the internet if forwarding is in place. So, no I don't think it would complicate your firewall.

So I see the network as this:

LAN <ethernet> FW <ppp> ISP <-> Internet

As long as the LAN boxes have the fw as default gateways, and the fw has the PPP connection to the ISP as its default gateway, your rules should be fine. You'll need to walk each connection thru the fw using an 'input, forward, output' path. Your basic rules look like they will work once the 'paths' are complete. Does your ISP range need to be allowed to initiate a session or is that so you can get to them for proxy or something? If so you should set them up to not allow syn packets inbound to your LAN. You may also want to add ssh from your workstation to the fw.

Hope that helps.
--
Pete Nesbitt, rhce


On July 20, 2004 11:59 pm, Duncan wrote:

Hi Pete,

I guess I just have to try what you are saying, it really does make sense. The thing is I just wanted the firewall to be so simple that it would not involve much modifications in the future should someone want some changes.

Thanks a million. Someone had said if you noticed that forwarding is not necessary. Thanks


----- Original Message -----
From: "Pete Nesbitt" <pete@xxxxxxxxx>
To: "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
Sent: Wednesday, July 21, 2004 3:05 PM
Subject: Re: IPCHAINS

Hi Duncan,
You will also need to activate forwarding by putting the value '1' in "/proc/sys/net/ipv4/ip_forward".
This can be done in /etc/sysctl.conf, there is probably a line like: net.ipv4.ip_forward = 0, so make it =1.
If 6.2 didn't have that, you can add to the top of your fw rules: 'echo "1" > /proc/sys/net/ipv4/ip_forward'

If IPtables uses less complicated rules, you really should have a look at it at www.netfilter.org
--
Pete Nesbitt, rhce


Hi,
Thanks, I am just looking up the box as well as the website. I guess you are right, doesn't do me good sticking to IPCHAINS.

Rgds
Duncan

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
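Pete's advice in the thread comes down to three things: walk every routed connection through an input, forward and output rule (ipchains has no single "forward" shortcut), refuse inbound TCP SYNs from the ISP range so it can only answer sessions the LAN opens, and switch on ip_forward. The script below is an added example, not code from the thread or from Red Hat: it generates a complete rule set for the LAN <eth0> FW <ppp0> ISP layout and checks that each path is covered. The networks, the firewall's address and the admin workstation are placeholders (the thread gives none), and it assumes the ipchains behaviour that in the forward chain `-i` names the outgoing interface and `-y` matches TCP packets with only SYN set.

```shell
#!/bin/sh
# Added example, not from the thread: emits a complete ipchains rule set for
# LAN <eth0> FW <ppp0> ISP, walking each direction through the
# input -> forward -> output path and enabling ip_forward.
# All addresses below are placeholders; the thread never gives real ones.
LAN_NET="${LAN_NET:-192.0.2.0/24}"        # stands in for clientLAN/24
ISP_NET="${ISP_NET:-198.51.100.0/24}"     # stands in for ISPrange/24
FW_LAN_IP="${FW_LAN_IP:-192.0.2.1}"       # firewall's own eth0 address (assumed)
ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"    # workstation allowed to ssh to the fw (assumed)
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"

# Print the rules instead of running them, so they can be reviewed first and
# then piped to sh on the firewall box:  sh rules.sh --print | sh
build_rules() {
    cat <<EOF
# routing between interfaces stays off until this is set (sysctl.conf: net.ipv4.ip_forward = 1)
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -F
/sbin/ipchains -P input DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -P forward DENY
# loopback
/sbin/ipchains -A input -i lo -j ACCEPT
/sbin/ipchains -A output -i lo -j ACCEPT
# anti-spoofing on the ISP link, logged
/sbin/ipchains -A input -i $WAN_IF -s 127.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i $WAN_IF -s $LAN_NET -j DENY -l
# LAN -> ISP: arrives on $LAN_IF, forwarded out $WAN_IF, leaves on $WAN_IF
# (in the forward chain -i names the outgoing interface)
/sbin/ipchains -A input -i $LAN_IF -s $LAN_NET -d $ISP_NET -j ACCEPT
/sbin/ipchains -A forward -i $WAN_IF -s $LAN_NET -d $ISP_NET -j ACCEPT
/sbin/ipchains -A output -i $WAN_IF -s $LAN_NET -d $ISP_NET -j ACCEPT
# ISP -> LAN: replies only. Drop and log TCP SYNs first so the ISP range
# cannot open sessions into the LAN, then accept the rest of the path.
/sbin/ipchains -A input -i $WAN_IF -p tcp -s $ISP_NET -d $LAN_NET -y -j DENY -l
/sbin/ipchains -A input -i $WAN_IF -s $ISP_NET -d $LAN_NET -j ACCEPT
/sbin/ipchains -A forward -i $LAN_IF -s $ISP_NET -d $LAN_NET -j ACCEPT
/sbin/ipchains -A output -i $LAN_IF -s $ISP_NET -d $LAN_NET -j ACCEPT
# ssh from the admin workstation to the firewall itself (local traffic, no forward rule)
/sbin/ipchains -A input -i $LAN_IF -p tcp -s $ADMIN_HOST -d $FW_LAN_IP 22 -j ACCEPT
/sbin/ipchains -A output -i $LAN_IF -p tcp ! -y -s $FW_LAN_IP 22 -d $ADMIN_HOST -j ACCEPT
EOF
}

# Number of ACCEPT rules a chain receives. Routed traffic crosses input,
# forward and output; a chain with no ACCEPT stalls the path, which was the
# "LAN works, ISP gets nothing" symptom in the thread.
chain_accepts() {
    build_rules | grep -c -- "-A $1 .* -j ACCEPT"
}

# Both directions need an ACCEPT in every chain, and forwarding must be on.
paths_complete() {
    for chain in input forward output; do
        [ "$(chain_accepts "$chain")" -ge 2 ] || return 1
    done
    build_rules | grep -q '/proc/sys/net/ipv4/ip_forward'
}

case "${1:-}" in
    --print) build_rules ;;
    --check) paths_complete && echo "input/forward/output paths complete" ;;
esac
```

Run it with `--check` before `--print` so a missing chain is caught on the terminal rather than as a dead link once the rules are loaded; the SYN rule is placed before the general ISP accept because ipchains takes the first match.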