A Question On Ipchains Input Rules

From: Thomas Dineen (tdineen_at_ix.netcom.com)
Date: 12/25/03

  • Next message: NeoSadist: "Re: DOS attacks"
    Date: Thu, 25 Dec 2003 00:08:25 GMT
    
    

    Gentlepeople:

    I am having a strange difficulty with ipchains on
    RedHat 7.2. The forwarding rules shown below work great
    when used stand-alone without the input rules. The
    performance of the forwarding rules seems to match that
    described in the documentation and also seems intuitive.

     However, when included in the script, the input rules
    seem to block ALL traffic in a most unintuitive manner.
    My plan was to block all traffic except that specifically
    designated with the input and forwarding entries.

        What am I doing wrong?

    Does anyone have a working firewall script or mini
    example that they can share with us?

        What am I doing wrong?

    Happy Holidays
    Thomas Dineen
    tdineen@ix.netcom.com

    #
    # Dineen Consulting Firewall.
    #

    # Define Variables.
    DNSA="204.127.199.8"
    DNSB="63.240.76.198"

    #
    # Input Rules:
    #

    # Start With DENY All.
    /sbin/ipchains -F input
    /sbin/ipchains -P input DENY

    # Allow input from local addresses.
    /sbin/ipchains -A input -s 128.0.0.0/16 -d 128.0.0.0/16 -j ACCEPT
    /sbin/ipchains -A input -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT

    # Allow ICMP input.
    /sbin/ipchains -A input -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

    # Allow Comcast DNS Server A Input.
    /sbin/ipchains -A input -s $DNSA -d 0.0.0.0/0 -j ACCEPT
    /sbin/ipchains -A input -s 128.0.0.0/16 -d $DNSA -j ACCEPT

    # Allow Comcast DNS Server B Input.
    /sbin/ipchains -A input -p UDP -s $DNSB -d 0.0.0.0/0 -j ACCEPT
    /sbin/ipchains -A input -p UDP -s 128.0.0.0/16 -d $DNSB -j ACCEPT

    # Allow HTTP Input (protocol added: ipchains rejects a port without -p TCP/UDP).
    /sbin/ipchains -A input -p UDP -s 128.0.0.0/16 -d 0.0.0.0/0 www -j ACCEPT
    /sbin/ipchains -A input -p TCP -s 128.0.0.0/16 -d 0.0.0.0/0 www -j ACCEPT

    # Allow HTTPS Input.
    /sbin/ipchains -A input -p UDP -s 128.0.0.0/16 -d 0.0.0.0/0 443 -j ACCEPT
    /sbin/ipchains -A input -p TCP -s 128.0.0.0/16 -d 0.0.0.0/0 443 -j ACCEPT

    # Allow FTP Input.
    /sbin/ipchains -A input -p UDP -s 128.0.0.0/16 -d 0.0.0.0/0 ftp -j ACCEPT
    /sbin/ipchains -A input -p TCP -s 128.0.0.0/16 -d 0.0.0.0/0 ftp -j ACCEPT

    # Allow SMTP Input.
    /sbin/ipchains -A input -p UDP -s 128.0.0.0/16 -d 0.0.0.0/0 smtp -j ACCEPT
    /sbin/ipchains -A input -p TCP -s 128.0.0.0/16 -d 0.0.0.0/0 smtp -j ACCEPT

    # Allow POP-3 Input.
    /sbin/ipchains -A input -p UDP -s 128.0.0.0/16 -d 0.0.0.0/0 pop-3 -j ACCEPT
    /sbin/ipchains -A input -p TCP -s 128.0.0.0/16 -d 0.0.0.0/0 pop-3 -j ACCEPT

    #
    # Forwarding Rules:
    #

    # Start With DENY All.
    /sbin/ipchains -F forward
    /sbin/ipchains -P forward DENY

    # Forward Internal To Internal Traffic without masquerading.
    /sbin/ipchains -A forward -s 128.0.0.0/24 -d 128.0.1.0/24 -j ACCEPT
    /sbin/ipchains -A forward -d 128.0.0.0/24 -s 128.0.1.0/24 -j ACCEPT

    # Masquerading To Cable Modem on Port eth0.

    # Allow ICMP Forwarding.
    /sbin/ipchains -A forward -i eth0 -p icmp -s 128.0.0.0/16 -d 0.0.0.0/0 -j MASQ

    # Allow Comcast DNS Server A Forwarding.
    /sbin/ipchains -A forward -i eth0 -p UDP -s $DNSA -d 0.0.0.0/0 -j MASQ
    /sbin/ipchains -A forward -i eth0 -p UDP -s 128.0.0.0/16 -d $DNSA -j MASQ

    # Allow Comcast DNS Server B Forwarding.
    /sbin/ipchains -A forward -i eth0 -p UDP -s $DNSB -d 0.0.0.0/0 -j MASQ
    /sbin/ipchains -A forward -i eth0 -p UDP -s 128.0.0.0/16 -d $DNSB -j MASQ

    # Allow HTTP Forwarding.
    /sbin/ipchains -A forward -i eth0 -p UDP -s 128.0.0.0/16 -d 0.0.0.0/0 www -j MASQ
    /sbin/ipchains -A forward -i eth0 -p TCP -s 128.0.0.0/16 -d 0.0.0.0/0 www -j MASQ

    # Allow HTTPS Forwarding.
    /sbin/ipchains -A forward -i eth0 -p UDP -s 128.0.0.0/16 -d 0.0.0.0/0 443 -j MASQ
    /sbin/ipchains -A forward -i eth0 -p TCP -s 128.0.0.0/16 -d 0.0.0.0/0 443 -j MASQ

    # Allow FTP Forwarding.
    /sbin/ipchains -A forward -i eth0 -p UDP -s 128.0.0.0/16 -d 0.0.0.0/0 ftp -j MASQ
    /sbin/ipchains -A forward -i eth0 -p TCP -s 128.0.0.0/16 -d 0.0.0.0/0 ftp -j MASQ

    # Allow SMTP Forwarding.
    /sbin/ipchains -A forward -i eth0 -p UDP -s 128.0.0.0/16 -d 0.0.0.0/0 smtp -j MASQ
    /sbin/ipchains -A forward -i eth0 -p TCP -s 128.0.0.0/16 -d 0.0.0.0/0 smtp -j MASQ

    # Allow POP-3 Forwarding.
    /sbin/ipchains -A forward -i eth0 -p UDP -s 128.0.0.0/16 -d 0.0.0.0/0 pop-3 -j MASQ
    /sbin/ipchains -A forward -i eth0 -p TCP -s 128.0.0.0/16 -d 0.0.0.0/0 pop-3 -j MASQ
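
Editor's note on the script above, with an added example that is not the poster's code. The input chain in ipchains is stateless and sees every packet that enters the box, replies included. The posted rules accept the LAN's outbound requests (source 128.0.0.0/16, destination port www, 443, ftp, ...) but nothing accepts the answers that come back on eth0: those arrive from arbitrary Internet hosts with source port 80/443/... and a destination of the cable-modem address in the 2.2 kernel's masquerade port range 61000:65095, so the `-P input DENY` policy eats them. Only ICMP and DNS from $DNSA (accepted from any port) survive, which is exactly the "blocks ALL traffic" symptom. Two smaller points: a port specification is only meaningful with `-p TCP` or `-p UDP` (the HTTP, HTTPS, FTP, SMTP and POP-3 services are TCP, so the UDP copies never match anything), and on the forward chain `-i` names the outgoing interface, which is why `-i eth0 ... -j MASQ` is right there. The script below keeps the poster's addressing and resolvers and adds the missing reply rules plus anti-spoofing. Assumptions, labelled in the comments: eth0 is the cable-modem side, EXTIP (a TEST-NET-3 placeholder) is the modem's address, and IPC defaults to a dry run that only prints the ipchains commands. Note that 128.0.0.0/16 is publicly routable space; a real LAN should use RFC 1918 addresses such as 192.168.0.0/16.

```shell
#!/bin/sh
# Added example (not the poster's script): a minimal working ipchains
# masquerading firewall for the layout described in the post above.
# IPC defaults to "echo /sbin/ipchains" so the rule set can be reviewed
# on any machine (dry run); set IPC=/sbin/ipchains on the 2.2-era box to
# load it for real.
IPC=${IPC:-echo /sbin/ipchains}

EXT=eth0                  # cable-modem side, as in the post
LAN=128.0.0.0/16          # kept from the post; NOTE: this is public address
                          # space, a real LAN belongs in RFC 1918 space
EXTIP=${EXTIP:-203.0.113.10}  # assumption: the cable modem's address
                              # (TEST-NET-3 placeholder; re-run the script
                              # whenever the DHCP lease changes it)
DNSA=204.127.199.8        # the two resolvers from the post
DNSB=63.240.76.198
TCP_OUT="21 25 80 110 443"    # ftp smtp www pop-3 https, all TCP

build_rules() {
    # Flush and set an explicit policy on all three built-in chains.
    $IPC -F input;   $IPC -P input DENY
    $IPC -F forward; $IPC -P forward DENY
    $IPC -F output;  $IPC -P output ACCEPT

    # Loopback, matched by interface so it covers every 127/8 address.
    $IPC -A input -i lo -j ACCEPT

    # Anti-spoofing: nothing arriving from the cable modem may carry a LAN
    # or loopback source address. -l logs each hit to the kernel log.
    $IPC -A input -i $EXT -s $LAN -j DENY -l
    $IPC -A input -i $EXT -s 127.0.0.0/8 -j DENY -l

    # With spoofed packets gone, anything from the LAN must have come in
    # on an internal interface; the forward chain decides what gets out.
    $IPC -A input -s $LAN -j ACCEPT

    # ICMP in both directions, as in the post.
    $IPC -A input -p icmp -j ACCEPT

    # THE RULES THE POST IS MISSING: ipchains is stateless, so the
    # replies coming back from the Internet need their own ACCEPTs.
    # TCP: non-SYN segments (! -y) to the masquerade range 61000:65095
    # or to unprivileged ports on the firewall itself. Nothing that can
    # open a new connection matches this rule.
    $IPC -A input -i $EXT -p tcp ! -y -d $EXTIP 1024:65535 -j ACCEPT
    # UDP: DNS answers, and only from the two resolvers' port 53.
    for dns in $DNSA $DNSB; do
        $IPC -A input -i $EXT -p udp -s $dns 53 -d $EXTIP 1024:65535 -j ACCEPT
    done

    # Log-then-deny everything else from the cable modem (the policy would
    # deny it anyway; the log line is what you will want later).
    $IPC -A input -i $EXT -j DENY -l

    # Forward chain. On forward, -i is the OUTGOING interface. LAN to
    # Internet, masqueraded, for the listed services and for DNS to the
    # two resolvers. Replies to masqueraded traffic are demasqueraded
    # right after the input chain and skip forward entirely, so the post's
    # "-s $DNSA ... -j MASQ" forward rules never match and are left out.
    for port in $TCP_OUT; do
        $IPC -A forward -i $EXT -p tcp -s $LAN -d 0.0.0.0/0 $port -j MASQ
    done
    for dns in $DNSA $DNSB; do
        $IPC -A forward -i $EXT -p udp -s $LAN -d $dns 53 -j MASQ
    done
    # Internal-to-internal routing between LAN subnets, no masquerading.
    $IPC -A forward -s $LAN -d $LAN -j ACCEPT
}

enable_kernel_side() {
    # Routing must be switched on, and plain MASQ cannot follow FTP data
    # connections without the helper module.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/modprobe ip_masq_ftp
}

build_rules
case "$IPC" in echo*) ;; *) enable_kernel_side ;; esac
```

Run it as-is to print the rule set and check the order (anti-spoof before the LAN accept, reply rules before the final log-and-deny); run it with `IPC=/sbin/ipchains` to load it. The `! -y` rule still lets ACK-only probes reach the firewall's unprivileged ports, which is the known limit of a stateless filter; there is no state table in ipchains to do better.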

