Re: A Question On Ipchains Input Rules

From: NeoSadist (
Date: 12/25/03

  • Next message: NeoSadist: "Re: Security through wide system use?"
    Date: Thu, 25 Dec 2003 09:43:39 -0700

    Thomas Dineen wrote:

    > Gentlepeople:
    > I am having a strange difficulty with ipchains on
    > RedHat 7.2. The forwarding rules shown below work great
    > when used stand alone without the input rules. The
    > performance of the forwarding rules seems to match that
    > described in the documentation and also seems intuitive.
    > However when included in the script the input rules
    > seem to block ALL traffic in a most unintuitive manner.
    > My plan was to block all traffic except that specifically
    > designated with the input and forwarding entries.
    > What am I doing wrong?
    > Does anyone have a working firewall script or mini
    > example that they can share with us?
    > What am I doing wrong?
    > Happy Holidays
    > Thomas Dineen
    > #
    > # Dineen Consulting Firewall.
    > #
    > # Define Variables.
    > DNSA=""
    > DNSB=""
    > #
    > # Input Rules:
    > #
    > # Start With DENY All.
    > /sbin/ipchains -F input
    > /sbin/ipchains -P input DENY

    I'd say that portion is your problem. First, yes, you should upgrade
    kernels and use iptables, but that's not really the problem. Second, it
    sets a DENY policy on the input chain after the chain is flushed. It
    should set the policy (-P input DENY) FIRST, then flush the rules (-F
    input). Here's what I recommend:

    # Start With DENY All
    # (ipchains built-in chain names are lower-case: input, output, forward)
    /sbin/ipchains -P input DENY
    /sbin/ipchains -P output DENY
    /sbin/ipchains -F input
    /sbin/ipchains -F output

    However, I prefer IPTables, so this is how it would look in IPTables:

    # Set Default Policy to DROP
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    # Flush all rules, delete user-defined chains, zero the counters
    iptables -F
    iptables -X
    iptables -Z

    I prefer DROP over DENY, because DENY will transmit an RST packet back to
    the source telling it that it is not allowed to have that port, hence the
    port will appear closed. DROP, on the other hand, will not transmit an RST
    packet back, therefore the port will appear "stealthed". BTW, the funny
    thing about the whole "stealthed" port thing is that according to the
    TCP/IP standards, stealthed ports shouldn't exist: all machines should
    transmit an RST packet back to the source telling it to try a different
    port. I still use DROP on mine though.

    Reisner's Rule of Conceptual Inertia:
            If you think big enough, you'll never have to do it.
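
To show what the original poster was after (block everything except what the input and forwarding rules explicitly allow) in the policy-then-flush order the reply recommends, here is an added example script. It is not code from either poster. The interface names eth0 (outside) and eth1 (inside), the 192.168.1.0/24 LAN, and the ports opened are assumptions; the `-m state` match is the one iptables of that era used (newer kernels spell it `-m conntrack --ctstate`). The loopback and ESTABLISHED,RELATED rules are the ones most often missing from a default-deny script, and without them a DROP policy blocks "ALL traffic" exactly as described in the question.

```shell
#!/bin/sh
# Added example, not from the original post.  Default-deny iptables
# firewall in the recommended order: policies first, then flush, then
# explicit ACCEPT rules.  Interfaces, network and ports are assumptions.
set -eu

WAN_IF="${WAN_IF:-eth0}"              # assumed external interface
LAN_IF="${LAN_IF:-eth1}"              # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed internal network
IPT="${IPT:-iptables}"                # set IPT="echo iptables" for a dry run

firewall_rules() {
    # 1. Default policy first: nothing is accepted while the chains are rebuilt.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # 2. Flush rules, delete user-defined chains, zero counters.
    $IPT -F
    $IPT -X
    $IPT -Z

    # 3. Loopback.  Local resolvers, X, databases etc. break without this.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # 4. Packets belonging to connections that were already allowed.
    #    Without these, replies to permitted traffic hit the DROP policy.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 5. Input rules: services the firewall itself offers (SSH, LAN side only).
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
         -m state --state NEW -j ACCEPT

    # 6. Output rules: what the firewall host may start on its own (DNS, web).
    $IPT -A OUTPUT -p udp --dport 53  -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

    # 7. Forwarding rules: LAN hosts may open connections outward, masqueraded.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
         -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # 8. Everything else falls through to the DROP policy (silent).  To answer
    #    unwanted TCP with a RST instead, append, for example:
    #    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
}

case "${1:-}" in
    apply) firewall_rules ;;                        # apply for real (run as root)
    show)  IPT="echo iptables"; firewall_rules ;;   # dry run: print the commands
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Run `sh fw.sh show` to review the generated command list, and `sh fw.sh apply` as root to load it. Apply it from the console the first time: between the `-P INPUT DROP` and the ESTABLISHED,RELATED rule an SSH session has no rule that accepts its packets, so a mistake anywhere in the script leaves you locked out.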
