Re: A Question On Ipchains Input Rules
From: NeoSadist (neosad1st_at_charter.net)
Date: 12/25/03
- Previous message: David: "Re: Backup media; comments would be appreciated."
- In reply to: Thomas Dineen: "A Question On Ipchains Input Rules"
- Next in thread: Juha Laiho: "Re: A Question On Ipchains Input Rules"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 25 Dec 2003 09:43:39 -0700
Thomas Dineen wrote:
> Gentlepeople:
>
> I am having a strange difficulty with ipchains on
> RedHat 7.2. The forwarding rules shown below work great
> when used stand alone without the input rules. The
> performance of the forwarding rules seems to match that
> described in the documentation and also seems intuitive.
>
> However when included in the script the input rules
> seem to block ALL traffic in a most unintuitive manner.
> My plan was to block all traffic except that specifically
> designated with the input and forwarding entries.
>
> What am I doing wrong?
>
> Does anyone have a working firewall script or mini
> example that they can share with us?
>
> What am I doing wrong?
>
> Happy Holidays
> Thomas Dineen
> tdineen@ix.netcom.com
>
> #
> # Dineen Consulting Firewall.
> #
>
> # Define Variables.
> DNSA="204.127.199.8"
> DNSB="63.240.76.198"
>
> #
> # Input Rules:
> #
>
> # Start With DENY All.
> /sbin/ipchains -F input
> /sbin/ipchains -P input DENY
I'd say that portion is your problem. First, yes, you should upgrade
kernels and use iptables, but that's not really the problem. Second, it
makes a policy on INPUT string for deny, after the firewall is flushed. It
should do the policy (-P INPUT DENY) FIRST, then flush the rules (-F
INPUT). Here's what I recommend:
# Start With DENY All
# (ipchains built-in chain names are lower-case: input, output, forward)
/sbin/ipchains -P input DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -F input
/sbin/ipchains -F output
However, I prefer IPTables, so this is how it would look in IPTables:
# Set Default Policy to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Flush Rules
iptables -F
iptables -X
iptables -Z
I prefer DROP over DENY, because DENY will transmit an RST packet back to
the source telling it that it is not allowed to have that port, hence the
port will appear closed. DROP, on the other hand, will not transmit an RST
packet back, therefore the port will appear "stealthed". BTW, the funny
thing about the whole "stealthed" port thing is that according to the
TCP/IP standards, stealthed ports shouldn't exist: all machines should
transmit an RST packet back to the source telling it to try a different
port. I still use DROP on mine though.
--
Reisner's Rule of Conceptual Inertia:
If you think big enough, you'll never have to do it.
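Added illustration (not part of either post): a small Python model of first-match chain evaluation with a default policy, using the two DNS addresses from Thomas's script. It shows why a default-DENY input chain drops everything, including the DNS replies the box itself asked for, until matching ACCEPT rules are added; the rule-matching semantics and the sample packets are constructed assumptions, not ipchains itself.

```python
# Constructed toy model of an ipchains-style chain: rules are checked in order,
# first match wins, and the chain's default policy decides anything unmatched.
from dataclasses import dataclass, field
from typing import List, Optional

DNSA = "204.127.199.8"   # DNS servers from the posted script
DNSB = "63.240.76.198"

@dataclass
class Rule:
    target: str                   # "ACCEPT" or "DENY"
    src: str = "0.0.0.0/0"        # exact source address, or any
    proto: str = "any"            # "udp", "tcp" or any
    sport: Optional[int] = None   # source port, None = any

@dataclass
class Chain:
    policy: str = "DENY"
    rules: List[Rule] = field(default_factory=list)

    def flush(self) -> None:
        """-F: remove the rules; the default policy is separate from the rule list."""
        self.rules.clear()

    def verdict(self, pkt: dict) -> str:
        for r in self.rules:
            if (r.src in ("0.0.0.0/0", pkt["src"])
                    and r.proto in ("any", pkt["proto"])
                    and r.sport in (None, pkt["sport"])):
                return r.target
        return self.policy   # nothing matched: default policy applies

def build_input_chain(allow_dns_replies: bool) -> Chain:
    chain = Chain(policy="DENY")   # -P input DENY
    chain.flush()                  # -F input
    if allow_dns_replies:          # explicitly permit replies from the two resolvers
        for dns in (DNSA, DNSB):
            chain.rules.append(Rule("ACCEPT", src=dns, proto="udp", sport=53))
    return chain

# Constructed sample packets arriving on the input chain.
DNS_REPLY = {"src": DNSA, "proto": "udp", "sport": 53}
UNSOLICITED = {"src": "198.51.100.7", "proto": "tcp", "sport": 40000}

if __name__ == "__main__":
    print(build_input_chain(False).verdict(DNS_REPLY))   # DENY: the posted script's symptom
    print(build_input_chain(True).verdict(DNS_REPLY))    # ACCEPT
    print(build_input_chain(True).verdict(UNSOLICITED))  # DENY: default policy still holds
```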