Re: A Question On Ipchains Input Rules

From: NeoSadist (
Date: 12/25/03

Date: Thu, 25 Dec 2003 09:43:39 -0700

    Thomas Dineen wrote:

    > Gentlepeople:
    > I am having a strange difficulty with ipchains on
    > RedHat 7.2. The forwarding rules shown below work great
    > when used stand alone without the input rules. The
    > performance of the forwarding rules seems to match that
    > described in the documentation and also seems intuitive.
    > However when included in the script the input rules
    > seem to block ALL traffic in a most unintuitive manner.
    > My plan was to block all traffic except that specifically
    > designated with the input and forwarding entries.
    > What am I doing wrong?
    > Does anyone have a working firewall script or mini
    > example that they can share with us?
    > What am I doing wrong?
    > Happy Holidays
    > Thomas Dineen
    > #
    > # Dineen Consulting Firewall.
    > #
    > # Define Variables.
    > DNSA=""
    > DNSB=""
    > #
    > # Input Rules:
    > #
    > # Start With DENY All.
    > /sbin/ipchains -F input
    > /sbin/ipchains -P input DENY

    I'd say that portion is your problem. First, yes you should upgrade
    kernels, and use iptables, but that's not really the problem. Second, it
    makes a policy on INPUT string for deny, after the firewall is flushed. It
    should do the policy (-P INPUT DENY) FIRST, then flush the rules (-F
    INPUT). Here's what I recommend:

    #Start With DENY All
    /sbin/ipchains -P INPUT DENY
    /sbin/ipchains -P OUTPUT DENY
    /sbin/ipchains -F INPUT
    /sbin/ipchains -F OUTPUT

    However, I prefer IPTables, so this is how it would look in IPTables:

    # Set Default Policy to DROP
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    # Flush Rules
    iptables -F
    iptables -X
    iptables -Z

    I prefer DROP over DENY, because DENY will transmit an RST packet back to
    the source telling it that it is not allowed to have that port, hence the
    port will appear closed. DROP, on the other hand, will not transmit an RST
    packet back, therefore the port will appear "stealthed". BTW, the funny
    thing about the whole "stealthed" port thing is that according to the
    TCP/IP standards, stealthed ports shouldn't exist: all machines should
    transmit an RST packet back to the source telling it to try a different
    port. I still use DROP on mine though.

    Reisner's Rule of Conceptual Inertia:
            If you think big enough, you'll never have to do it.
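    A minimal default-deny iptables script written in the order recommended above (policies first, then flush, then explicit allow rules for input and forwarding), as an added example that is not code from the thread. It assumes a constructed layout, eth0 facing the Internet and eth1 a LAN on 192.168.1.0/24, and an FW variable that can be pointed at echo to print the rules without loading them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed, constructed layout: eth0 faces
# the Internet, eth1 a LAN on 192.168.1.0/24. With no arguments the script
# only prints the rule set; run with --apply as root to load it.
FW="${FW:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

apply_rules() {
    # Default policy DROP on every built-in chain before anything else, so
    # there is never a window with an open firewall while rules are rebuilt.
    $FW -P INPUT DROP
    $FW -P FORWARD DROP
    $FW -P OUTPUT DROP
    # Flush rules, delete user chains, zero counters (-F leaves policies alone).
    $FW -F
    $FW -X
    $FW -Z
    # Loopback, plus replies to connections this host itself opened.
    $FW -A INPUT  -i lo -j ACCEPT
    $FW -A OUTPUT -o lo -j ACCEPT
    $FW -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $FW -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Services this host offers: SSH, and only from the LAN.
    $FW -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    # Forwarding: the LAN may initiate outward; only replies come back in.
    $FW -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $FW -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN clients get an explicit REJECT (TCP RST / ICMP unreachable) so their
    # misdirected connections fail fast; Internet traffic falls through to the
    # DROP policy and gets no answer at all.
    $FW -A INPUT -i "$LAN_IF" -p tcp -j REJECT --reject-with tcp-reset
    $FW -A INPUT -i "$LAN_IF" -j REJECT --reject-with icmp-port-unreachable
}

# Print the rule set without touching the kernel.
rules_dry_run() { ( FW=echo; apply_rules ); }

# Check for the ordering problem discussed above: the -P lines must come
# before the -F line. Exit status 0 when the order is right.
policies_precede_flush() {
    rules_dry_run | awk '/^-P / {p=NR} /^-F$/ {f=NR} END {exit !(p && f && p < f)}'
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    rules_dry_run
    policies_precede_flush && echo "ok: policies set before flush"
fi
```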
