Re: A Question On Ipchains Input Rules

From: Juha Laiho (
Date: 12/25/03

Date: Thu, 25 Dec 2003 20:02:01 GMT

(cc'ed to Thomas -- but please keep future discussion in the newsgroup)

Thomas Dineen <> said:
> I am having a strange difficulty with ipchains on
>RedHat 7.2. The forwarding rules shown below work great
>when used stand alone without the input rules. The
>performance of the forwarding rules seems to match that
>described in the documentation and also seems intuitive.

If RH72 allows using iptables instead of ipchains, I heartily
recommend switching into iptables. Two reasons for this being
the statefulness of iptables (so, you have a generic rule allowing
return packets for any established connections, and f.ex. to allow
outbound SMTP sessions, you just allow outbound SMTP, and the
appropriate return packets will be allowed). Also, the model of IP
forwarding is more sane in iptables than it was in ipchains -
IIRC, in ipchains, if you wanted to allow a packet from outside
network to protected network, you had to allow it in input, output
and forward chains. With iptables, INPUT and OUTPUT are used only
for packets destined to (or originated from) the host itself, and
FORWARD is to be used for packets that only are routed through the

Some specific comments below related your script.

># Allow input from local addresses.
>/sbin/ipchains -A input -s -d -j ACCEPT
>/sbin/ipchains -A input -s -d -j ACCEPT

This (127.x) I'd allow by allowing traffic from the 'lo' interface.

># Allow ICMP input.
>/sbin/ipchains -A input -p icmp -s -d -j ACCEPT

Allowing all ICMP isn't necessarily good - though blocking all ICMP
is also bad. With 'iptables' this'd be easier (allow just "RELATED"
packets to allow ICMP that is related to currently active sessions).

># Allow Comcast DNS Server A Input.
>/sbin/ipchains -A input -s $DNSA -d -j ACCEPT
>/sbin/ipchains -A input -s -d $DNSA -j ACCEPT
># Allow Comcast DNS Server B Input.
>/sbin/ipchains -A input -p UDP -s $DNSB -d -j ACCEPT
>/sbin/ipchains -A input -p UDP -s -d $DNSB -j ACCEPT

Why having different rules for different DNS servers (so, allowing
all protocols for one, but only UDP for the other)? Also, some DNS
traffic may need TCP.

># Allow HTTP Input.
>/sbin/ipchains -A input -s -d www -j ACCEPT
>/sbin/ipchains -A input -s -d www -j ACCEPT

Two identical rules?

># Allow HTTPS Input.
>/sbin/ipchains -A input -p UDP -s -d 443 -j ACCEPT
>/sbin/ipchains -A input -p TCP -s -d 443 -j ACCEPT

HTTPS is pure TCP, so no need to allow UDP.

># Allow FTP Input.
>/sbin/ipchains -A input -p UDP -s -d ftp -j ACCEPT
>/sbin/ipchains -A input -p TCP -s -d ftp -j ACCEPT
># Allow SMTP Input.
>/sbin/ipchains -A input -p UDP -s -d smtp -j ACCEPT
>/sbin/ipchains -A input -p TCP -s -d smtp -j ACCEPT
># Allow POP-3 Input.
>/sbin/ipchains -A input -p UDP -s -d pop-3 -j ACCEPT
>/sbin/ipchains -A input -p TCP -s -d pop-3 -j ACCEPT

No UDP needed for FTP, SMTP or POP3, either.

># Forwarding Rules:

Not many additional comments on these.

Is it really so that you've been assigned the complete class B 128.0?
Or are you just using 128.0 address space by some kind of chance?
If you're just using 128.0, please switch to addresses that are
designated to internal use - you're possibly causing harm to yourself
by using "real" addresses designated to someone else on the Internet.
For private network addresses. please see .

Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)