Re: Linux IPChains Question

From: Devdas Bhagat (devdas_at_users.sourceforge.net)
Date: 10/12/03

    Date: 12 Oct 2003 09:14:36 GMT

    On Fri, 10 Oct 2003 07:24:18 +0000 (UTC), Nicholas Suan <nsuan@nonexiste.net>
    poured into the usenet group comp.security.firewalls:
    > "stewart menday" <stewart at webstorm.net.au> wrote in news:3f8619d6$0$95047$c30e37c6@lon-reader.news.telstra.net:
    >
    >> Hi All
    >> I am trying to setup a bit of a firewall with Red Hat Linux 7 using
    >> IPChains. I want to disable forwarding for everyone except machines
    >> connected to my network (one win2000 machine), I have the following rules
    >>
    >> ipchains -P forward DENY
    >> ipchains -A forward -s myipaddress -j ACCEPT
    >>
    >> but it doesn't seem to work, I cannot ping (or anything else) anything
    >> outside my network, it all works fine if the default policy is ACCEPT.
    >>
    >> What am I doing wrong? Any help would be great.
    >>
    I suggest adding an explicit DENY and log rule at the end.
    Your ruleset boils down to this:

    # ipchains built-in chains are lowercase (input, output, forward)
    ipchains -P forward DENY
    ipchains -A forward -s my.ip.add.ress -d 0.0.0.0/0 -j ACCEPT
    ipchains -A forward -j DENY

    Since ipchains does not maintain state, your reverse traffic hits the DENY
    rule and gets dropped.

    I would recommend iptables here (makes life much simpler).

    iptables -t filter -P FORWARD DROP
    iptables -t filter -A FORWARD -s my.ip.add.ress -d 0.0.0.0/0 -j ACCEPT
    # replies to connections the LAN host opened, matched by connection tracking
    iptables -t filter -A FORWARD -s 0.0.0.0/0 -d my.ip.add.ress -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
    # LOG does not terminate rule traversal; the DROP after it does
    iptables -t filter -A FORWARD -j LOG
    iptables -t filter -A FORWARD -j DROP

    > Reverse them.
    He has a policy and a single rule. Nothing to reverse.

    Devdas Bhagat
    <snip>
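
The point of the reply above is that a first-match filter without connection tracking cannot tell an echo reply from any other inbound packet. The following is an added illustration, not code from the post or from ipchains/iptables: a toy first-match filter that evaluates the poster's stateless ruleset, the "also accept anything addressed to my host" workaround people reach for with ipchains, and Devdas's stateful iptables ruleset against the same ping exchange. All addresses are constructed (192.168.1.10 stands in for "my.ip.add.ress", 198.51.100.7 for a host on the Internet), and the connection tracking is a simplified model keyed on the 5-tuple, not the kernel's.

```python
"""Toy first-match packet filter, with and without connection tracking.
Added illustration for the thread above, not code from the post.
Constructed addresses: 192.168.1.10 = the LAN host, 198.51.100.7 = remote."""
import ipaddress
from dataclasses import dataclass

LAN_HOST = ipaddress.ip_network("192.168.1.10/32")   # constructed
ANY = ipaddress.ip_network("0.0.0.0/0")
ESTABLISHED = frozenset({"ESTABLISHED", "RELATED"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0   # for ICMP echo: the identifier, same in request and reply
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT, DENY/DROP, or LOG (non-terminating)
    src: object = ANY
    dst: object = ANY
    states: frozenset = frozenset()  # empty: match regardless of state

    def matches(self, pkt, state):
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return not self.states or state in self.states


class Chain:
    """One chain walked top to bottom; the policy applies if no rule matches."""

    def __init__(self, policy, rules, stateful):
        self.policy, self.rules, self.stateful = policy, rules, stateful
        self.conntrack = set()   # flows already accepted (iptables-style state)
        self.log = []

    @staticmethod
    def _flow(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _state(self, pkt):
        if not self.stateful:
            return None              # ipchains: no notion of state at all
        seen = self._flow(pkt) in self.conntrack or self._reverse(pkt) in self.conntrack
        return "ESTABLISHED" if seen else "NEW"

    def verdict(self, pkt):
        state = self._state(pkt)
        result = self.policy
        for rule in self.rules:
            if not rule.matches(pkt, state):
                continue
            if rule.target == "LOG":
                self.log.append(f"{pkt.proto} {pkt.src} -> {pkt.dst}")
                continue             # LOG does not stop rule traversal
            result = rule.target
            break
        if result == "ACCEPT" and self.stateful:
            self.conntrack.add(self._flow(pkt))
        return result


def ipchains_ruleset():
    """The poster's ruleset as restated in the reply (stateless)."""
    return Chain("DENY", [Rule("ACCEPT", src=LAN_HOST), Rule("DENY")], stateful=False)


def ipchains_widened_ruleset():
    """The tempting stateless fix: also accept anything addressed to the LAN host."""
    return Chain("DENY", [Rule("ACCEPT", src=LAN_HOST), Rule("ACCEPT", dst=LAN_HOST),
                          Rule("DENY")], stateful=False)


def iptables_ruleset():
    """The iptables suggestion: replies admitted by state, then LOG and DROP."""
    return Chain("DROP", [Rule("ACCEPT", src=LAN_HOST),
                          Rule("ACCEPT", dst=LAN_HOST, states=ESTABLISHED),
                          Rule("LOG"), Rule("DROP")], stateful=True)


def ping_exchange(chain, remote="198.51.100.7"):
    """Echo request from the LAN host outbound, then the echo reply coming back."""
    request = Packet("192.168.1.10", remote, "icmp", 0x1234, 0x1234)
    reply = Packet(remote, "192.168.1.10", "icmp", 0x1234, 0x1234)
    return chain.verdict(request), chain.verdict(reply)


def unsolicited_inbound(chain, remote="198.51.100.7"):
    """An inbound connection attempt that nothing on the LAN asked for."""
    return chain.verdict(Packet(remote, "192.168.1.10", "tcp", 40000, 80))


if __name__ == "__main__":
    print("ipchains:", ping_exchange(ipchains_ruleset()))                  # ('ACCEPT', 'DENY')
    print("widened: ", unsolicited_inbound(ipchains_widened_ruleset()))   # ACCEPT
    fw = iptables_ruleset()
    print("iptables:", ping_exchange(fw), unsolicited_inbound(fw), fw.log)
```

The stateless ruleset accepts the outbound request and denies the reply, which is the symptom the poster describes. Widening it with a second ACCEPT on the destination address does let the reply through, but it also lets through any unsolicited inbound packet to the LAN host, which is exactly what a forward filter is there to stop. The stateful ruleset accepts the reply because the outbound request was already in the tracking table, and still logs and drops the unsolicited attempt.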

