Re: Linux IPChains Question
From: stewart menday (stewart)
Date: 10/13/03
- Next message: n1pop_at_hotmail.com: "Re: tracking cookie?"
- Previous message: Tod: "Re: HELP-MS firewall will not enable"
- In reply to:(deleted message) The Saint: "Re: Linux IPChains Question"
- Next in thread: The Saint: "Re: Linux IPChains Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 13 Oct 2003 12:11:52 +1000
Thanks for all the help so far.
I'm new to this stuff. At the moment I haven't set NAT up; the computer on
the other side has a routable IP address (I don't intend on leaving it this
way), so I cannot see why my rules don't work. I originally tried it with
NAT and it didn't work, so I took a step back and tried it with the routable
IP, but it still doesn't work. What is wrong with my 2 simple rules?
ipchains -P forward DENY
ipchains -A forward -s my.routable.ip.address -j ACCEPT
"The Saint" <gur_fnvag@gurfnvag.v-c.pbz> wrote in message
news:1100802744.41d329a0@thesaint.i-p.com...
> Devdas Bhagat wrote:
>
> >On Fri, 10 Oct 2003 07:24:18 +0000 (UTC), Nicholas Suan <nsuan@nonexiste.net>
> >poured into the usenet group comp.security.firewalls:
> >> "stewart menday" <stewart at webstorm.net.au> wrote in news:3f8619d6$0$95047$c30e37c6@lon-reader.news.telstra.net:
> >>
> >>> Hi All
> >>> I am trying to setup a bit of a firewall with Red Hat Linux 7 using
> >>> IPChains. I want to disable forwarding for everyone except machines
> >>> connected to my network (one win2000 machine), I have the following rules
> >>>
> >>> ipchains -P forward DENY
> >>> ipchains -A forward -s myipaddress -j ACCEPT
> >>>
> >>> but it doesn't seem to work, I cannot ping (or anything else) anything
> >>> outside my network, it all works fine if the default policy is ACCEPT.
> >>>
> >>> What am I doing wrong? Any help would be great.
> >>>
> >I suggest adding an explicit DENY and log rule at the end.
>
> With ipchains, there is no need for that if you set the policy to
> deny. With iptables, if you set the forwarding policy to drop, you
> usually only need to add an end target (DROP) if you are logging.
>
> >Your ruleset boils down to this:
> >
> >#ipchains -P FORWARD DENY
> >ipchains -A FORWARD -s my.ip.add.ress -d 0.0.0.0/0 -j ACCEPT
> >ipchains -A FORWARD -j DENY
>
> The only reason I would add a target of deny at the end would be for
> logging, which you left off. Besides that, it's essentially the exact
> same thing, except you effectively can't add any more forwarding rules
> later in the chain.
>
> >Since ipchains does not maintain state, your reverse traffic hits the DENY
> >rule and gets dropped.
>
> It will be denied with your two-line chain as well. You are not going
> to get any packets on your NATed inside computers without
> masquerading.
>
> >I would recommend iptables here (makes life much simpler).
>
> I couldn't agree more. Iptables is much more flexible IMHO.
>
> >iptables -t filter -P FORWARD DROP
> >iptables -t filter -A FORWARD -s my.ip.add.ress -d 0.0.0.0/0 -j ACCEPT
> >iptables -t filter -A FORWARD -s 0.0.0.0/0 -d my.ip.add.ress -m state \
> >--state ESTABLISHED,RELATED -j ACCEPT
> >iptables -t filter -A FORWARD -j LOG
> >iptables -t filter -A FORWARD -j DROP
>
> The filter table is loaded by default, making "-t filter" unnecessary.
> Also, if you expect to see any returning packets to a NATed inside
> computer, you need to add something like this:
> iptables -A POSTROUTING -t nat -o $external_if -j MASQUERADE
>
> >> Reverse them.
> >He has a policy and a single rule. Nothing to reverse.
>
> Effectively, so does yours.
>
> In short, I believe that his problem is masquerading, not policy
> rules.
>
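The point made in the quoted discussion (a stateless ipchains FORWARD chain lets the outbound packet through but the reply falls to the DENY policy, whereas an iptables rule matching ESTABLISHED,RELATED accepts it) as an added toy model of the chain walk; this is not code from the thread, and the addresses, Packet and ForwardChain names are constructed for illustration.

```python
# Toy model of the FORWARD chain: one "-s inside -j ACCEPT" rule, an optional
# conntrack-style "ESTABLISHED" rule, and a default DENY policy.
from dataclasses import dataclass, field

INSIDE = "192.0.2.10"      # constructed stand-in for "my.routable.ip.address"
OUTSIDE = "198.51.100.1"   # constructed remote host being pinged

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str

    def reverse(self):
        # The reply flow has the endpoints swapped (a simplification of how
        # conntrack pairs an ICMP echo reply with its request).
        return Packet(self.dst, self.src, self.proto)

@dataclass
class ForwardChain:
    policy: str = "DENY"
    stateful: bool = False                 # ipchains: False; iptables -m state: True
    accept_src: str = INSIDE
    conntrack: set = field(default_factory=set)

    def verdict(self, pkt):
        # Rule 1 in both rulesets: -s my.ip -j ACCEPT
        if pkt.src == self.accept_src:
            if self.stateful:
                self.conntrack.add(pkt)    # remember the outbound flow
            return "ACCEPT"
        # Rule 2, iptables only: -d my.ip -m state --state ESTABLISHED,RELATED -j ACCEPT
        if self.stateful and pkt.reverse() in self.conntrack:
            return "ACCEPT"
        return self.policy                 # nothing matched: chain policy applies

def ping_round_trip(stateful):
    """Return (verdict on echo request, verdict on echo reply)."""
    chain = ForwardChain(stateful=stateful)
    request = Packet(INSIDE, OUTSIDE, "icmp")
    return chain.verdict(request), chain.verdict(request.reverse())

if __name__ == "__main__":
    print("ipchains (stateless):", ping_round_trip(stateful=False))
    print("iptables (stateful): ", ping_round_trip(stateful=True))
```

With the stateless chain the reply is denied even though the request was accepted, which is why ping never completes; the stateful chain accepts it as part of the tracked flow.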