Ipchains Woes

Steve Holmes plug-discuss@lists.plug.phoenix.az.us
Mon, 25 Feb 2002 14:30:00 -0700 (US Mountain Standard Time) 

Actually, I can't do it from the firewall box nor the inside.  One thing I
can tell for sure, I can communicate back and forth between the local
boxes but nobody can get outside with ping, traceroute, dig or any of
those good buddies.  The forward chain does look identical to what you
suggested below.  I need to dig into the input chain, I believe.  This
package script uses an inet-in rule to set up the various permissions and
the internet device (netward card) is defaulted to this internet rule.  If
allowed through, those ports are '-j ACCEPT'.  But devices lo (loopback)
and LAN card (eth0 in my case) both default to input -j ACCEPT so they
should be getting through no matter what, I would think.  So I'm either
missing something or there may be a bug in my implementation of ipchains.

On 25 Feb 2002, Craig White wrote:

> On Mon, 2002-02-25 at 05:32, Steve Holmes wrote:
> > I'm running a 2.2.20 kernel thus use ipchains for the firewall.  What I am
> > trying to do is fairly basic; I have a recent copy of endoshield, a common
> > firewall script which I ported to use ipchains as well as iptables.  My
> > problem is when I run the script, I lose all connectivity with the outside
> > world.  The behavior completely changes as soon as the default policy is
> > changed on the input chain.  When it is ACCEPT, all gets through fine;
> > obviously not good for firewall purposes but I can get out.  As soon as it
> > goes to DENY, I can no longer get through.  The default policy for forward
> > chain is always set to DENY and the output chain is ACCEPT.  The
> > /proc/sys/net/ip_farward is set to 1 for ip masquerade and I have a
> > variety of rules set to open desired ports. Those rules are a part of a
> > custom chain called inet-in and inet-in is linked to the input chain.
> >
> > I know this all sounds veague at the moment but if anyone knows much about
> > ipchains, I'll be glad to share the script I am using with them to compare
> > for any possible errors.  I could post it to the list but is quite lengthy
> > so I think I'll hold off unless there is enough interest:).
> >
> > Any ideas or help would be greately appriciated.  BTW, I have an ip
> > masqueraded network of several machines and the masquerade portion has
> > been working great all along and still does when I can this new firewall
> > implementation:).
> >
> -----
> It is unclear as to which cannot get out when your firewall scripts are
> running - your firewall box or the masqueraded machines on the local lan
> behind the firewall.
>
> If the firewall box can get to the internet no problem, then the first
> thing I would check would be the forward script for masquerading which
> should look something like...
>
>   /sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE
>
> obviously you need to replace the $variables with something that matches
> for you.
>
> if you don't want to show us your scripts, it's simply a guess as to the
> problem but remember - ping/telnet/traceroute are your friends.
>
> Craig
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>