Ipchains Woes

Patrick Fleming EA plug-discuss@lists.plug.phoenix.az.us
Mon, 25 Feb 2002 20:04:30 -0700 (MST)


Try ipchains -C on your rules. It takes some time to diagnose the problem 
sometimes, but it can help to determine which side the rules aren't 
working on. As was suggested elsewhere, you could add the -l flag to each 
rule and see which one drops the packets.
Also, are you flushing the rulesets at the beginning of the script to make 
sure nothing is hanging around from an old deleted chain?



On Mon, 25 Feb 2002, Steve Holmes wrote:

> Actually, I can't do it from the firewall box nor the inside.  One thing I
> can tell for sure, I can communicate back and forth between the local
> boxes but nobody can get outside with ping, traceroute, dig or any of
> those good buddies.  The forward chain does look identical to what you
> suggested below.  I need to dig into the input chain, I believe.  This
> package script uses an inet-in rule to set up the various permissions and
> the internet device (network card) is defaulted to this internet rule.  If
> allowed through, those ports are '-j ACCEPT'.  But devices lo (loopback)
> and LAN card (eth0 in my case) both default to input -j ACCEPT so they
> should be getting through no matter what, I would think.  So I'm either
> missing something or there may be a bug in my implementation of ipchains.
> 
> On 25 Feb 2002, Craig White wrote:
> 
> > On Mon, 2002-02-25 at 05:32, Steve Holmes wrote:
> > > I'm running a 2.2.20 kernel thus use ipchains for the firewall.  What I am
> > > trying to do is fairly basic; I have a recent copy of endoshield, a common
> > > firewall script which I ported to use ipchains as well as iptables.  My
> > > problem is when I run the script, I lose all connectivity with the outside
> > > world.  The behavior completely changes as soon as the default policy is
> > > changed on the input chain.  When it is ACCEPT, all gets through fine;
> > > obviously not good for firewall purposes but I can get out.  As soon as it
> > > goes to DENY, I can no longer get through.  The default policy for forward
> > > chain is always set to DENY and the output chain is ACCEPT.  The
> > > /proc/sys/net/ip_forward is set to 1 for ip masquerade and I have a
> > > variety of rules set to open desired ports. Those rules are a part of a
> > > custom chain called inet-in and inet-in is linked to the input chain.
> > >
> > > I know this all sounds vague at the moment but if anyone knows much about
> > > ipchains, I'll be glad to share the script I am using with them to compare
> > > for any possible errors.  I could post it to the list but it is quite lengthy
> > > so I think I'll hold off unless there is enough interest:).
> > >
> > > Any ideas or help would be greatly appreciated.  BTW, I have an ip
> > > masqueraded network of several machines and the masquerade portion has
> > > been working great all along and still does when I can this new firewall
> > > implementation:).
> > >
> > -----
> > It is unclear as to which cannot get out when your firewall scripts are
> > running - your firewall box or the masqueraded machines on the local lan
> > behind the firewall.
> >
> > If the firewall box can get to the internet no problem, then the first
> > thing I would check would be the forward script for masquerading which
> > should look something like...
> >
> >   /sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE
> >
> > obviously you need to replace the $variables with something that matches
> > for you.
> >
> > if you don't want to show us your scripts, it's simply a guess as to the
> > problem but remember - ping/telnet/traceroute are your friends.
> >
> > Craig
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
> 

-- 
Patrick Fleming, EA
Licensed to represent taxpayers
before Exam, Appeals, and Conference 
divisions of the IRS
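The advice in this thread (flush before loading, DENY input and forward, trust lo and the LAN side, send the external interface through an inet-in chain, Craig's MASQ rule on forward, -l on the catch-all rule and -C to test a packet against the loaded rules) fits in one small script. The following is an added example, not the endoshield script anyone on the list was running; the interface names, the LAN range and the IPCHAINS variable (which lets you print the rules with IPCHAINS=echo instead of loading them) are assumptions of the example.

```shell
#!/bin/sh
# Added example: a minimal ipchains loader in the shape the thread discusses.
# It is not the endoshield script; interface names and addresses are
# constructed placeholders.
EXTIF="${EXTIF:-ppp0}"               # assumed external interface
INTIF="${INTIF:-eth0}"               # assumed LAN interface
INTLAN="${INTLAN:-192.168.1.0/24}"   # assumed LAN range
UNIVERSE="0.0.0.0/0"
# Set IPCHAINS=echo to print the rules that would be loaded instead of loading them.
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

flush_all() {
    # Clean slate: rules from an earlier run of the script must not linger.
    $IPCHAINS -F input
    $IPCHAINS -F forward
    $IPCHAINS -F output
    # The custom chain may not exist yet on a first run, so ignore errors here.
    $IPCHAINS -F inet-in 2>/dev/null || true
    $IPCHAINS -X inet-in 2>/dev/null || true
}

load_rules() {
    flush_all
    # Default policies as in the thread: input and forward DENY, output ACCEPT.
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT

    # Loopback and the LAN interface are trusted on the input chain.
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i "$INTIF" -s "$INTLAN" -j ACCEPT

    # Everything arriving on the external interface is judged by inet-in.
    $IPCHAINS -N inet-in
    $IPCHAINS -A input -i "$EXTIF" -j inet-in

    # With a DENY policy, the replies to the firewall's own connections are the
    # first thing to go missing.  Non-SYN TCP is a reply to something we started,
    # UDP from port 53 is a DNS answer, and echo-reply is what ping waits for.
    $IPCHAINS -A inet-in -p tcp ! -y -j ACCEPT
    $IPCHAINS -A inet-in -p udp -s "$UNIVERSE" 53 -j ACCEPT
    $IPCHAINS -A inet-in -p icmp --icmp-type echo-reply -j ACCEPT
    # Replies to masqueraded LAN hosts come back to the firewall's own address on
    # the 2.2 kernel's masquerade port range (61000-65095) and are demasqueraded
    # only after the input chain, so UDP in that range must be accepted here too
    # (TCP replies are already covered by the non-SYN rule above).
    $IPCHAINS -A inet-in -p udp -d "$UNIVERSE" 61000:65095 -j ACCEPT
    # Log (-l) whatever is about to be dropped so the kernel log names the packet.
    $IPCHAINS -A inet-in -l -j DENY

    # Masquerade the LAN out of the external interface (the rule Craig quoted).
    $IPCHAINS -A forward -j MASQ -i "$EXTIF" -s "$INTLAN" -d "$UNIVERSE"
}

check_packet() {
    # ipchains -C asks the kernel what a described packet would get (accepted,
    # denied, rejected or masqueraded).  It needs protocol, interface, source,
    # destination and both ports.
    # Usage: check_packet CHAIN PROTO IFACE SRC SPORT DST DPORT
    $IPCHAINS -C "$1" -p "$2" -i "$3" -s "$4" "$5" -d "$6" "$7"
}

case "${1:-}" in
    load)  load_rules ;;
    check) shift; check_packet "$@" ;;
    *)     ;;   # no arguments: only define the functions (e.g. when sourced)
esac
```

Run it as `sh fw.sh load` to load the rules, and then, for example, `sh fw.sh check input tcp ppp0 198.51.100.7 80 203.0.113.5 1025` to ask the kernel what a web reply arriving on the external interface would get; a `denied` answer there, combined with the `Packet log:` lines the `-l` rule writes to the kernel log, points straight at the rule that is dropping the reply. With `IPCHAINS=echo sh fw.sh load` the same script just prints the rule list in order, which is a quick way to confirm the flush really comes first.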