Ipchains Woes

Steve Holmes plug-discuss@lists.plug.phoenix.az.us
Tue, 26 Feb 2002 04:52:45 -0700 (MST)


I know, but as soon as I set the default policy to DENY on the input chain,
all connectivity to the outside is lost.  Here was a basic set of rules at
my last test.
ipchains -P input DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i eth0 -j ACCEPT
ipchains -P forward DENY
ipchains -A forward -s 192.168.1.0/24 -j MASQ
ipchains -P output ACCEPT
Now at this point I tried adding something like
ipchains -A input -i eth1 -p tcp ! -y --dport 1025:65535 -j ACCEPT
to the chains with no change.  At this point, I can get around fine on the
local area network, but from any machine inside or from the firewalled machine
itself, I cannot ping anything other than the DNS itself.  That is
interesting in itself.  My static IP is 24.221.98.238 and the DNS is
24.221.30.3, and I can ping that with no trouble, but I cannot ping other IP
addresses in other network address ranges.  Not sure why that would be the case.
All other protocols are "no go".

Just messing around, but as soon as I added a rule like
ipchains -A input -i eth1 -j ACCEPT
then it was wide open.  That makes sense to me and is what I would expect.
So at least ipchains is recognizing the network devices.  I do find it
interesting that ipchains -L did not specifically mention the device
names.  It showed ----lo but the entries that should have been eth0 and
eth1 showed up as ------.  Shouldn't it have shown the eth devices
clearly?

Thanks for the help so far.

On 25 Feb 2002, Craig White wrote:

> wow - 2 messages in 1 day, David.
>
> as default policy - ACCEPT is a really poor idea for ipchains - for
> testing purposes, OK - but it will ultimately have to be changed to
> REJECT or DENY to have some security and peace of mind...be it forward,
> input or output.
>
> Craig
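As an added illustration (not part of Steve's post or of ipchains itself), here is a small Python model of how ipchains walks the input chain: rules are checked in order, the first match wins, the chain policy applies when nothing matches, and -y stands for the TCP SYN that opens a connection. It runs the posted input chain beside a hardened variant that also admits reply traffic; that eth1 is the external interface, and the four test packets, are assumptions constructed for the example.

```python
# Constructed toy model of ipchains first-match evaluation (not real ipchains).
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    iface: str          # interface the packet arrives on
    proto: str          # "tcp", "udp" or "icmp"
    syn: bool = False   # TCP connection-initiation packet (what ipchains -y matches)
    sport: int = 0
    dport: int = 0

@dataclass
class Rule:
    target: str                              # ACCEPT, DENY or REJECT
    iface: Optional[str] = None              # -i
    proto: Optional[str] = None              # -p
    syn: Optional[bool] = None               # True for -y, False for ! -y
    sport: Optional[Tuple[int, int]] = None  # --sport lo:hi
    dport: Optional[Tuple[int, int]] = None  # --dport lo:hi

    def matches(self, p: Packet) -> bool:
        in_range = lambda r, v: r is None or r[0] <= v <= r[1]
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.syn is None or (p.proto == "tcp" and self.syn == p.syn))
                and in_range(self.sport, p.sport) and in_range(self.dport, p.dport))

def evaluate(chain, policy: str, p: Packet) -> str:
    # Verdict for p: the first matching rule's target, else the chain policy.
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

# The input chain as posted: lo and the LAN side (eth0) accepted, policy DENY.
POSTED = [Rule("ACCEPT", iface="lo"), Rule("ACCEPT", iface="eth0")]
# Hardened variant (assumes eth1 is the external side): also admit replies, i.e.
# TCP without SYN to unprivileged ports and UDP answers coming from port 53.
HARDENED = POSTED + [
    Rule("ACCEPT", iface="eth1", proto="tcp", syn=False, dport=(1025, 65535)),
    Rule("ACCEPT", iface="eth1", proto="udp", sport=(53, 53), dport=(1025, 65535))]

def verdicts(chain) -> dict:
    # Four constructed packets arriving on a chain whose policy is DENY.
    pkts = {"tcp_reply": Packet("eth1", "tcp", syn=False, sport=80, dport=40000),
            "tcp_new": Packet("eth1", "tcp", syn=True, sport=50000, dport=22),
            "dns_reply": Packet("eth1", "udp", sport=53, dport=33000),
            "lan": Packet("eth0", "tcp", syn=True, sport=5000, dport=22)}
    return {name: evaluate(chain, "DENY", p) for name, p in pkts.items()}
```

With the posted chain every packet arriving on eth1 falls through to the DENY policy, replies included, which is the "all connectivity lost" symptom; the hardened chain lets the replies back while a fresh inbound SYN on eth1 is still denied.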