Ipchains Woes

Steve Holmes plug-discuss@lists.plug.phoenix.az.us
Wed, 27 Feb 2002 10:24:44 -0700 (US Mountain Standard Time)


I'm not on my home - just getting mail from work right now.  But let me
say that in a different form, I am already "permitting" traffic from my
local network (192.168.1.0/24) through the input chain; I used -i eth0
rather than specify the ip address; don't know if that is an issue or not.

I should also point out that I can use a browser or ping to get to ip
addresses outside on the Net.  But I cannot use my DNS.  The 'dig' command
simply hangs waiting for response from the name server.  As I said
previously, adding port 53 (both tcp and udp) yields nothing.  What seemed
to make the difference for me was opening up ports tcp 1024:65535.  I
used "! -y" per Craig's suggestion from the other day for better security.
Upon doing that, I could establish an HTTP and FTP with any IP address
but not a "named" site.  If I haven't figured this out by tonight, I will
attach transcripts of the suggested commands from Craig's message.  As a
preview, the pings mentioned are successful and the ipchains -L should be
interesting to look at; it doesn't show the actual interface names but the
rules get built and recent tests show that the -i parameter is being used
correctly.

On Wed, 27 Feb 2002, Patrick Fleming EA wrote:

> On Wed, 27 Feb 2002, Steve Holmes wrote:
>
> > OK, I can lynx to other sites and I can ping along as I use numeric ip
> > addresses.  Here is the test firewall script I am currently using when I
> > do this.  BTW, ports 53 (both udp and tcp) do not yield me any thing.  I
> > use a regular name server at 24.221.30.3.
> > ------------------
> > #!/bin/sh
> > # Firewall testing script
> >
> > ipchains -P input DENY
> > ipchains -P forward DENY
> > ipchains -P output ACCEPT
> >
> > ipchains -A forward -s 192.168.1.0/24 -i eth1 -j MASQ
> > ipchains -A input -i lo -j ACCEPT
> > ipchains -A input -i eth0 -j ACCEPT
> > ipchains -A input -p tcp ! -y --dport 1024:65535 -j ACCEPT
> > ipchains -A input -p icmp -j ACCEPT
>
> AHA! I think I see your problem.
> ipchains requires traversal of all three input, output, forward.
> Add:
> ipchains -A input -s 192.168.1.0/24 -i eth1 -j ACCEPT
> ipchains -A output -s 192.168.1.0/24 -i eth1 -j ACCEPT
> as well as for the other rules. I would be willing to bet that if you
> tried: ipchains -C input -p tcp -s $someip $someport -d $netinterface
> $someport -i eth1
> on the CL it would return denied.
>
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
>
> --
> Patrick Fleming, EA
> Licensed to represent taxpayers
> before Exam, Appeals, and Conference
> divisions of the IRS
>
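As an added example (not code from the thread), here is a small Python model of how the input chain Steve posted evaluates reply packets arriving from the outside. ipchains has no connection tracking, so a reply is accepted only if some rule matches it on its own; the model assumes eth1 is the external interface (as the MASQ rule implies), uses constructed sample packets, and adds a hypothetical extra rule for UDP replies from a resolver's port 53.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    iface: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False   # True for a SYN-only packet (what ipchains "-y" matches)

def rule(iface=None, proto=None, sport=None, dport=None, not_syn=False, target="ACCEPT"):
    """Mirror of the options used in the posted 'ipchains -A input' lines."""
    return dict(iface=iface, proto=proto, sport=sport, dport=dport,
                not_syn=not_syn, target=target)

def matches(r, p):
    """Every given option must match; ports are inclusive (low, high) ranges."""
    if r["iface"] and r["iface"] != p.iface:
        return False
    if r["proto"] and r["proto"] != p.proto:
        return False
    if r["sport"] and not (r["sport"][0] <= p.sport <= r["sport"][1]):
        return False
    if r["dport"] and not (r["dport"][0] <= p.dport <= r["dport"][1]):
        return False
    if r["not_syn"] and p.syn:       # "! -y": do not match SYN-only packets
        return False
    return True

def verdict(chain, p, policy="DENY"):
    """First matching rule decides; no match falls through to the chain policy."""
    for r in chain:
        if matches(r, p):
            return r["target"]
    return policy

# The input chain as posted (eth0 = LAN, eth1 = external, as the MASQ rule implies).
POSTED_INPUT = [
    rule(iface="lo"),
    rule(iface="eth0"),
    rule(proto="tcp", not_syn=True, dport=(1024, 65535)),
    rule(proto="icmp"),
]

# Hypothetical extra rule: accept UDP replies arriving from port 53 on eth1.
DNS_UDP_REPLY_RULE = rule(iface="eth1", proto="udp", sport=(53, 53), dport=(1024, 65535))
# Constructed sample replies arriving on the external interface.
HTTP_REPLY = Packet("eth1", "tcp", 80, 40000)     # web server answering
DNS_UDP_REPLY = Packet("eth1", "udp", 53, 40001)  # resolver answering over UDP
DNS_TCP_REPLY = Packet("eth1", "tcp", 53, 40002)  # resolver answering over TCP
```

Run `verdict(POSTED_INPUT, DNS_UDP_REPLY)` to see the UDP answer fall through to the DENY policy while the TCP replies are accepted by the `! -y` rule.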