Ipchains Woes

Craig White plug-discuss@lists.plug.phoenix.az.us
25 Feb 2002 18:17:24 -0700


On Mon, 2002-02-25 at 14:30, Steve Holmes wrote:
> Actually, I can't do it from the firewall box nor the inside.  One thing I
> can tell for sure, I can communicate back and forth between the local
> boxes but nobody can get outside with ping, traceroute, dig or any of
> those good buddies.  The forward chain does look identical to what you
> suggested below.  I need to dig into the input chain, I believe.  This
> package script uses an inet-in rule to set up the various permissions and
> the internet device (network card) is defaulted to this internet rule.  If
> allowed through, those ports are '-j ACCEPT'.  But devices lo (loopback)
> and LAN card (eth0 in my case) both default to input -j ACCEPT so they
> should be getting through no matter what, I would think.  So I'm either
> missing something or there may be a bug in my implementation of ipchains.
> 
---
OK - first things first...

if you try ifconfig|less

it will tell you what the configuration is for each interface...I am
presuming that you have an eth0, eth1 and lo
eth0 should be your public ip or your lan ip address and the eth1 should
be whichever eth0 isn't.

If you enter...
ipchains -F input
ipchains -F output
ipchains -F forward
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT

you will have turned off all blocking rules - you can select the entire
mess in your mail client and click with the 3rd button in a terminal
window if you use KDE to keep from typing.

After this rule set is in place - try to ping some easy items...your
name server addresses in /etc/resolv.conf should be good ones - then try
to ping www.yahoo.com for good measure (tests whether your dns client
setup is good).

After this works - you can implement your rule sets and then try to ping
the same things - if this works, then you should be able to work through
the masquerading on your lan computers but don't bother with them until
your firewall box can ping the internet freely.

If your firewall computer cannot ping the internet freely after the
introduction of the firewall rules then you probably need to look at
these types of things...

# Local interface, any source going to local net is valid.
/sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN

# Loopback interface is valid.
/sbin/ipchains -A output -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE

# Enabling all input REPLY (TCP/UDP) traffic on high ports.
/sbin/ipchains -A input -j ACCEPT ! -y -p tcp -s $UNIVERSE -d $EXTIP 1025-65535

The first 2 allowing stuff out is necessary and the last one - allowing
replies back in is necessary.

This all is too tough - I would HEAVILY recommend that you use something
intelligently worked through...
<http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c-10.html#ss10.7>

This is David Ranch's strong rulesets for TrinityOS. They are
comprehensive and easy enough to track.

Craig
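The troubleshooting sequence Craig describes (flush and open all chains, ping the resolv.conf nameservers and then a hostname, then put the three minimal rules back) as a small sh script. This is an added example, not Craig's or TrinityOS's script; the interface names and addresses are placeholders to adjust, and IPCHAINS defaults to echoing the commands so the script can be reviewed before it is run for real.

```shell
#!/bin/sh
# Added example: walks through the open-everything / test / reapply-rules
# procedure from the post. IPCHAINS defaults to a dry run that prints the
# ipchains invocations; set IPCHAINS=/sbin/ipchains to actually apply them.
IPCHAINS="${IPCHAINS:-echo /sbin/ipchains}"
UNIVERSE="0.0.0.0/0"
INTIF="${INTIF:-eth0}"                 # assumed: LAN-facing interface
LOOPBACKIF="lo"
EXTIP="${EXTIP:-198.51.100.10}"        # assumed: public address (placeholder)
INTLAN="${INTLAN:-192.168.1.0/24}"     # assumed: LAN range (placeholder)

# Step 1 of the post: flush every chain and set default policy ACCEPT so no
# rule can be blamed while basic connectivity is tested.
open_everything() {
    for chain in input output forward; do
        $IPCHAINS -F "$chain"
        $IPCHAINS -P "$chain" ACCEPT
    done
}

# Pull the nameserver addresses out of a resolv.conf-style file; these are the
# "easy items" to ping first, since they are reachable by IP without DNS.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Ping each nameserver by address, then a hostname to exercise the DNS client.
# Returns 0 only if everything answered (assumes iputils ping with -W).
connectivity_check() {
    rc=0
    for ns in $(resolv_nameservers "${1:-/etc/resolv.conf}"); do
        ping -c 1 -W 2 "$ns" >/dev/null 2>&1 || { echo "no reply from $ns"; rc=1; }
    done
    ping -c 1 -W 2 www.yahoo.com >/dev/null 2>&1 || { echo "DNS or route problem"; rc=1; }
    return $rc
}

# Step 2: the three rules from the post. LAN and loopback output are allowed,
# and non-SYN (! -y) TCP replies to high ports on the external address are let in.
minimal_rules() {
    $IPCHAINS -A output -j ACCEPT -i "$INTIF" -s "$UNIVERSE" -d "$INTLAN"
    $IPCHAINS -A output -j ACCEPT -i "$LOOPBACKIF" -s "$UNIVERSE" -d "$UNIVERSE"
    $IPCHAINS -A input -j ACCEPT ! -y -p tcp -s "$UNIVERSE" -d "$EXTIP" 1025-65535
}
```

Run connectivity_check once with everything open and once more after minimal_rules; if the second run fails, the rules, not the interface configuration, are the problem.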