Ferenc Tamas Gyurcsan did expound, once upon a Today:
> Hi everybody,
>
> I set up rules for a masq firewall, but the talk stopped working afterwards
> with the ${SUBJECT} nice little message.
I don't know what "with the ${SUBJECT} nice little message" means, but I
think I can help you.
> I figured out that the problem was that I started out this way:
> ipchains -P input DENY
> ipchains -P forward DENY
> ipchains -P output DENY
Ain't IPCHAINS fun? :)
> If I have both input and output denied, talk doesn't work on localhost
> anymore. Alright, I tried to accept everything from the localhost:
> ipchains -A input -s 127.0.0.0/8 -d 0/0 -i lo -j ACCEPT
> ipchains -A output -s 127.0.0.0/8 -d 0/0 -i lo -j ACCEPT
From what you've said it seems to me that you want talk to work for anyone
on the local machine, but not from another machine on your local network,
and not from your external network.
There are a few things you need to realize:
1) Talk is a UDP service.
2) your machine has 3 IP addresses. On the local machine, a packet could
conceivably originate from any of them, and still have originated on
the local machine. I don't understand how the kernel decides what IP a
packet originates from, but my experience tells me it ISN'T what you
would think it would logically be. But then again, I may be on crack.
3) You need to allow talk both FROM the local machine, and TO the local
machine.
4) The source port for a talk connection will be a randomly assigned,
non-privileged port.
That last one is the part that makes this very tricky. You almost have to
allow everything in to let stuff like this work. Explaining this would be
much easier if I knew what IP addresses you had assigned. I'm just going
to assume your IP addresses are 192.168.1.1 for your internal card, and
24.1.1.1 for your external connection. I'll also assume that your eth0 is
for internal network and eth1 is for external connection (this is
preferable IMO). You will need to do something like this:
# accept talk traffic FROM local machine
ipchains -A input -s 127.0.0.0/8 -d 0/0 517 -p UDP -j ACCEPT
# accept talk TO local machine, if it originates from a local IP
ipchains -A input -s 192.168.1.1 -d 127.0.0.1 517 -p UDP -j ACCEPT
ipchains -A input -s 24.1.1.1 -d 127.0.0.1 517 -p UDP -j ACCEPT
Note that if you do it this way, you MAY need to do something like this
for EVERY chain (input, forward, and output), and you *WILL* need to do it
for EVERY service you want to allow, if all of your default policies are
DENY.
Also note that in and of itself, this does not prevent IP spoofing, but
the kernel has an option that makes sure that IP packets originate from
the interface that match their IP address. I don't remember which one it
is off the top of my head (OTTOMH) but I think it's one of the ones that
makes firewalling work, so you probably already have it turned on.
Make sure you are not running version 2.2.11 -- it has a memory leak that
will eventually crash your system. It might have been 2.2.12 -- I can't
remember. Just make sure you're up to date and you don't need to worry
about it.
I highly recommend that you read and re-read the IPCHAINS Howto.
--
PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
------------------------------------------------------
Derek D. Martin | Unix/Linux geek
[EMAIL PROTECTED] | [EMAIL PROTECTED]
------------------------------------------------------
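Added example, not part of the mail above: a small model of ipchains first-match evaluation, used to show why the poster's "-i lo" rules drop a talk request that the kernel sourced from the internal address (point 2 in the reply) while the suggested rules accept it. It assumes the reply's example addresses (192.168.1.1 and 24.1.1.1); the packet and the rule model are constructed and simplified.

```python
# Constructed model of ipchains rule matching (first match wins, then the
# chain policy). Not the kernel's code; only enough to compare the two rule
# sets discussed in the mail.
from ipaddress import ip_network, ip_address

def rule(chain, src, dst, dport=None, proto=None, iface=None, target="ACCEPT"):
    return dict(chain=chain, src=ip_network(src), dst=ip_network(dst),
                dport=dport, proto=proto, iface=iface, target=target)

def matches(r, pkt):
    """A rule matches when every field it specifies agrees with the packet."""
    return (ip_address(pkt["src"]) in r["src"]
            and ip_address(pkt["dst"]) in r["dst"]
            and (r["dport"] is None or r["dport"] == pkt["dport"])
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["iface"] is None or r["iface"] == pkt["iface"]))

def verdict(chain, rules, pkt, policy="DENY"):
    """Walk the chain in order; the first matching rule decides, else policy."""
    for r in rules:
        if r["chain"] == chain and matches(r, pkt):
            return r["target"]
    return policy

# The poster's rules: only 127.0.0.0/8 sources, restricted to lo.
POSTER_RULES = [
    rule("input", "127.0.0.0/8", "0.0.0.0/0", iface="lo"),
    rule("output", "127.0.0.0/8", "0.0.0.0/0", iface="lo"),
]
# The rules suggested in the reply (assumed addresses, no -i restriction).
REPLY_RULES = [
    rule("input", "127.0.0.0/8", "0.0.0.0/0", dport=517, proto="UDP"),
    rule("input", "192.168.1.1/32", "127.0.0.1/32", dport=517, proto="UDP"),
    rule("input", "24.1.1.1/32", "127.0.0.1/32", dport=517, proto="UDP"),
]

# Constructed talk request: the kernel picked the eth0 address as source,
# a random unprivileged source port, destined to talkd on 127.0.0.1:517.
TALK_REQUEST = dict(src="192.168.1.1", dst="127.0.0.1", sport=40123,
                    dport=517, proto="UDP", iface="lo")

def compare(pkt=TALK_REQUEST):
    """Verdict of the input chain under each rule set, default policy DENY."""
    return {"poster": verdict("input", POSTER_RULES, pkt),
            "reply": verdict("input", REPLY_RULES, pkt)}

if __name__ == "__main__":
    print(compare())  # {'poster': 'DENY', 'reply': 'ACCEPT'}
```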
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************