/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


Reckhard, Tobias wrote:

> Hi
> 
> > On Tue, 5 Sep 2000, raf wrote:
> > 
> > : > ACCEPT tcp ------ mail.pcraft.com  yeehaw.csd.net   any ->   shell
> > : > ACCEPT tcp ------ yeehaw.csd.net   mail.pcraft.com  shell -> 1024:65535
> > : 
> > : this looks wrong: why accept incoming packets from any port but only
> > : accept outgoing packets to unprivileged ports? if a packet comes in
> > 
> >     This was changed two minutes after I had sent my message out to
> > be 'any -> shell' and 'shell -> any', it still did the same thing: refuse
> > from both ends.
> > 
> Have you tried 'checking' your chains with packets like those that you
> describe? Try something like the following:
> 1. Check if DNS lookups on the names concerned work.
> 2. Check the chains:
>      ipchains -C input -s mail.pcraft.com 1234 -d yeehaw.csd.net 514 -p tcp -i <INIF>
>      ipchains -C forward -s mail.pcraft.com 1234 -d yeehaw.csd.net 514 -p tcp -i <OUTIF>
>      ipchains -C output -s mail.pcraft.com 1234 -d yeehaw.csd.net 514 -p tcp -i <OUTIF>
> 
> and see if the packet makes it through. If it doesn't, try to find the
> offending rule by removing parts of the chains and repeating the above.

the package at http://www.zip.com.au/~raf2/lib/software/firewall/
contains a utility called fwhelper that makes this sort of analysis
much easier. if you capture tcpdump output while sending the packets
in question, and then turn on your packet filter and then pass the
tcpdump output through fwhelper, it will tell you exactly which rules
match or don't match each packet. it's like ipchains -C except that it
tells you why each packet is accepted or denied.

raf
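Added example (not code from the thread, and not fwhelper itself): a small "explain why" matcher that takes the two ACCEPT rules quoted above, in their original asymmetric form, and reports for each constructed packet which rule matched or, for every rule that did not, which field failed. The rule layout, the service table and the sample packets are assumptions made for the example; hostnames are compared as plain strings, so no DNS lookup happens. The second packet is the return leg of a connection whose client port is 1023, which falls outside the `1024:65535` range the second rule allows, which is exactly the asymmetry raf's quoted remark questions.

```python
"""Toy 'explain why' packet/rule matcher in the spirit of fwhelper.

Constructed for illustration: a first-match chain with a default policy,
rules written in the 'ACCEPT tcp ------ src dst sport -> dport' layout
seen in the thread, and two hand-built packets.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Minimal service table (assumed; a real tool would consult /etc/services).
SERVICES = {"shell": 514, "smtp": 25, "ssh": 22}

PortRange = Tuple[int, int]


def parse_port(spec: str) -> PortRange:
    """Turn 'any', a service name, a number, or 'lo:hi' into an inclusive range."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo), int(hi))
    if spec in SERVICES:
        return (SERVICES[spec], SERVICES[spec])
    return (int(spec), int(spec))


@dataclass(frozen=True)
class Rule:
    action: str        # ACCEPT or DENY
    proto: str         # tcp, udp, or any
    src: str           # source host, matched as a plain string
    dst: str           # destination host
    sport: PortRange
    dport: PortRange


def parse_rule(line: str) -> Rule:
    """Parse one rule line; the '------' TCP-flags column is ignored here."""
    action, proto, _flags, src, dst, sport, arrow, dport = line.split()
    if arrow != "->":
        raise ValueError(f"bad rule line: {line!r}")
    return Rule(action, proto, src, dst, parse_port(sport), parse_port(dport))


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def mismatches(rule: Rule, pkt: Packet) -> List[str]:
    """Fields on which the rule does NOT match the packet; empty means match."""
    reasons = []
    if rule.proto != "any" and rule.proto != pkt.proto:
        reasons.append(f"proto {pkt.proto} != {rule.proto}")
    if rule.src != pkt.src:
        reasons.append(f"src {pkt.src} != {rule.src}")
    if rule.dst != pkt.dst:
        reasons.append(f"dst {pkt.dst} != {rule.dst}")
    lo, hi = rule.sport
    if not lo <= pkt.sport <= hi:
        reasons.append(f"sport {pkt.sport} outside {lo}:{hi}")
    lo, hi = rule.dport
    if not lo <= pkt.dport <= hi:
        reasons.append(f"dport {pkt.dport} outside {lo}:{hi}")
    return reasons


def check(rules: List[Rule], pkt: Packet, default: str = "DENY"):
    """First-match evaluation of one chain with a default policy.

    Returns (verdict, index of the matching rule or None, per-rule trace),
    where each trace entry is (rule index, 'match' or the joined reasons).
    """
    trace = []
    for i, rule in enumerate(rules):
        why = mismatches(rule, pkt)
        trace.append((i, "match" if not why else "; ".join(why)))
        if not why:
            return rule.action, i, trace
    return default, None, trace


# Constructed chain: the two rules quoted in the thread, asymmetric as posted.
RULES = [parse_rule(line) for line in (
    "ACCEPT tcp ------ mail.pcraft.com yeehaw.csd.net any -> shell",
    "ACCEPT tcp ------ yeehaw.csd.net mail.pcraft.com shell -> 1024:65535",
)]

# Constructed "captured" packets: a connection from client port 1023 to the
# shell service, and the reply coming back to that port.
OUTBOUND = Packet("tcp", "mail.pcraft.com", "yeehaw.csd.net", 1023, 514)
REPLY = Packet("tcp", "yeehaw.csd.net", "mail.pcraft.com", 514, 1023)

if __name__ == "__main__":
    for pkt in (OUTBOUND, REPLY):
        verdict, idx, trace = check(RULES, pkt)
        where = f"rule {idx}" if idx is not None else "default policy"
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: {verdict} ({where})")
        for i, reason in trace:
            print(f"  rule {i}: {reason}")
```

Running it shows the outbound packet accepted by rule 0 and the reply falling through to the default policy, with rule 1's trace line reading `dport 1023 outside 1024:65535`; that per-field reason is what `ipchains -C` alone does not tell you.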

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]