/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


Larry Lamb wrote:

> Frode,
> 
> You can't block all the input ports or connections won't make it back in.
> To keep things from getting inside your network, deny forwarding and block
> connections to known ports bound to the external NIC that you don't want
> people to access.  If you do a netstat -an and see a port listening on
> 0.0.0.0, block it unless you want people to access it.  Unfortunately
> ipchains doesn't have the logic that some of the more advanced "stateful"
> firewalls have on tracking outbound connections and opening the necessary
> port to get back in.  I've barely looked into iptables, but it's supposed to
> be a lot more advanced so you may wish to look into this though I'm not sure
> if it will allow what you're wishing.

it will.

> Good luck,
> 
> Larry Lamb, CCNP, CCDA, MSCE, MCP+I
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf
> Of Frode Hauge
> Sent: Sunday, May 27, 2001 3:08 PM
> To: [EMAIL PROTECTED]
> Subject: [Masq] IPCHAINS ruleset that blocks all incoming but allows all
> outbound
> 
> I've scratched my head for a good 2-3 hours now and can't for the life of
> me figure this out. I've hunted the web a bit and can't find anything
> either.
> 
> Granted, I may be having a seriously blind day, but here's what I'm trying
> to do:
> 
> 1) Block ALL incoming traffic to ALL ports using ALL protocols
> 2) Allow the firewall machine and the masqueraded hosts behind it full
> access.
> 
> So, basically, I want to block everything incoming, unless they're packets
> in response to connections already established from behind the firewall.
> 
> The "strong" rulesets I find on the net all seem to do the same thing. Blocks
> off some known "nasty" ports, but sets a catch-all rule to allow everything
> else. The stronger they are, the more ports they block, but all seem to have
> that catch-all allow at the end.

you haven't looked hard enough. there are many ipchains scripts
out there that do not take that approach.

> Am I a total blockhead at the moment, or doesn't ipchains allow for incoming
> packets on ports established from the firewall machine itself (and any
> masqueraded hosts, of course)? This just seems too unlikely to be the case.
> It shouldn't be able to call itself a firewall if this was true.

ipchains is not stateful (like iptables). it has no idea whether or not
an incoming udp packet is part of a "connection" or not. if your ipchains
rules allow a udp packet in to a particular port, it allows all udp packets
to that port. the same is almost true for tcp as well but at least the tcp
protocol does really have connections and you can use "! -y" in rules to
allow incoming tcp packets that look like they might be part of a connection.
they may not be, and ipchains will let them in, but if they're not really
part of an existing connection, then the tcp/ip stack will drop them anyway.

as for masquerading, be aware that linux-2.2 uses the ports 61000-65096 for
masqueraded connections (and 1024-4999 for local connections). so to allow
incoming packets for existing tcp connections to the local host:

  # a reply is addressed to the firewall's own ephemeral port, so match the
  # destination port (the remote server's source port can be anything)
  ipchains -A input -p tcp -i $extif --dport 1024:4999 ! -y -j ACCEPT

and to allow incoming packets for existing connections to masqueraded hosts:

  # likewise the masquerade port is the destination port of the reply
  ipchains -A input -p tcp -i $extif --dport 61000:65096 ! -y -j ACCEPT

> If I for the moment ignore the masq issue and just write out the very (I
> thought) simple idea as ipchains rules. I'm starting out EXTREMELY simple
> here. Since I can't even get this much working there's not much point adding
> the more "advanced" ideas I had. I chose to use no IPs for this example, the
> interface should do the job just fine. But I have tried using IPs too, with
> no more luck:
> 
> Default policies = DENY for forwarding, ALLOW for input and output

there's also no point starting from an allow all stance, either.
start with deny for everything and get that working. getting it
working where you allow all incoming and outgoing packets serves
no purpose.

> #Allow all outbound connections on the adsl interface. Nevermind
> #possible spoofing etc, just do it. The policy should allow this, but
> #to illustrate I'll quote it here.
> ipchains -A output -p all -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
> 
> #Block all incoming connections on the adsl interface.
> ipchains -A input -p all -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j DENY

that's not all connections, it's all packets.

> My logic tells me this should work just dandy. And indeed it seems to..
> Sorta. If I add logging and then attempt to connect to irc I get a screen
> full of denies from port 6667 of the remote irc server. What baffles me is
> that, since this connection was established via the allowed output rule, the
> return packets are still blocked.

that's because you blocked all incoming packets.

> I tried to search the archives, but the webserver just spits out an "internal
> error", so no luck there either. Hopefully this hasn't been asked 20 times
> already this week.
> 

read the ipchains howto, the firewall howto, the net howto and
the ipchains man page.

> 
> Thanks in advance,
> 
> 
> Frode

raf
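
As an added example (not raf's code, nor anything posted on the list), here is a complete deny-by-default ipchains script built on the approach described in the reply above: default DENY on every chain, "! -y" reply rules for the Linux 2.2 local (1024-4999) and masquerade (61000-65096) port ranges that raf quotes, and a narrow UDP exception for DNS answers that shows the limitation raf describes (ipchains cannot tell a UDP reply from any other UDP packet, so the best it can do is a port-based exception). The interface names ppp0 and eth0 and the 192.168.1.0/24 LAN are assumptions. By default the script only prints the commands it would run, so it can be reviewed and tested on a box without ipchains; set IPCHAINS=ipchains to apply them.

```shell
#!/bin/sh
# Deny-by-default ipchains ruleset (added example, not from the thread).
# Assumed names: external link ppp0, LAN side eth0, LAN 192.168.1.0/24.
EXTIF="${EXTIF:-ppp0}"
INTIF="${INTIF:-eth0}"
INTNET="${INTNET:-192.168.1.0/24}"
# Dry run by default: the rules are printed instead of loaded.
IPCHAINS="${IPCHAINS:-echo ipchains}"

rule() {
    # unquoted on purpose so "echo ipchains" splits into command + argument
    $IPCHAINS "$@"
}

build_ruleset() {
    # start from deny for everything, then open only what is needed
    rule -P input DENY
    rule -P forward DENY
    rule -P output DENY
    rule -F input
    rule -F forward
    rule -F output

    # loopback and the LAN side are trusted
    rule -A input -i lo -j ACCEPT
    rule -A output -i lo -j ACCEPT
    rule -A input -i "$INTIF" -s "$INTNET" -j ACCEPT
    rule -A output -i "$INTIF" -d "$INTNET" -j ACCEPT

    # anti-spoofing: packets claiming a LAN source must not arrive on the external link
    rule -A input -i "$EXTIF" -s "$INTNET" -j DENY -l

    # the firewall itself and masqueraded hosts may open anything outbound
    rule -A output -i "$EXTIF" -j ACCEPT
    rule -A forward -i "$EXTIF" -s "$INTNET" -j MASQ

    # replies to TCP connections opened by the firewall: the reply's destination
    # port is one of the 2.2 kernel's local ports, and "! -y" rejects bare SYNs
    rule -A input -p tcp -i "$EXTIF" --dport 1024:4999 ! -y -j ACCEPT
    # replies to TCP connections opened by masqueraded hosts (masq port range)
    rule -A input -p tcp -i "$EXTIF" --dport 61000:65096 ! -y -j ACCEPT

    # ipchains cannot tell a UDP reply from any other UDP packet, so DNS answers
    # get a narrow port-based exception; any UDP from port 53 to these ports
    # will be accepted whether or not a query was ever sent
    rule -A input -p udp -i "$EXTIF" --sport 53 --dport 1024:4999 -j ACCEPT
    rule -A input -p udp -i "$EXTIF" --sport 53 --dport 61000:65096 -j ACCEPT

    # everything else arriving on the external link is logged and dropped
    rule -A input -i "$EXTIF" -j DENY -l
}

# build_ruleset   # uncomment (with IPCHAINS=ipchains) to load the rules
```

Run it as-is to see the exact commands, then compare a logged denial (the -l flag) against these lines: an irc reply from source port 6667 to a local port in 1024-4999 now matches the first "! -y" rule instead of the final DENY, while a fresh SYN to the same port range is still dropped.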

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
