Setup: Running Redhat Linux 6.2
ipchains 1.3.9, 17-Mar-1999
[Ipchains Beginner alert]
Hope there is room for this kind of beginner question here.
I've worked up and installed an ipchains-based firewall from the web
pages: http://www.linux-firewall-tools.com/linux/firewall/
Only a small portion is shown here.
I selected to block incoming telnet but elected to keep outgoing
telnet. I think these are the rules involved:
# TELNET client (23)
# ------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    --destination-port 23 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    --source-port 23 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT
Assuming my understanding is at least close, it looks like the
`output' rule allows me to telnet out on any UNPRIVPORTS as long as
the destination is to port 23 on remote host.
Now I want to telnet to port 25 on a specific host. Since this is a
single user machine and I have root privileges, I thought I could
just add a rule that allows that manually.
Opened a root xterm and first set and exported the needed VARIABLES as
they are set in the firewall script:
EXTERNAL_INTERFACE=eth0 ; export EXTERNAL_INTERFACE
IPADDR=my.ip.address ; export IPADDR
UNPRIVPORTS="1024:65535" ; export UNPRIVPORTS
Then run an ipchains add command by editing the `output' rule above
changing only the destination-port:
# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    --destination-port 25 -j ACCEPT <RET>
It seems that this would allow me to attempt telnetting to a remote
host on port 25. Watching the syslog output with `tail -f' and
attempting:
# telnet spe.cific.host 25
I see (wrapped for clarity):
Sep 16 06:30:54 reader kernel: Packet log: output REJECT eth0 PROTO=6
my.ip.addrss:4022 xx.xxx.xxx.xx:25 L=60 S=0x00 I=20428 F=0x0000 T=64
SYN (#42)
So thinking I need to restart something I run:
/etc/rc.d/init.d/inet restart
/etc/rc.d/init.d/network reload
After each one I try telnetting again, but each time I get the same
message as above.
Clear enough that I'm missing the boat here in some important way.
Now about that `input' rule above:
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    --source-port 23 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT
I'm having a little trouble understanding the intent here. If the "!"
inverts the meaning of "-y" which is:
Only match TCP packets with the SYN bit set and the ACK
and FIN bits cleared. Such packets are used to request
TCP connection initiation; for example, blocking such
packets coming in an interface will prevent incoming TCP
connections, but outgoing TCP connections will be
unaffected. This option is only meaningful when the
protocol type is set to TCP. If the "!" flag precedes
the "-y", the sense of the option is inverted.
Looks as if the intent is to block the described packets. So would
using the same rule but dropping the "!" and replacing ACCEPT with
DENY, have the same effect?
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
    --source-port 23 \
    -d $IPADDR $UNPRIVPORTS -j DENY
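Editor's added illustration (not code from the poster or from the linux-firewall-tools script): a toy first-match evaluator that mimics how ipchains walks a chain, used to reproduce the two situations in the post. It assumes the generated script ends the output chain with a logging catch-all REJECT (consistent with the logged "output REJECT ... (#42)" line) and that chain policies are DENY; the packet fields, port numbers and rule positions are constructed for the example. It shows that a rule added with -A lands after the catch-all and is never reached, while -I inserts it at the head, and that the script's "! -y ... ACCEPT" input rule and the proposed "-y ... DENY" rule are not equivalent: both deny inbound SYNs from port 23, but only the original accepts the server's reply traffic.

```python
# Toy first-match packet filter modelled on ipchains chain semantics.
# Added example; not ipchains itself and not the firewall script's code.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

UNPRIVPORTS = (1024, 65535)          # the script's $UNPRIVPORTS range
PortRange = Optional[Tuple[int, int]]


@dataclass
class Packet:
    proto: str
    sport: int
    dport: int
    syn: bool = False   # True = SYN set with ACK/FIN clear (what -y matches)


@dataclass
class Rule:
    target: str                      # ACCEPT / DENY / REJECT
    proto: Optional[str] = None      # -p
    sport: PortRange = None          # --source-port as (lo, hi)
    dport: PortRange = None          # --destination-port as (lo, hi)
    syn: Optional[bool] = None       # True = -y, False = "! -y", None = unspecified

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.syn is not None and p.syn != self.syn:
            return False
        return True


@dataclass
class Chain:
    policy: str = "DENY"                       # assumed default policy
    rules: List[Rule] = field(default_factory=list)

    def append(self, r: Rule) -> None:         # ipchains -A: rule goes to the end
        self.rules.append(r)

    def insert(self, r: Rule) -> None:         # ipchains -I: rule goes to the head (rule 1)
        self.rules.insert(0, r)

    def evaluate(self, p: Packet) -> Tuple[str, int]:
        """First matching rule wins; returns (target, rule number), 0 = policy."""
        for num, r in enumerate(self.rules, start=1):
            if r.matches(p):
                return r.target, num
        return self.policy, 0


def output_chain() -> Chain:
    """Assumed shape of the script's output chain: the telnet-client ACCEPT
    followed by a logging catch-all REJECT (the log line shows 'output REJECT')."""
    c = Chain()
    c.append(Rule("ACCEPT", "tcp", sport=UNPRIVPORTS, dport=(23, 23)))
    c.append(Rule("REJECT"))
    return c


def append_vs_insert():
    """Outgoing SYN to port 25: the same ACCEPT rule appended vs. inserted."""
    syn_to_25 = Packet("tcp", sport=4022, dport=25, syn=True)   # constructed, like the logged packet
    port25 = Rule("ACCEPT", "tcp", sport=UNPRIVPORTS, dport=(25, 25))

    appended = output_chain()
    appended.append(port25)      # what 'ipchains -A output ...' does
    inserted = output_chain()
    inserted.insert(port25)      # what 'ipchains -I output ...' does
    return appended.evaluate(syn_to_25), inserted.evaluate(syn_to_25)


def compare_input_rules():
    """The script's '! -y ... ACCEPT' input rule vs. the proposed '-y ... DENY'."""
    reply = Packet("tcp", sport=23, dport=4022, syn=False)   # telnet server's reply to us
    probe = Packet("tcp", sport=23, dport=4022, syn=True)    # new connection from port 23

    original = Chain()
    original.append(Rule("ACCEPT", "tcp", sport=(23, 23), dport=UNPRIVPORTS, syn=False))
    proposed = Chain()
    proposed.append(Rule("DENY", "tcp", sport=(23, 23), dport=UNPRIVPORTS, syn=True))
    return {
        "original": (original.evaluate(reply)[0], original.evaluate(probe)[0]),
        "proposed": (proposed.evaluate(reply)[0], proposed.evaluate(probe)[0]),
    }


if __name__ == "__main__":
    print(append_vs_insert())       # (('REJECT', 2), ('ACCEPT', 1))
    print(compare_input_rules())    # original keeps replies, proposed loses them
```

In the appended case the packet is rejected by rule 2 (the catch-all), which is the same outcome the logged "(#42)" line reports for the real chain; the inserted rule matches first. For the input chain, the proposed DENY rule denies nothing the policy would not already deny, while dropping the "! -y" ACCEPT removes the only rule that lets the telnet server's replies back in.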