I answer inside your message:
> [Ipchains Beginner alert]
>
> Hope there is room for this kind of beginner question here.
>
> I've worked up and installed an ipchains based firewall from the web
> pages: http://www.linux-firewall-tools.com/linux/firewall/
> Only a small portion is shown here.
>
> I selected to block incoming telnet but elected to keep outgoing
> telnet. I think these are the rules involved:
>
> # TELNET client (23)
> # ------------------
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> --destination-port 23 -j ACCEPT
I, too, am a beginner, but I don't think you need to worry about what is going out.
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> --source-port 23 \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
> Assuming my understanding is at least close, it looks like the
> `output' rule allows me to telnet out on any UNPRIVPORTS as long as
> the destination is to port 23 on remote host.
That is true, but again, I would probably not worry about having this rule.
> Now I want to telnet to port 25 on a specific host. Since this is a
> single user machine and I have root privileges, I thought I could
> just add a rule that allows that manually.
>
> Opened a root xterm and first set and exported the needed VARIABLES as
> they are set in the firewall script:
>
> EXTERNAL_INTERFACE=eth0 ; export EXTERNAL_INTERFACE
> IPADDR=my.ip.address ; export IPADDR
> UNPRIVPORTS="1024:65535" ; export UNPRIVPORTS
>
> Then run an ipchains add command by editing the `output' rule above
> changing only the destination-port:
>
> # ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> --destination-port 25 -j ACCEPT <RET>
You don't need to do this if you use

# ipchains -A output -i $EXTERNAL_INTERFACE -s $IPADDR -j ACCEPT

which would allow any packets out of your machine. To allow the packets coming back from the remote machine's port 25, you could do this:
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 25 --destination-port 25 -j ACCEPT
I have to say, I don't know if you will be outgoing on your port 25 (as above) or any random $UNPRIVPORTS. Just change --destination-port.

Are you putting these in a script? Be aware that the first rule that matches will be the one to decide the fate of the packet. If you enter these at a command prompt, it will be the last rule in the output chain (unless you specify where you want the rule).
> It seems that this would allow me to attempt telnetting to a remote
> host on port 25. Watching the syslog output with `tail -f' and
> attempting:
>
> # telnet spe.cific.host 25
>
> I see (wrapped for clarity):
>
> Sep 16 06:30:54 reader kernel: Packet log: output REJECT eth0 PROTO=6
> my.ip.addrss:4022 xx.xxx.xxx.xx:25 L=60 S=0x00 I=20428 F=0x0000 T=64
> SYN (#42)
>
> So thinking I need to restart something I run:
>
> /etc/rc.d/init.d/inet restart
> /etc/rc.d/init.d/network reload
>
Do you also restart the firewall?
> After each one I try telnetting again, but each time I get the same
> message as above.
>
> Clear enough that I'm missing the boat here in some important way.
>
>
> Now about that `input' rule above:
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> --source-port 23 \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
> I'm having a little trouble understanding the intent here. If the "!"
> inverts the meaning of "-y" which is:
>
> Only match TCP packets with the SYN bit set and the ACK
> and FIN bits cleared. Such packets are used to request
> TCP connection initiation; for example, blocking such
> packets coming in an interface will prevent incoming TCP
> connections, but outgoing TCP connections will be
> unaffected. This option is only meaningful when the
> protocol type is set to TCP. If the "!" flag precedes
> the "-y", the sense of the option is inverted.
>
> Looks as if the intent is to block the described packets. So would
> using the same rule but dropping the "!" and replacing ACCEPT with
> DENY, have the same effect?
The intent of ! is to mean "packets returning as an acknowledgment to a request". For instance, if a client behind the firewall requests a www page, the www server will respond with packets marked as acknowledgments. If the same client serves a web page, outside clients cannot successfully request www content, because they are sending a TCP SYN request.
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
> --source-port 23 \
> -d $IPADDR $UNPRIVPORTS -j DENY
>
So, this command says that if the packet input on the external interface is a SYN packet coming from source port 23 with a destination of any unprivileged port, it will be denied (no one can telnet to your client).
If any of this sounds wrong, I apologize. I've gotten a lot of help from these guys, so I want to try to help others.
Adam
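To make the two points in the reply concrete (the first matching rule decides, and "! -y" selects only non-SYN packets), here is a small Python model of the quoted rules. It is an added example, not code from the thread or from the firewall generator; it assumes the generated script ends with a logging catch-all REJECT rule in each chain (the trailing "(#42)" in the logged line is the number of the rule that fired), and the packet and port values are constructed from the logged packet.

```python
from dataclasses import dataclass
from typing import Optional

UNPRIV, ANY = range(1024, 65536), range(0, 65536)   # UNPRIVPORTS="1024:65535"

@dataclass
class Pkt:                      # a TCP packet on the external interface (constructed)
    chain: str                  # "input" or "output"
    sport: int
    dport: int
    syn: bool                   # SYN set with ACK/FIN clear: exactly what "-y" matches

@dataclass
class Rule:                     # one "ipchains -A <chain> -p tcp ..." rule
    chain: str
    sport: range = ANY
    dport: range = ANY
    syn: Optional[bool] = None  # True = "-y", False = "! -y", None = flag not given
    target: str = "ACCEPT"

    def matches(self, p: Pkt) -> bool:
        return (p.chain == self.chain and p.sport in self.sport
                and p.dport in self.dport
                and (self.syn is None or self.syn == p.syn))

def verdict(rules, p, policy="REJECT"):
    """ipchains walks the chain top to bottom; the first match decides."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy

def firewall_script():
    # The two TELNET client rules from the thread, then the catch-all REJECTs (assumed).
    return [Rule("output", sport=UNPRIV, dport=range(23, 24)),            # telnet out
            Rule("input", sport=range(23, 24), dport=UNPRIV, syn=False),  # "! -y" replies
            Rule("output", target="REJECT"), Rule("input", target="REJECT")]

def demo():
    smtp_out = Rule("output", sport=UNPRIV, dport=range(25, 26))  # --destination-port 25
    syn_to_25 = Pkt("output", 4022, 25, syn=True)                 # the logged packet
    telnet_ack = Pkt("input", 23, 4022, syn=False)                # reply from a telnet server
    telnet_syn = Pkt("input", 23, 4022, syn=True)                 # inbound attempt from :23
    return {
        "appended": verdict(firewall_script() + [smtp_out], syn_to_25),  # -A lands after catch-all
        "inserted": verdict([smtp_out] + firewall_script(), syn_to_25),  # -I puts it in front
        "reply_in": verdict(firewall_script(), telnet_ack),              # accepted by "! -y"
        "syn_in":   verdict(firewall_script(), telnet_syn),              # a SYN is not a reply
    }
```

Running demo() shows the appended port 25 rule never sees the SYN because the catch-all REJECT above it matches first, while the same rule inserted at the head of the chain accepts it.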