I am in the process of setting up ipchains for a customer.
They want the firewall in a "mostly closed" arrangement.
I've already checked (with ipchains -C) and packets pass; however, when I
put "-j DENY" as the last rule in a user chain, packets die.
Here is the firewall:
eth0 - directly connected to Cisco Router (gateway out to ISP)
eth1 - connected to DMZ
eth2 - connected to non-routable network (192.168.0.x)
My only problem is with filtering packets. For simplicity, I will show
one rule and one IP. Assume all else is ACCEPTed. (The firewall has over
300 individual rules). Real IP addresses have been changed to protect
the innocent. The "simple" ipchain (out-dmz chain is from outside into
dmz):
INPUT chain, ACCEPTED
OUTPUT chain, ACCEPTED
FORWARD chain, if IP matches 111.222.333.0/24, -j out-dmz
out-dmz chain:
ACCEPT, tcp, src: anywhere, dest: 111.222.333.4, ports: * -> 25
ACCEPT, icmp, all addr, all error types & ping/pong (no redirects)
DENY, (all else), logged
I captured a log and what it shows (for example):
1) Outgoing SMTP connection from the 111.222.333.4 server getting denied:
out-dmz DENY eth1 PROTO=6 (outside system):25 111.222.333.4:31050
It appears that when my system sends a message out, since the address on
the FORWARD chain routes any incoming packet to "out-dmz" chain, the chain
is correctly branched to. But, when an outgoing SMTP connection occurs,
the resulting port on my server's side is some random number.
I've experienced this with any connection going out. All connections
going out go correctly, however, the return packet lands on a random port
number.
----------------------
How can I have a "mostly closed" firewall for all my systems if the random
port comes up on the return packet?
I'm trying to only open holes in the firewall for the inbound services,
but in the case of things like telnet and SMTP, there is a problem (like
when that SMTP server sends to a system outside). I can't specify a
source in the above example, since my SMTP server is a true mail server
servicing people inside the building (servicing both inbound and outbound
requests).
I have not specified anything other than the normal flags for the chain.
For the above example, the command I used to insert it into the chain:
ipchains -I out-dmz -p tcp -d 111.222.333.4 25 -j ACCEPT
Can anyone help with the "random port" problem on return packets?
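As an added illustration (not part of the original post), the following Python model of ipchains-style stateless, first-match rule evaluation reproduces the logged case: the reply from the remote mail server arrives on the ephemeral port 31050, matches nothing before the final DENY, and dies. It also shows the classic ipchains workaround, assumed here, of a `-p tcp ! -y` ACCEPT rule for the unprivileged port range 1024:65535, which passes non-SYN (established-connection) packets while still denying fresh SYNs; the outside address 203.0.113.9 is constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    proto: str          # "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # connection-initiating SYN, what ipchains "-y" matches

@dataclass
class Rule:
    target: str                          # ACCEPT or DENY
    proto: Optional[str] = None          # None means any protocol
    dst: Optional[str] = None            # None means any destination
    dports: Tuple[int, int] = (0, 65535)  # inclusive destination port range
    not_syn: bool = False                # ipchains "! -y": match non-SYN only

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.dst is None or p.dst == self.dst)
                and self.dports[0] <= p.dport <= self.dports[1]
                and not (self.not_syn and p.syn))

def walk_chain(chain, p: Packet) -> str:
    """First matching rule wins; a user chain ending in -j DENY drops the rest."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return "DENY"

MAIL = "111.222.333.4"   # the DMZ mail server from the post

# The post's out-dmz chain: inbound SMTP to the mail server, then deny all else
OUT_DMZ = [Rule("ACCEPT", "tcp", MAIL, (25, 25)), Rule("DENY")]

# Same chain plus the assumed stateless workaround, equivalent to:
#   ipchains -A out-dmz -p tcp ! -y -d 111.222.333.4 1024:65535 -j ACCEPT
OUT_DMZ_FIXED = [OUT_DMZ[0],
                 Rule("ACCEPT", "tcp", MAIL, (1024, 65535), not_syn=True),
                 Rule("DENY")]

# The logged reply: (outside system):25 -> 111.222.333.4:31050, no SYN flag
REPLY = Packet("tcp", "203.0.113.9", 25, MAIL, 31050, syn=False)
# A constructed unsolicited SYN to the same high port; must still be denied
PROBE = Packet("tcp", "203.0.113.9", 51000, MAIL, 31050, syn=True)
```

The price of `! -y` is that any non-SYN TCP segment to a high port is let through unchecked, since ipchains keeps no connection state; that gap is what stateful tracking in later packet filters closes.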
See the linux-admin FAQ: http://www.kalug.lug.net/linux-admin-FAQ/