Jim Roland wrote:
>
> I am in the process of setting up ipchains for a customer.
>
> They want the firewall in a "mostly closed" arrangement.
>
> I've already checked (with ipchains -C) and packets pass, however, when I
> put as a last rule in a user chain "-j DENY" packets die.
>
> Here is the firewall:
> eth0 - directly connected to Cisco Router (gateway out to ISP)
> eth1 - connected to DMZ
> eth2 - connected to non-routable network (192.168.0.x)
>
> My only problem is with filtering packets. For simplicity, I will show
> one rule and one IP. Assume all else is ACCEPTed. (The firewall has over
> 300 individual rules). Real IP addresses have been changed to protect
> the innocent. The "simple" ipchain (out-dmz chain is from outside into
> dmz):
>
> INPUT chain, ACCEPTED
> OUTPUT chain, ACCEPTED
> FORWARD chain, if IP matches 111.222.333.0/24, -j out-dmz
> out-dmz chain:
> ACCEPT, tcp, src: anywhere, dest: 111.222.333.4, ports: * -> 25
> ACCEPT, icmp, all addr, all error types & ping/pong (no redirects)
> DENY, (all else), logged
>
> I captured a log and what it shows (for example):
> 1) Outgoing SMTP connection from the 111.222.333.4 server getting denied:
> out-dmz DENY eth1 PROTO=6 (outside system):25 111.222.333.4:31050
>
> It appears that when my system sends a message out, since the address on
> the FORWARD chain routes any incoming packet to "out-dmz" chain, the chain
> is correctly branched to. But, when an outgoing SMTP connection occurs,
> the resulting port on my server's side is some random number.
>
> I've experienced this with any connection going out. All connections
> going out go correctly, however, the return packet lands on a random port
> number.
>
> ----------------------
>
> How can I have a "mostly closed" firewall for all my systems if the random
> port comes up on the return packet?
>
> I'm trying to only open holes in the firewall for the inbound services,
> but in the case of things like telnet and SMTP, there is a problem (like
> when that SMTP server sends to a system outside). I can't specify a
> source in the above example, since my SMTP server is a true mail server
> servicing people inside the building (servicing both inbound and outbound
> requests).
>
> I have not specified anything other than the normal flags for the chain.
> For the above example, the command I used to insert it into the chain:
> ipchains -I out-dmz -p tcp -d 111.222.333.4 25 -j ACCEPT
>
> Can anyone help with the "random port" problem on return packets?
>
It is "random". You could put a rule resembling "permit ip any any
established".
/sbin/ipchains -A input -p TCP -s 0/0 ! -y -j ACCEPT
and permit everything coming from port 25.
Camelia N.
--
Camelia Nastase
[EMAIL PROTECTED]