Re: Ipchains Question / Seeking Information.

2002-10-16 Thread Devdas Bhagat

On 08/10/02 14:06 -0400, Chris S wrote:
> I'm getting a good amount of these DENY's in my logs, but I'm not sure 
> exactly what they mean. 
> 
> Oct  7 19:51:45 furby kernel: Packet log: output DENY eth0 PROTO=6 
> 216.178.84.110:80 65.56.237.226:2002 L=48 S=0x00 I=17224 F=0x4000 T=64 (#2)

The SYN bit is not set, so it looks like this is a TCP response. There
was an old post about reading ipchains logs.
I can't recall which list it was on though (this
one/bugtraq/loganalysis/firewall-wizards).

> 216.178.84.110 is the address bound to my webserver. To me it looks like my 
> webserver is trying to connect to 65.56.237.226 on port 2002 (the new Linux 
> worm). I could be wrong about this, but I'm not sure. 
Or maybe a simple browser expecting a response? 

> I have these lines for IPChains so I don't know how or if I'm infected.
> Chain input (policy ACCEPT):
> target prot opt source   destination ports
> DENY   tcp  l-  anywhere anywhere    any -> 2002
> DENY   udp  l-  anywhere anywhere    any -> 2002
> 
> Chain output (policy ACCEPT):
> target prot opt source   destination ports
> DENY   udp  l-  anywhere anywhere    any -> 2002
> DENY   tcp  l-  anywhere anywhere    any -> 2002
You aren't looking for connections being initiated from your box, but
all connections to port 2002/tcp. I suggest that the tcp rules be
modified to look for the initial SYN bit set too, or you upgrade to
iptables.
You are probably looking at a webserver response to a perfectly normal
query.

Devdas Bhagat
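
The reading given in the reply above, as an added example that is not part of the original post: a small parser for ipchains `-l` log lines that separates connection attempts from replies, and shows what a SYN-only (`-y`) version of the port 2002 rule would have logged. It assumes the 2.2-kernel log layout in which a connection-opening packet carries a `SYN` marker before the rule number; the second and third sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layout of an ipchains "-l" log line (assumed 2.2-series kernel format):
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<len> S=<tos> I=<id> F=<frag> T=<ttl> [SYN] (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9A-Fa-f]+ I=\d+ F=0x[0-9A-Fa-f]+ T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)?(?: \(#(?P<rule>\d+)\))?"
)

TCP = 6  # IP protocol number logged as PROTO=6


@dataclass(frozen=True)
class LogEntry:
    chain: str
    target: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    syn: bool
    rule: Optional[int]


def parse_line(line: str) -> Optional[LogEntry]:
    """Return the parsed entry, or None if the line is not an ipchains packet log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return LogEntry(
        chain=m["chain"], target=m["target"], proto=int(m["proto"]),
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        length=int(m["length"]), syn=m["syn"] is not None,
        rule=int(m["rule"]) if m["rule"] else None,
    )


def classify(entry: LogEntry) -> str:
    """Say whether a logged TCP packet opens a connection or answers one."""
    if entry.proto != TCP:
        return "not-tcp"
    if entry.syn:
        return "initiation"      # SYN set: the source is opening a connection
    if entry.sport < 1024 <= entry.dport:
        return "reply"           # service port answering a client's ephemeral port
    return "undetermined"


def rule_matches(entry: LogEntry, dport: int, syn_only: bool) -> bool:
    """Model 'DENY tcp any -> dport'; syn_only=True adds the ipchains -y restriction."""
    if entry.proto != TCP or entry.dport != dport:
        return False
    return entry.syn or not syn_only


SAMPLE_LINES = [
    # Line quoted in the thread.
    "Oct  7 19:51:45 furby kernel: Packet log: output DENY eth0 PROTO=6 "
    "216.178.84.110:80 65.56.237.226:2002 L=48 S=0x00 I=17224 F=0x4000 T=64 (#2)",
    # Constructed: an outbound connection attempt to port 2002 (SYN marker present).
    "Oct  7 19:52:10 furby kernel: Packet log: output DENY eth0 PROTO=6 "
    "198.51.100.20:34567 203.0.113.9:2002 L=60 S=0x00 I=4242 F=0x4000 T=64 SYN (#2)",
    # Constructed: unrelated syslog line, must be skipped.
    "Oct  7 19:52:11 furby sshd[812]: Connection closed by 203.0.113.9",
]


def triage(lines, dport=2002):
    """Return (src:sport, classification, hits plain rule, hits -y rule) per log entry."""
    rows = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        rows.append((
            f"{entry.src}:{entry.sport}",
            classify(entry),
            rule_matches(entry, dport, syn_only=False),
            rule_matches(entry, dport, syn_only=True),
        ))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
```
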



Re: Ipchains Question / Seeking Information.

2002-10-16 Thread Steve Bremer


>  Is my webserver trying to make connections going out
> on these ports, or is my webserver being attacked on these ports. 
> 


Whether your web server is infected with the worm or not, I can't say 
for sure. But, according to the logs you've provided, it does appear 
to be your web server trying to connect to 65.56.237.226 on port 
2002.

Steve Bremer
NEBCO, Inc




RE: Ipchains Question / Seeking Information.

2002-10-16 Thread Andrew H. Turner

You might try checking this out:
http://www.cert.org/advisories/CA-2002-27.html

Looks like you have the Slapper worm...

Hope this helps.

-Andrew



Andrew H. Turner <[EMAIL PROTECTED]>
BBN Technologies, a Verizon Company
1300 N. 17th Street, Suite 1200
Arlington, Virginia 22209


-Original Message-
From: Chris S [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 08, 2002 2:06 PM
To: [EMAIL PROTECTED]
Subject: Ipchains Question / Seeking Information.


I'm getting a good amount of these DENY's in my logs, but I'm not sure 
exactly what they mean. 

Oct  7 19:51:45 furby kernel: Packet log: output DENY eth0 PROTO=6 216.178.84.110:80 65.56.237.226:2002 L=48 S=0x00 I=17224 F=0x4000 T=64 (#2)
Oct  7 19:51:48 furby kernel: Packet log: output DENY eth0 PROTO=6 216.178.84.110:80 65.56.237.226:2002 L=48 S=0x00 I=17805 F=0x4000 T=64 (#2)
Oct  7 19:51:48 furby kernel: Packet log: output DENY eth0 PROTO=6 216.178.84.110:80 65.56.237.226:2002 L=48 S=0x00 I=17842 F=0x4000 T=64 (#2)

216.178.84.110 is the address bound to my webserver. To me it looks like my 
webserver is trying to connect to 65.56.237.226 on port 2002 (the new Linux 
worm). I could be wrong about this, but I'm not sure. 

I have these lines for IPChains so I don't know how or if I'm infected.
Chain input (policy ACCEPT):
target prot opt source   destination ports
DENY   tcp  l-  anywhere anywhere    any -> 2002
DENY   udp  l-  anywhere anywhere    any -> 2002

Chain output (policy ACCEPT):
target prot opt source   destination ports
DENY   udp  l-  anywhere anywhere    any -> 2002
DENY   tcp  l-  anywhere anywhere    any -> 2002

I'm also up to date on OpenSSL.
My question is: is my webserver trying to make connections going out on 
these ports, or is my webserver being attacked on these ports? 

 


Chris S.
www.jynx.net
[EMAIL PROTECTED]




Re: ipchains help

2002-09-23 Thread catalyst

On Fri, 20 Sep 2002, Nikolai wrote:
> I have setup the following rules for my ipchains:
> 
> :input ACCEPT
> :forward DENY
> :output ACCEPT
> 
> -A input -j DENY -p all -l -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0
> -A input -i eth0 -s 0/0 -d 0/0 -p tcp -y -j DENY -l

As you may see, the protocol you DENY is "-p tcp" (on the second line).
You may add a fully identical row at the end, except with proto=ICMP, like this:

-A input -i eth0 -s 0/0 -d 0/0 -p ICMP -j DENY -l

or:

-A input -i eth0 -s 0/0 -d 0/0 8 -p ICMP -j DENY -l 

Good luck!


> 
> I did an online-based scan at scan.sygate.com and everything appears to
> be 'blocked' except ICMP service on port 8.
> 
> Can someone please help me with how to close this hole as well?
> 
> Some background:
> my kernel is 2.4.18 (with Mandrake 8.2)
> I'm new to Linux/GNU in general and security in particular.
> 
> Thanks
> Nikolai
-- 





Re: ipchains help

2002-09-23 Thread Midkaemia

On Saturday 21 Sep 2002 1:41 pm, Nikolai wrote:
> On Sat, 2002-09-21 at 05:41, Mike Arnold wrote:
> 

ditto 

> This one actually blocked me off from accessing the Internet altogether
> so I had to turn the rule off. No, my eth0 doesn't have 127.0.0.0/24
> address (to my best knowledge that is). My IP address is assigned
> through DHCP periodically (I'm using cable connection). Sorry if I sound
> as if I have no idea what's going on, I'm learning as I go along..
> Thanks for your help though

See Dave <[EMAIL PROTECTED]>'s post. I'd forgotten about the DNS 
stuff since I use a caching DNS server which needs different config to this 
(you can be a little tighter).

> Nikolai

Mike



Re: ipchains help

2002-09-21 Thread Nikolai

On Sat, 2002-09-21 at 05:41, Mike Arnold wrote:

> -A input -i eth0 -s 0/0 -d 0/0 -p icmp -l -j DENY 
> 
> I think

Thanks, the test returned 'blocked', I feel better now :-)

> You might also want to add
> 
> -A input -i eth0 -s 0/0 -d 0/0 -p udp -l -j DENY 
> 
> to block UDP protocols connections. I'm assuming your eth0 interface doesn't 
> have a 127.0.0.0/24 address - that is the loopback normally.


This one actually blocked me off from accessing the Internet altogether
so I had to turn the rule off. No, my eth0 doesn't have 127.0.0.0/24
address (to my best knowledge that is). My IP address is assigned
through DHCP periodically (I'm using cable connection). Sorry if I sound
as if I have no idea what's going on, I'm learning as I go along..
Thanks for your help though

Nikolai





Re: ipchains help

2002-09-21 Thread Dave


Hi,

Well in your line

   -A input -i eth0 -s 0/0 -d 0/0 -p tcp -y -j DENY -l

you specifically block ONLY tcp connection attempts.

so udp/icmp etc are still allowed.

You can use 
-A input  -p icmp -j DENY -l

but that still allows for UDP. You cannot block all UDP if you want DNS to 
work, so at this point you have to know what ports to allow through. i.e. 53

So that you allow DNS through first 

-A input -p udp -s DNS 53 -d  MACHINE UNPRIVILEGED_PORTS -j ACCEPT

Where:
DNS is your DNS Server 
MACHINE is your local ip_address (harder to get if Dynamic IP, so you can use 
0/0 it isn't much of a hole)   
UNPRIVILEGED_PORTS are ports from 1024:65535

then have a line.

-A input  -p udp -j DENY -l


This starts to become very easy to get in the wrong order, which is why most 
people? recommend setting up a firewall the other way round.

i.e. you should have  

input DENY
forward DENY
output DENY

And then specifically allow through (in and out) the services that you want.  
You can still have nice input blocking lines like yours at the top; they just 
narrow down the available space for allowed connections.

It is more complex to set up and maintain this way, but you learn about 
IP, and it is slightly more secure. 

Note:
Currently your setup allows you to send anything out to the internet, and 
that can be as big a problem as allowing things in. However someone would 
have to be much more determined to get on to your box with your current rules 
than on to 90% of boxes out there. So it is a good start.

Good luck.

/Dave



On Friday 20 September 2002 02:05, Nikolai wrote:
> I have setup the following rules for my ipchains:
> :input ACCEPT
> :forward DENY
> :output ACCEPT
>
> -A input -j DENY -p all -l -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0
> -A input -i eth0 -s 0/0 -d 0/0 -p tcp -y -j DENY -l
>
> I did an online-based scan at scan.sygate.com and everything appears to
> be 'blocked' except ICMP service on port 8.
>
> Can someone please help me with how to close this hole as well?
>
> Some background:
> my kernel is 2.4.18 (with Mandrake 8.2)
> I'm new to Linux/GNU in general and security in particular.
>
> Thanks
> Nikolai
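
The ordering problem described in the message above, as an added example that is not part of the original post: a first-match model of an ipchains input chain, run against the rule sets discussed in this thread. The `Rule` and `Packet` classes, the DNS server address 192.0.2.53 and the host address 198.51.100.20 are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORT = (0, 65535)
UNPRIVILEGED = (1024, 65535)


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int            # 0 for ICMP in this model
    dst: str
    dport: int
    syn: bool = False     # TCP connection attempt


@dataclass(frozen=True)
class Rule:
    target: str                   # "ACCEPT" or "DENY"
    proto: str = "all"
    src: str = "0.0.0.0/0"
    sports: tuple = ANY_PORT
    dst: str = "0.0.0.0/0"
    dports: tuple = ANY_PORT
    syn_only: bool = False        # ipchains -y

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("all", p.proto):
            return False
        if self.syn_only and not p.syn:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if p.proto in ("tcp", "udp"):
            if not self.sports[0] <= p.sport <= self.sports[1]:
                return False
            if not self.dports[0] <= p.dport <= self.dports[1]:
                return False
        return True


def verdict(rules, policy: str, packet: Packet) -> str:
    """The first matching rule decides; the chain policy applies if none match."""
    for rule in rules:
        if rule.matches(packet):
            return rule.target
    return policy


# Rules from the thread: loopback-spoof DENY, TCP SYN DENY, plus the ICMP DENY.
BASE = [
    Rule("DENY", src="127.0.0.0/8"),
    Rule("DENY", proto="tcp", syn_only=True),
    Rule("DENY", proto="icmp"),
]
DENY_UDP = Rule("DENY", proto="udp")
# "-A input -p udp -s DNS 53 -d MACHINE UNPRIVILEGED_PORTS -j ACCEPT", MACHINE as 0/0.
ACCEPT_DNS = Rule("ACCEPT", proto="udp", src="192.0.2.53/32",
                  sports=(53, 53), dports=UNPRIVILEGED)

BLANKET_UDP = BASE + [DENY_UDP]               # the rule that cut off Internet access
RIGHT_ORDER = BASE + [ACCEPT_DNS, DENY_UDP]   # DNS accepted before the UDP DENY
WRONG_ORDER = BASE + [DENY_UDP, ACCEPT_DNS]   # same rules, ACCEPT never reached

# Constructed packets arriving at the host.
DNS_REPLY = Packet("udp", "192.0.2.53", 53, "198.51.100.20", 40000)
UDP_PROBE = Packet("udp", "203.0.113.9", 4000, "198.51.100.20", 137)
TCP_SYN = Packet("tcp", "203.0.113.9", 51000, "198.51.100.20", 22, syn=True)
WEB_REPLY = Packet("tcp", "203.0.113.80", 80, "198.51.100.20", 33000)
PING = Packet("icmp", "203.0.113.9", 0, "198.51.100.20", 0)

PACKETS = {"dns_reply": DNS_REPLY, "udp_probe": UDP_PROBE, "tcp_syn": TCP_SYN,
           "web_reply": WEB_REPLY, "ping": PING}


def table(rules, policy="ACCEPT"):
    """Verdict for every sample packet under one rule set and chain policy."""
    return {name: verdict(rules, policy, p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, rules, policy in [
        ("base, policy ACCEPT", BASE, "ACCEPT"),
        ("blanket UDP DENY", BLANKET_UDP, "ACCEPT"),
        ("DNS ACCEPT then UDP DENY", RIGHT_ORDER, "ACCEPT"),
        ("UDP DENY then DNS ACCEPT", WRONG_ORDER, "ACCEPT"),
        ("policy DENY, DNS ACCEPT only", [ACCEPT_DNS], "DENY"),
    ]:
        print(f"{label:30} {table(rules, policy)}")
```

With the policy set to DENY, the last row gives the same result for the probe wherever the ACCEPT rule sits, which is the practical argument for building the rule set that way round.
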




RE: ipchains help

2002-09-20 Thread Williams, Larry

I use iptables with a 2.4.x kernel, but I believe you're looking for

-A input -p ICMP -j DENY


-Original Message-
From: Nikolai 
Sent: Friday, September 20, 2002 11:17
To: [EMAIL PROTECTED]
Subject: ipchains help



I have setup the following rules for my ipchains:

:input ACCEPT
:forward DENY
:output ACCEPT

-A input -j DENY -p all -l -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0
-A input -i eth0 -s 0/0 -d 0/0 -p tcp -y -j DENY -l

I did an online-based scan at scan.sygate.com and everything appears to
be 'blocked' except ICMP service on port 8.

Can someone please help me with how to close this hole as well?

Some background:
my kernel is 2.4.18 (with Mandrake 8.2)
I'm new to Linux/GNU in general and security in particular.

Thanks
Nikolai






Re: ipchains help

2002-09-20 Thread Mike Arnold

On Friday 20 Sep 2002 1:05 am, Nikolai wrote:
> I have setup the following rules for my ipchains:
> :input ACCEPT
> :forward DENY
> :output ACCEPT

I like to do 

:input DENY
:forward DENY
:output DENY

and then add rules for legitimate traffic, but pros and cons have been 
discussed before I'm sure. 

> -A input -j DENY -p all -l -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0

DENY everything from 127* address range on ALL protocols

> -A input -i eth0 -s 0/0 -d 0/0 -p tcp -y -j DENY -l

DENY everything on eth0 for tcp protocol.

I can see no rule to DENY ICMP on eth0 for any IP address.

> I did an online-based scan at scan.sygate.com and everything appears to
> be 'blocked' except ICMP service on port 8.

-A input -i eth0 -s 0/0 -d 0/0 -p icmp -l -j DENY 

I think.

You might also want to add

-A input -i eth0 -s 0/0 -d 0/0 -p udp -l -j DENY 

to block UDP protocols connections. I'm assuming your eth0 interface doesn't 
have a 127.0.0.0/24 address - that is the loopback normally.

Mike

-- 
___
 "In their capacity as a tool, computers will be but a ripple on the 
   surface of our culture. In their capacity as intellectual challenge, 
   they are without precedent in the cultural history of mankind." 
Edsger Wybe Dijkstra on Computers



RE: ipchains and bridging

2002-07-10 Thread Chris Santerre

Thanks to all. This was the biggy. It is actually REALLY simple. 
http://bridge.sourceforge.net/docs/bridge-firewall-ipchains.html
Basically says use rules on the 'bridge' interface, not ethX interface.
D'oh!

-Original Message-
From: Ulrich Keil [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 08, 2002 5:29 PM
To: Security-Basics (E-mail)
Subject: Re: ipchains and bridging


On Mon, Jul 08, 2002 at 10:11:44AM -0400, Chris Santerre wrote:
> I have a firewall I have been working on. 3 NICs. I have real IP addresses
> for the outside NIC, DMZ NIC, and servers in the DMZ. I used bridging to get
> packets from the internet to the servers in the DMZ. Here is the problem.
> Bridging seems to be at a lower level than packet filtering. I can't filter
> anything coming IN to the DMZ, only out. It works, and stops everything, but
> it is NOT the best setup at all!!! I am well aware of ways to attempt to
> compromise the servers in the DMZ. A DOS or ping of death could work easily.
> Any thoughts on how to go about fixing this, or have I doomed myself using
> bridging?

Linux BRIDGE-STP-HOWTO:

http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/rules-on-bridging.html

Section 4:

"-A bridge knows nothing about higher protocols than ARP"

Means: It is normally not possible to filter packets on a bridge ... but ...

There is a patch available to make ipchains/iptables work on a bridge

http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/advanced-bridge.html#IPCHAINS
http://bridge.sourceforge.net/download.html

> Should I have virtually hosted the WEB and EMAIL server on the outside NIC
> of the firewall, and ipportfwd them to DMZ machines on a 192.x.x.x network?

I prefer this option, because you normally don't have any advantages
using a bridge against using NAT.

Ulrich
-- 
http://www.der-keiler.de
PGP Fingerprint: 5FA4 4C01 8D92 A906 E831  CAF1 3F51 8F47 1233 9AAD
Public key available at http://www.der-keiler.de/uk/pgp-key.asc




Re: ipchains and bridging

2002-07-09 Thread Ulrich Keil

On Mon, Jul 08, 2002 at 10:11:44AM -0400, Chris Santerre wrote:
> I have a firewall I have been working on. 3 NICs. I have real IP addresses
> for the outside NIC, DMZ NIC, and servers in the DMZ. I used bridging to get
> packets from the internet to the servers in the DMZ. Here is the problem.
> Bridging seems to be at a lower level than packet filtering. I can't filter
> anything coming IN to the DMZ, only out. It works, and stops everything, but
> it is NOT the best setup at all!!! I am well aware of ways to attempt to
> compromise the servers in the DMZ. A DOS or ping of death could work easily.
> Any thoughts on how to go about fixing this, or have I doomed myself using
> bridging?

Linux BRIDGE-STP-HOWTO:

http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/rules-on-bridging.html

Section 4:

"-A bridge knows nothing about higher protocols than ARP"

Means: It is normally not possible to filter packets on a bridge ... but ...

There is a patch available to make ipchains/iptables work on a bridge

http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/advanced-bridge.html#IPCHAINS
http://bridge.sourceforge.net/download.html

> Should I have virtually hosted the WEB and EMAIL server on the outside NIC
> of the firewall, and ipportfwd them to DMZ machines on a 192.x.x.x network?

I prefer this option, because you normally don't have any advantages
using a bridge against using NAT.

Ulrich
-- 
http://www.der-keiler.de
PGP Fingerprint: 5FA4 4C01 8D92 A906 E831  CAF1 3F51 8F47 1233 9AAD
Public key available at http://www.der-keiler.de/uk/pgp-key.asc



Re: ipchains and bridging

2002-07-09 Thread Chris Berry

In-Reply-To: <[EMAIL PROTECTED]>

>I have a firewall I have been working on. 3 NICs. I have real IP addresses
>for the outside NIC, DMZ NIC, and servers in the DMZ. I used bridging to 
>get packets from the internet to the servers in the DMZ. Here is the 
>problem.  Bridging seems to be at a lower level than packet filtering.

Ok, your basic problem is that bridging occurs at Layer 2 using MAC 
addresses and frames (NOT PACKETS).  You either need to use a router, or a 
Layer 3 switch.  Your bridge can't even see the IP addresses of your 
packets because it operates at the wrong layer.  In case you didn't know, 
a switch is basically just a multi-port bridge (mostly).  Your question 
seems a little confused; hope this was what you were looking for.




Re: -Ipchains, iptables question

2002-03-16 Thread Phil Sheldon

Hi,

Check out the link below to the monmotha firewall script, works a treat.

http://monmotha.mplug.org/


On Wednesday 13 Mar 2002 5:31 pm, Sistemas Bipolar S.R.L. wrote:
> Hello all,
>
> I'm looking for some information about how to configure ipchains and
> iptables in Linux. Can anyone recommend me some site to download some
> information about?
>
> Thanks,
>
> Csar




Re: -Ipchains, iptables question

2002-03-16 Thread Teodor Cimpoesu

Hi Sistemas!
On Wed, 13 Mar 2002, Sistemas Bipolar S.R.L. wrote:

> Hello all,
> 
> I'm looking for some information about how to configure ipchains and
> iptables in Linux. Can anyone recommend me some site to download some
> information about?
> 
http://netfilter.samba.org/
Read the HOWTOs and unreliable-guides (they are said so, but are reliable ;)

gl,

-- 
Teodor CIMPOESU 
Software Developer, GeCAD Software 
http://www.gecadsoftware.com, http://www.ravantivirus.com

http://www.cimpoesu.ro/teodor/pk.asc | or blank mail to [EMAIL PROTECTED] 
KEYID:0xB0BD3699 FP:D6C4 00EB 811A B06E A657  CCE9 2A63 94F9 B0BD 3699



Re: -Ipchains, iptables question

2002-03-16 Thread Mariano

"Sistemas Bipolar S.R.L." wrote:

> Hello all,
>
> I'm looking for some information about how to configure ipchains and
> iptables in Linux. Can anyone recommend me some site to download some
> information about?
>
> Thanks,
>
> Csa

Hi,  http://netfilter.samba.org/ is a good site for what you are looking for.

Bye.

---
Mariano Gabriel Consoni[EMAIL PROTECTED]

---






Re: -Ipchains, iptables question

2002-03-16 Thread Lim Ghee Lam

Hi,

Try www.linuxdoc.org

LIM GHEE LAM

- Original Message -
From: "Sistemas Bipolar S.R.L." <[EMAIL PROTECTED]>
To: "seguridad-Security-Basics" <[EMAIL PROTECTED]>
Sent: Thursday, March 14, 2002 1:31 AM
Subject: -Ipchains, iptables question


> Hello all,
>
> I'm looking for some information about how to configure ipchains and
> iptables in Linux. Can anyone recommend me some site to download some
> information about?
>
> Thanks,
>
> Csar
>
>




Re: -Ipchains, iptables question

2002-03-16 Thread durga prasad - datasoft

goto Linuxdoc.org
and search in howto's
regards
durga prasad


- Original Message -
From: "Sistemas Bipolar S.R.L." <[EMAIL PROTECTED]>
To: "seguridad-Security-Basics" <[EMAIL PROTECTED]>
Sent: Wednesday, March 13, 2002 11:01 PM
Subject: -Ipchains, iptables question


| Hello all,
|
| I'm looking for some information about how to configure ipchains and
| iptables in Linux. Can anyone recommend me some site to download some
| information about?
|
| Thanks,
|
| Csar
|
|




Re: -Ipchains, iptables question

2002-03-16 Thread Florian Hobelsberger / BlueScreen

Have you ever had a look at a search engine ?

The ipchains HOWTO:

http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html

The iptables HOWTO:

http://www.linuxguruz.org/iptables/howto/iptables-HOWTO.html



If you need further information, you should specify what kind of information
exactly you need.

---
BlueScreen / Florian Hobelsberger (UIN: 101782087)
Member of:
www.IT-Checkpoint.net
www.Hackeinsteiger.de
www.NGSecurity.de
www.DvLdW.de.vu

For questions about data security, please contact:
www.Hackeinsteiger-Board.de
www.Securitypoint-board.de.vu


To encrypt classified messages, please use this PGP-Key:


- Original Message -
From: "Sistemas Bipolar S.R.L." <[EMAIL PROTECTED]>
To: "seguridad-Security-Basics" <[EMAIL PROTECTED]>
Sent: Wednesday, March 13, 2002 6:31 PM
Subject: -Ipchains, iptables question


> Hello all,
>
> I'm looking for some information about how to configure ipchains and
> iptables in Linux. Can anyone recommend me some site to download some
> information about?
>
> Thanks,
>
> Csar
>
>




Re: IPChains PortFowarding

2002-03-05 Thread Garryck Osborne



>
> - Original message follows -

> >
> >IPChains does not do port forwarding.
>
> Ipchains does the port forwarding, but to the same machine, if you agree to
> use the concept of redirecting. It does not forward to some other machine.
>

Ok, this has been a very interesting thread, and I've followed it closely..
I have a related question, if I may..

I'm running a Frazierwall NAT/router for my home network firewall.  I've
gotten the firewall rules fairly well worked out, but have only just run
into the need for port forwarding.  I worked my way through the various
HOWTO's and have got it straight in my head, and more to the point, working,
but I came up against a situation I hadn't anticipated.

The firewall (based on the LRP) is running a 2.2.18 kernel, and hence
ipchains...   so, I used ipmasqadm to handle the port forwarding.  The
downside of this is that the IP address forwarded to must be fixed, and
cannot use DHCP as the rest of the machines on the network do.

My question is this:-  Is there any method now available which will permit
port forwarding to a host with a dynamically assigned IP address?


Garryck




Re: IPChains PortFowarding

2002-03-05 Thread Mike Fetherston

> >IPChains does not do port forwarding.
>
> Ipchains does the port forwarding, but to the same machine, if you agree to
> use the concept of redirecting. It does not forward to some other machine.

Since firewalls are most times in front of an entire LAN, IPChains would not
do portfowarding in that particular sense.  I see where you're coming from,
that IPChains forwards on the local box, but I believe the original poster's
question was more about Port Redirecting.

Mike Fetherston.



Re: IPChains PortFowarding

2002-03-03 Thread Edilson Osorio Junior


- Original message follows -

> If you really know what you're doing you could convert your script ahead of
>time, build your kernel for IPTables support, cross your fingers and reboot.
>If not, get a spare box and test your new script.  Follow my first statement
>ignoring the crossing of the fingers. :)

I think it too. It could be better if you really do it by yourself... These
kind of engines to automate all processes don't work perfectly (on most).


>
>I'm sure that there are a few IPChains -> IPTables conversion scripts that
>can be found at freshmeat.net, but I have not tried any and can't give you
>any direction in that manner.  I wouldn't fully trust the conversion either.
>
>IPChains does not do port forwarding.

Ipchains does the port forwarding, but to the same machine, if you agree to
use the concept of redirecting. It does not forward to some other machine.


>
>Mike Fetherston.




Cheers
___
Edilson Osorio Junior
4Solutions Informática
Divisão NetHawk - Consultoria e Segurança de Redes




Re: IPChains PortFowarding

2002-03-03 Thread Teodor Cimpoesu

Hi rsavage!
On Thu, 28 Feb 2002, [EMAIL PROTECTED] wrote:

> Yeah - that's what I figured.  Do you know (or anyone else) know of a good
> IPChains -to-> IPTables converter script?  Something somebody might have
> already tried?
> 
If you want to avoid downtime why don't you just hand the ipchains rules to
a security specialist who knows both of them with sensitive information
removed (real ip to $EXTERNAL_IP and the like).

You can have a 2.4 kernel support both ipchains and iptables (but one at a
time). Now you can try the translated rules w/ minimum downtime or you may set
up a different box w/ same configuration.

FWIW, iptables is much `smarter' than ipchains, just don't use irc helper
module ;) [kidding based on some rumors] and is worth upgrading to.

-- 
Teodor Cimpoesu
Software Developer, GeCAD Software 

phone/fax: +40 1 321 78 03
http://www.gecadsoftware.com 
http://www.ravantivirus.com



Re: IPChains PortFowarding

2002-03-01 Thread Mike Fetherston

If you really know what you're doing you could convert your script ahead of
time, build your kernel for IPTables support, cross your fingers and reboot.
If not, get a spare box and test your new script.  Follow my first statement
ignoring the crossing of the fingers. :)

I'm sure that there are a few IPChains -> IPTables conversion scripts that
can be found at freshmeat.net, but I have not tried any and can't give you
any direction in that manner.  I wouldn't fully trust the conversion either.

IPChains does not do port forwarding.

Mike Fetherston.

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 25, 2002 12:57 PM
Subject: IPChains PortFowarding


> All,
>
> Is it possible to do port-fowarding with ipchains, rather than using
> ipmasqadm, or ipportfw?  I have a firewall running linux 2.4.x kernel, and
> don't want to switch to iptables unless I have to.
>
> ipchains works just fine, but switching to iptables would require too much
> downtime.  Unless there is a rc.firewall converter app?
>
> Thanks,
>
> --
> Rory Savage
>
>



Re: IPChains PortFowarding

2002-03-01 Thread dewt

On Monday 25 February 2002 11:57 am, [EMAIL PROTECTED] wrote:
> All,
>
> Is it possible to do port-fowarding with ipchains, rather than using
> ipmasqadm, or ipportfw?  I have a firewall running linux 2.4.x kernel, and
> don't want to switch to iptables unless I have to.
no, you should really move onto iptables though 
> ipchains works just fine, but switching to iptables would require too much
> downtime.  Unless there is a rc.firewall converter app?
> Thanks,
not that i know of but there are some nice iptables rules at 
http://www.securityfocus.com/cgi-bin/unix_topics.pl?topic=fwrules 



Re: IPChains PortFowarding

2002-02-28 Thread Rodrigo Barbosa

On Mon, Feb 25, 2002 at 12:57:58PM -0500, [EMAIL PROTECTED] wrote:
> Is it possible to do port-fowarding with ipchains, rather than using
> ipmasqadm, or ipportfw?  I have a firewall running linux 2.4.x kernel, and
> don't want to switch to iptables unless I have to.

No, there is no way to do that with ipchains. You can try rinetd, if you
really don't want to change.

> ipchains works just fine, but switching to iptables would require too much
> downtime.  Unless there is a rc.firewall converter app?

I have seen some of these around, but never tested one.

-- 
 Rodrigo Barbosa   - rodrigob at tisbrasil.com.br
 TIS   - Belo Horizonte, MG, Brazil
 "Quis custodiet ipsos custodes?"  - http://www.tisbrasil.com.br/
 Brainbench Certified -> Transcript ID #3332104




Re: ipchains

2002-01-19 Thread Laurent Delpierre

INTERFACE_INTERNET="eth1"
LOCALNET="10.1.1.2/24"

echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -A forward -i $INTERFACE_INTERNET -s $LOCALNET -j MASQ

try http://www.linux-firewall-tools.com/linux/firewall/index.html


- Original Message - 
From: "M. Wolffensperger" <[EMAIL PROTECTED]>
To: "Christopher Astbury" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, January 17, 2002 12:07 AM
Subject: ipchains


> 
> 
> I have a problem with Redhat linux 7.2.
> I have installed ipchains now I want to create some chains so that
> the client machines can use the linuxbox as a router  I did the
> following.
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> So far no problem
> 
> Then I want to add a chain as follows.
> ipchains -A forward -s 10.1.1.2/24 -d 0.0.0.0/0 -j MASQ
> 
> But then I got the following error 
> ipchains: protocol unknown 
> 
> 
> Met vriendelijke groet, 
>  
> Martijn Wolffensperger 
>  
> Networking Expertise Holland 
> Pachter 16 
> 3834 CE Leusden 
> Telefoon 033 - 4343075 
> Fax 033 - 4343080 
>  




Re: ipchains

2002-01-18 Thread Patrick Benson

"M. Wolffensperger" wrote:
> 
> 
> 
> I have a problem with Redhat linux 7.2.
> I have installed ipchains now I want to create some chains so that
> the client machines can use the linuxbox as a router  I did the
> following.
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> So far no problem
> 
> Then I want to add a chain as follows.
> ipchains -A forward -s 10.1.1.2/24 -d 0.0.0.0/0 -j MASQ
> 
> But then I got the following error
> ipchains: protocol unknown

If you type uname -a you'll see if it's a 2.2.x or 2.4.x based kernel.
Chances are it's a 2.4.x kernel with iptables + netfilter enabled.
Ipchains will not work with those running on your system, even if you
have just installed ipchains. You will need to re-compile a kernel,
preferably with ipchains and iptables as modules, and you load one of
those when you boot your machine. The advantage of compiling both as
modules is that you can test both methods of packet filtering without
re-compiling more kernels..


-- 
Patrick Benson
Stockholm, Sweden



Re: ipchains & iptables together???

2002-01-06 Thread Rodrigo Barbosa

On Wed, Jan 02, 2002 at 10:11:28AM -0800, Octavio / Super wrote:
> Almost everybody answered "no" already. :)
> 
> As a firewall, you should definitely go with iptables. As a NAT, it depends on your 
> needs, because there are still a lot of modules for ipchains, and (AFAIK) only the 
> FTP is ported to iptables.

That is not quite right.
IPTABLES uses a module called conntrack, which by itself should solve most
of your NAT needs without special tweakies, like ipchains needed.

[]s

-- 
 Rodrigo Barbosa   - rodrigob at tisbrasil.com.br
 TIS   - Belo Horizonte, MG, Brazil
 "Quis custodiet ipsos custodes?"  - http://www.tisbrasil.com.br/




Re: ipchains & iptables together???

2002-01-03 Thread Dan

If you have both of them starting on boot, only IPCHAINS will 
start. IPTABLES will be disabled... plus there is no benefit 
running both of them... just tighten up one or the other. I use 
iptables and SHOREWALL or check out SEAWALL for ipchains.



At 05:42 PM 12/30/2001 -0600, you wrote:
>On Friday 28 December 2001 09:38 am, Shinta H Leagazpi wrote:
> > can I use both ipchains and iptables at the same time???
> >
>no




Re: ipchains & iptables together???

2002-01-03 Thread TD - Sales International Holland B.V.

On Sunday 30 December 2001 18:06, Michael Gegerfelt stuffed this into my 
mailbox:

Of course iptables would be the better one. It has a more thorough knowledge 
of connections and keeps track of them. There should be some other advantages 
but I don't know which :-). Anyways, ipchains is a stateless firewall whereas 
iptables is stateful. Besides that, iptables has a load more options 
which can protect you from floods n stuff...

regards


> I would like to add to that question. I don't believe that you can
> use both of them at the same time because it is two different types
> of firewalls. However, my question is which of them is the better one
> to use? Is there any drawbacks by using one or the other?
>
>
> .:: michael . gegerfelt ::.
> [EMAIL PROTECTED]
> icq: 14968813
>
>all email is scanned by norton anti-virus
>
> - -Original Message-
> From: Shinta H Leagazpi [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 28, 2001 4:38 PM
> To: sec
> Subject: ipchains & iptables together???
>
>
> can I use both ipchains and iptables at the same time???
>



RE: ipchains & iptables together???

2002-01-03 Thread Octavio / Super

Almost everybody answered "no" already. :)

As a firewall, you should definitely go with iptables. As a NAT, it depends on your 
needs, because there are still a lot of modules for ipchains, and (AFAIK) only the FTP 
is ported to iptables.

Octavio.

At 06:06 p.m. 30/12/2001 +0100, you wrote:
> 
>
>I would like to add to that question. I don't believe that you can
>use both of them at the same time because it is two different types
>of firewalls. However, my question is which of them is the better one
>to use? Is there any drawbacks by using one or the other?
>
> 
>.:: michael . gegerfelt ::.
>[EMAIL PROTECTED]
>icq: 14968813
> 
>   all email is scanned by norton anti-virus
>
>- -Original Message-
>From: Shinta H Leagazpi [mailto:[EMAIL PROTECTED]] 
>Sent: Friday, December 28, 2001 4:38 PM
>To: sec
>Subject: ipchains & iptables together???
>
>
>can I use both ipchains and iptables at the same time??? 
>




RE: ipchains & iptables together???

2002-01-03 Thread Gaziel, Avishay

 

Hi,
both cannot be compiled into the same kernel (I mean, technically
possible but why do that?)
I would go with the one easiest to learn. There is nothing worse than
a misconfigured FW. And a simple but effective rule base is essential.
If you are a beginner with FW then I personally recommend IpFilter.


Gaziel Avishay, 
Information Risk Management
KPMG Somekh-Chaikin
Tel-972-3-6848606/591


- -Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: ?? 31 ? 2001 19:40?
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: ipchains & iptables together???


 

why would you want to?

I'd recommend going with iptables...


/*
 * Woody Hughes
 * Sr. Info Security Analyst
 * Security Products Services
 * Corporate Information Protection Division
 * 
 * [EMAIL PROTECTED]
 * Phone: 415.243.5846
 * Fax: 415.975.7468
 * Cell: 925.784.1230
 */

- - -Original Message-
From: Shinta H Leagazpi [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 28, 2001 7:38 AM
To: sec
Subject: ipchains & iptables together???


can I use both ipchains and iptables at the same time??? 




Re: ipchains & iptables together???

2002-01-02 Thread Rodrigo Barbosa

On Sun, Dec 30, 2001 at 06:06:06PM +0100, Michael Gegerfelt wrote:
> I would like to add to that question. I don't believe that you can
> use both of them at the same time because it is two different types
> of firewalls. However, my question is which of them is the better one
> to use? Is there any drawbacks by using one or the other?

Well, I may be a little off on this, so please correct me if I'm wrong.
All I'm writing is based on a presentation I watched with one of the
Netfilter developers (Harald).

If you are using Linux Kernel 2.4, it doesn't matter if you are using
ipchains or iptables. What you are really using is the Netfilter code.
The ipchains and iptables codes are just hooks on the Netfilter code.
So, although the command syntax is the same, the ipchains code changed.

Keeping that in mind, you notice that ipchains only has 3 hooks, while
iptables has 6 hooks (3 on the regular table, and 3 on the nat table).
You also have to consider that iptables provides stateful packet inspection.

All in all, iptables will provide you with a much better interface to
the Netfilter code. And if you are worried about some bug in the code,
just keep in mind that the code is the same. You only use different hooks.
So a bug in the code would affect both interfaces.

All that said, you should definitely use iptables.

-- 
 Rodrigo Barbosa   - rodrigob at tisbrasil.com.br
 TIS   - Belo Horizonte, MG, Brazil
 "Quis custodiet ipsos custodiet?" - http://www.tisbrasil.com.br/




Re: ipchains & iptables together???

2002-01-02 Thread Lim Ghee Lam

Hi,

I don't think so. Either you use iptables or ipchains. If you build the 
kernel for 2.4.X, you have the option of either using iptables or ipchains 
style...

I don't think 2.2.X has support for iptables. Still I might be wrong. :-)

Happy New Year

Regards

LIM GHEE LAM




Re: ipchains & iptables together???

2002-01-02 Thread dewt

On Friday 28 December 2001 09:38 am, Shinta H Leagazpi wrote:
> can I use both ipchains and iptables at the same time???
>
no



RE: ipchains & iptables together???

2002-01-02 Thread Woody . Hughes

 

why would you want to?

I'd recommend going with iptables...


/*
 * Woody Hughes
 * Sr. Info Security Analyst
 * Security Products Services
 * Corporate Information Protection Division
 * 
 * [EMAIL PROTECTED]
 * Phone: 415.243.5846
 * Fax: 415.975.7468
 * Cell: 925.784.1230
 */

- -Original Message-
From: Shinta H Leagazpi [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 28, 2001 7:38 AM
To: sec
Subject: ipchains & iptables together???


can I use both ipchains and iptables at the same time??? 




Re: ipchains & iptables together???

2002-01-02 Thread Zeshan Ghory

On Fri, Dec 28, 2001 at 11:38:21PM +0800, Shinta H Leagazpi ([EMAIL PROTECTED]) 
wrote:

> can I use both ipchains and iptables at the same time??? 

No. They are mutually exclusive.


Zeshan





Re: ipchains & iptables together???

2002-01-02 Thread David Correa

On Fri, 28 Dec 2001, Shinta H Leagazpi wrote:
> can I use both ipchains and iptables at the same time???

Shinta,

You can not. You will have to remove the ipchains
module before you can use iptables.

iptables requires a 2.4.X kernel.
iptables/netfilter is more advanced code

These are some URLs for your reference

http://netfilter.samba.org/
http://www.linux-tech.com/iptables-tutorial.html
http://www.cs.princeton.edu/~jns/security/iptables/

::dc::

David Correa RHCE CCNA
http://www.linux-tech.com




RE: ipchains & iptables together???

2002-01-02 Thread Michael Gegerfelt

 

I would like to add to that question. I don't believe that you can
use both of them at the same time because it is two different types
of firewalls. However, my question is which of them is the better one
to use? Is there any drawbacks by using one or the other?

 
.:: michael . gegerfelt ::.
[EMAIL PROTECTED]
icq: 14968813
 
   all email is scanned by norton anti-virus

- -Original Message-
From: Shinta H Leagazpi [mailto:[EMAIL PROTECTED]] 
Sent: Friday, December 28, 2001 4:38 PM
To: sec
Subject: ipchains & iptables together???


can I use both ipchains and iptables at the same time??? 






RE: ipchains

2001-11-30 Thread Dustin Puryear

Are you using OpenSSH? If so, you can disable host lookups. I'm not so sure
about commercial SSH.

Anyway, I ran into this problem when servers in our DMZ were taking forever
to log into because they were trying to look up addresses for our internal
hosts, which naturally wasn't working. We could have set up /etc/hosts on
them, but then we would have provided a map of our internal network in the
DMZ. Instead, we just turned off the lookups altogether.

Regards, Dustin

> -Original Message-
> From: aman [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, November 27, 2001 11:30 AM
> To: Slava Bouttchenko
> Cc: [EMAIL PROTECTED]
> Subject: Re: ipchains
>
>
> True. The speed is better when I made the entry in the /etc/hosts file.
> The connection is quick when I remove firewall, though we should
> expect DNS
> lookup then too.
> Suggestions?
> Aman
>
> - Original Message -
> From: "Slava Bouttchenko" <[EMAIL PROTECTED]>
>
> > i have seen sshd working slow on oppening connection because it requires
> > DNS resolution for specific host. look into this.
> >
> > slava
>




Re: ipchains

2001-11-29 Thread Liam Reimers

Aman,

Try opening up port 53 UDP so DNS requests can go through. SSH will hang on 
authentication for a long time if nameservices are blocked.

--Liam

At 10:37 AM 11/27/2001 -0600, aman raheja wrote:
>If I drop the firewall, the connection is instant, no time lag.
>Suggestions?
>Aman
>
>>From: "TD - Sales International Holland B.V." <[EMAIL PROTECTED]>
>>To: "aman raheja" <[EMAIL PROTECTED]>
>>Subject: Re: ipchains
>>Date: Tue, 27 Nov 2001 10:48:45 +0100
>>
>>On Saturday 24 November 2001 19:35, you wrote:
>>
>>Might be the DNS look-up. Although I've seen establishing ssh connections 
>>that took a while with hosts that are know to the dns servers. What 
>>happens if you drop the firewall and then connect to it?
>>
>>regards
>>
>> > hi all
>> > i have configured ipchains on my linux 7.1 box.
>> > the 3 rules (in order) do the following
>> > 1> accept src 0.0.0.0/0 port * dst hostA port 22
>> > 2> accept src hostA port 22 dst 0.0.0.0/0 port *
>> > 3> deny src 0.0.0.0/0 port * dst 0.0.0.0/0 port *
>> > I intend to allow ssh on hostA, and deny everything else.
>> > It works but it takes too long for the connection to establish even when =
>> > I
>> > am doing ssh from hostA to hostA itself. I wonder why?
>> > Suggestions?
>> > Aman
>


Liam Reimers, Senior Systems Programmer
ULTIMATE Internet Access, Inc.
(909) 482-1634  (800) 982-6898
http://www.uia.net
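
The delay discussed in this thread can be traced rule by rule. The following Python sketch is an added example, not code from any poster: it models the three posted rules as one first-match list (an assumption, since the post does not say which chain each rule sits in), uses constructed addresses for hostA, a resolver and a client, and shows that hostA's own DNS traffic falls through to the final deny until UDP port 53 is opened as suggested above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses (documentation ranges), not taken from the thread.
HOST_A, RESOLVER, CLIENT = "192.0.2.10", "192.0.2.53", "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                   # "ACCEPT" or "DENY"
    src: str = "0.0.0.0/0"
    sport: Optional[int] = None   # None matches any port
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    proto: Optional[str] = None   # None matches any protocol

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def verdict(rules, packet, policy="ACCEPT"):
    """Stateless first-match evaluation: the first matching rule decides."""
    for rule in rules:
        if rule.matches(packet):
            return rule.target
    return policy


# The three rules from the original post, in the posted order.
POSTED_RULES = [
    Rule("ACCEPT", dst=HOST_A, dport=22),
    Rule("ACCEPT", src=HOST_A, sport=22),
    Rule("DENY"),
]

# Hypothetical fix: allow hostA's queries to one resolver and the replies.
# Narrowing to a single resolver address is this example's choice.
WITH_DNS = [
    Rule("ACCEPT", proto="udp", src=HOST_A, dst=RESOLVER, dport=53),
    Rule("ACCEPT", proto="udp", src=RESOLVER, sport=53, dst=HOST_A),
] + POSTED_RULES

# Constructed packets: an ssh login plus the reverse lookup sshd triggers.
SAMPLE_PACKETS = {
    "ssh request": Packet("tcp", CLIENT, 40000, HOST_A, 22),
    "ssh reply": Packet("tcp", HOST_A, 22, CLIENT, 40000),
    "dns query": Packet("udp", HOST_A, 1025, RESOLVER, 53),
    "dns reply": Packet("udp", RESOLVER, 53, HOST_A, 1025),
    "telnet probe": Packet("tcp", CLIENT, 40001, HOST_A, 23),
}


def evaluate(rules):
    """Return the verdict for every sample packet under the given rules."""
    return {name: verdict(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("posted rules", POSTED_RULES),
                         ("with DNS opened", WITH_DNS)):
        print(label)
        for name, result in evaluate(rules).items():
            print(f"  {name:13} {result}")
```

With the posted rules the ssh packets pass but both DNS packets are denied, which matches a login that works only after a resolver timeout; the added DNS rules change nothing for the telnet probe.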




Re: ipchains

2001-11-29 Thread _

Aman,

Sounds like your ipchains are the following:

1.) $ipchains -A input -i eth0 -s 0/0 -d $hostA 22 -j ACCEPT
2.) $ipchains -A output -i eth0 -s $hostA 22 -d 0/0 -j ACCEPT
3.) $ipchains -A input -i eth0 -s 0/0 -d 0/0 -j DENY

Am I right?

If so, I would make this modification:

change the second rule to this:

$ipchains -A output -i eth0 -s $hostA -d 0/0 22 -j ACCEPT

The second rule seemed to be anticipating your outgoing process to spawn
from the connection port. (Assuming I properly interpreted what you
wrote.) Your processes should spawn from 1024:65535, so you can just as
easily add that (-s $hostA 1024:65535) 

I would additionally use ssh -v localhost to help troubleshoot the problem.

Hope it helps.

Justin


On Tue, 27 Nov 2001, aman raheja wrote:

> If I drop the firewall, the connection is instant, no time lag.
> Suggestions?
> Aman
> 
> >
> >Might be the DNS look-up. Although I've seen establishing ssh connections 
> >that took a while with hosts that are know to the dns servers. What happens 
> >if you drop the firewall and then connect to it?
> >
> > > hi all
> > > i have configured ipchains on my linux 7.1 box.
> > > the 3 rules (in order) do the following
> > > 1> accept src 0.0.0.0/0 port * dst hostA port 22
> > > 2> accept src hostA port 22 dst 0.0.0.0/0 port *
> > > 3> deny src 0.0.0.0/0 port * dst 0.0.0.0/0 port *
> > > I intend to allow ssh on hostA, and deny everything else.
> > > It works but it takes too long for the connection to establish even when 
> >=
> > > I
> > > am doing ssh from hostA to hostA itself. I wonder why?
> > > Suggestions?




Re: ipchains

2001-11-29 Thread _

Disregard that email I just sent, didn't notice you were actually getting
a connection, even though it was *slow*.

-- Forwarded message --
Date: Wed, 28 Nov 2001 11:15:29 -0700 (MST)
From: _ <[EMAIL PROTECTED]>
To: aman raheja <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: ipchains

Aman,

Sounds like your ipchains are the following:

1.) $ipchains -A input -i eth0 -s 0/0 -d $hostA 22 -j ACCEPT
2.) $ipchains -A output -i eth0 -s $hostA 22 -d 0/0 -j ACCEPT
3.) $ipchains -A input -i eth0 -s 0/0 -d 0/0 -j DENY

Am I right?

If so, I would make this modification:

change the second rule to this:

$ipchains -A output -i eth0 -s $hostA -d 0/0 22 -j ACCEPT

The second rule seemed to be anticipating your outgoing process to spawn
from the connection port. (Assuming I properly interpreted what you
wrote.) Your processes should spawn from 1024:65535, so you can just as
easily add that (-s $hostA 1024:65535) 

I would additionally use ssh -v localhost to help troubleshoot the problem.

Hope it helps.



On Tue, 27 Nov 2001, aman raheja wrote:

> If I drop the firewall, the connection is instant, no time lag.
> Suggestions?
> Aman
> 
> >
> >Might be the DNS look-up. Although I've seen establishing ssh connections 
> >that took a while with hosts that are know to the dns servers. What happens 
> >if you drop the firewall and then connect to it?
> >
> > > hi all
> > > i have configured ipchains on my linux 7.1 box.
> > > the 3 rules (in order) do the following
> > > 1> accept src 0.0.0.0/0 port * dst hostA port 22
> > > 2> accept src hostA port 22 dst 0.0.0.0/0 port *
> > > 3> deny src 0.0.0.0/0 port * dst 0.0.0.0/0 port *
> > > I intend to allow ssh on hostA, and deny everything else.
> > > It works but it takes too long for the connection to establish even when 
> >=
> > > I
> > > am doing ssh from hostA to hostA itself. I wonder why?
> > > Suggestions?





Re: ipchains

2001-11-29 Thread dewt

On Saturday 24 November 2001 12:35 pm, aman raheja wrote:
> hi all
> i have configured ipchains on my linux 7.1 box.
> the 3 rules (in order) do the following
> 1> accept src 0.0.0.0/0 port * dst hostA port 22
> 2> accept src hostA port 22 dst 0.0.0.0/0 port *
> 3> deny src 0.0.0.0/0 port * dst 0.0.0.0/0 port *
> I intend to allow ssh on hostA, and deny everything else.
> It works but it takes too long for the connection to establish even when =
> I
> am doing ssh from hostA to hostA itself. I wonder why?
> Suggestions?
> Aman
>
sounds like a name resolution delay, try adding the ip and name of your host 
into the /etc/hosts, or try ssh'ing to 127.0.0.1 or something, if it's fast 
then that's the problem



Re: ipchains

2001-11-28 Thread aman raheja

Making an entry in the /etc/hosts resolved the reverse DNS look up problem. 
Thanks all for assistance.
Aman


>From: "aman raheja" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: ipchains
>Date: Sat, 24 Nov 2001 12:35:22 -0600
>
>hi all
>i have configured ipchains on my linux 7.1 box.
>the 3 rules (in order) do the following
>1> accept src 0.0.0.0/0 port * dst hostA port 22
>2> accept src hostA port 22 dst 0.0.0.0/0 port *
>3> deny src 0.0.0.0/0 port * dst 0.0.0.0/0 port *
>I intend to allow ssh on hostA, and deny everything else.
>It works but it takes too long for the connection to establish even when =
>I
>am doing ssh from hostA to hostA itself. I wonder why?
>Suggestions?
>Aman
>
>




Re: ipchains

2001-11-28 Thread aman

True. The speed is better when I made the entry in the /etc/hosts file.
The connection is quick when I remove firewall, though we should expect DNS
lookup then too.
Suggestions?
Aman

- Original Message -
From: "Slava Bouttchenko" <[EMAIL PROTECTED]>

> i have seen sshd working slow on oppening connection because it requires
> DNS resolution for specific host. look into this.
>
> slava



Re: ipchains

2001-11-28 Thread aman raheja

If I drop the firewall, the connection is instant, no time lag.
Suggestions?
Aman

>From: "TD - Sales International Holland B.V." <[EMAIL PROTECTED]>
>To: "aman raheja" <[EMAIL PROTECTED]>
>Subject: Re: ipchains
>Date: Tue, 27 Nov 2001 10:48:45 +0100
>
>On Saturday 24 November 2001 19:35, you wrote:
>
>Might be the DNS look-up. Although I've seen establishing ssh connections 
>that took a while with hosts that are know to the dns servers. What happens 
>if you drop the firewall and then connect to it?
>
>regards
>
> > hi all
> > i have configured ipchains on my linux 7.1 box.
> > the 3 rules (in order) do the following
> > 1> accept src 0.0.0.0/0 port * dst hostA port 22
> > 2> accept src hostA port 22 dst 0.0.0.0/0 port *
> > 3> deny src 0.0.0.0/0 port * dst 0.0.0.0/0 port *
> > I intend to allow ssh on hostA, and deny everything else.
> > It works but it takes too long for the connection to establish even when 
>=
> > I
> > am doing ssh from hostA to hostA itself. I wonder why?
> > Suggestions?
> > Aman





Re: ipchains

2001-11-27 Thread Richard Garand


On November 24, 2001 12:35 pm, aman raheja wrote:
> It works but it takes too long for the connection to establish even when =
> I
> am doing ssh from hostA to hostA itself. I wonder why?
> Suggestions?

That generally means that something times out every time you connect - one 
popular problem is DNS (for example, it might be doing a reverse lookup on 
your IP, but doing it in a way that never succeeds, forcing it to time out 
before accepting). I don't know exactly how you would go about finding where 
that's from though.
- -- 
Richard Garand   - r i c h a r d @ g a r a n d n e t . n e t
(L)ICQ: 12190132 - http://www.garandnet.net
"...systems wrongly configured with Microsoft SQL Server software..." -- ZDNet



Re: ipchains

2001-11-27 Thread Gonçalo Gomes


On Sat, 24 Nov 2001, aman raheja wrote:
> hi all
> i have configured ipchains on my linux 7.1 box.
> the 3 rules (in order) do the following
> 1> accept src 0.0.0.0/0 port * dst hostA port 22
> 2> accept src hostA port 22 dst 0.0.0.0/0 port *
> 3> deny src 0.0.0.0/0 port * dst 0.0.0.0/0 port *
> I intend to allow ssh on hostA, and deny everything else.
> It works but it takes too long for the connection to establish even when =
> I
> am doing ssh from hostA to hostA itself. I wonder why?
> Suggestions?
> Aman
>

For minimum delay, add the following line:

/sbin/ipchains -A input -p tcp -d 0/0 22 -t 0x01 0x10

Hope it helps,
-Gonçalo.




Re: IPChains logs

2001-11-12 Thread Baba Bogdan


Hi,
well, usually ipchains logs are stored in /var/log/ but only if you specify
-l at the end of the string.

ex : ipchains -A input -s ip -j DENY -l

I don't know where ipchains outputs the logs

but what I do on any of my boxes is log all the stuff like secure, kern,
info in /var/log/messages; I only log the mail stuff in /var/log/maillog


Baba Bogdan


On 8 Nov 2001, Tommy F. wrote:

>
> I am running IPChains with portsentry on mandrake 8.1 and I was trying
> to find the logs for IPChains?  Where would these be stored?  I have
> looked in /var/log but I am not seeing much.  Thanks in advance.
>
> +=+=+=+=+=+=+=+=+=+=+=+=+=+
> Tommy
> www.security-protocols.com
> +=+=+=+=+=+=+=+=+=+=+=+=+=+
>




Re: IPChains logs

2001-11-12 Thread Thomas Zell

At 18:51 08.11.01, you wrote:

>I am running IPChains with portsentry on mandrake 8.1 and I was trying
>to find the logs for IPChains?  Where would these be stored?  I have
>looked in /var/log but I am not seeing much.  Thanks in advance.
>

As described in the IPCHAINS-HOWTO (chapter 4) logging is triggered with 
the '-l' flag set. Usually the information goes to /var/log/messages as 
defined in /etc/syslog.conf about 'kern.info' messages. There are also some 
utilities available which make reading the log files easier, e. g. 
ipchains2mysql: http://www-user.tu-chemnitz.de/~als/software/ipchains/ (I 
haven't used it, it was just the first thing that google found...)
Bye,
Thomas




http://www.allroy.de/
[EMAIL PROTECTED]
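
Once rules carry -l, the kernel lines that land in /var/log/messages can be summarised with a short script. The following Python parser is an added example, not one of the utilities mentioned in the thread; the sample lines are constructed, and the field layout (including the optional SYN marker and rule number) is assumed from the "Packet log:" line quoted earlier on this page.

```python
import re
from collections import Counter

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Assumed layout: chain, action, interface, PROTO, src:port, dst:port,
# L (length), S (TOS), I (IP id), F (fragment field), T (TTL),
# then an optional SYN marker and an optional (#rule-number).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)?(?: \(#(?P<rule>\d+)\))?"
)

# Constructed sample of /var/log/messages content (documentation addresses).
SAMPLE_LOG = """\
Nov  8 18:51:02 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:40000 192.0.2.10:23 L=60 S=0x00 I=4711 F=0x4000 T=52 SYN (#3)
Nov  8 18:51:05 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:40001 192.0.2.10:23 L=60 S=0x00 I=4712 F=0x4000 T=52 SYN (#3)
Nov  8 18:52:10 fw kernel: Packet log: output DENY eth0 PROTO=6 192.0.2.10:80 203.0.113.9:2002 L=48 S=0x00 I=9001 F=0x4000 T=64 (#2)
Nov  8 18:52:11 fw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.53:53 192.0.2.10:1025 L=34 S=0x00 I=18 F=0x0000 T=254 (#3)
Nov  8 18:53:00 fw sshd[812]: Connection from 198.51.100.7 port 40002
""".splitlines()


def parse_line(line):
    """Return a dict for an ipchains packet-log line, or None for other lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length", "ip_id", "ttl"):
        rec[key] = int(rec[key])
    rec["proto"] = PROTO_NAMES.get(int(rec["proto"]), rec["proto"])
    rec["syn"] = rec["syn"] is not None
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    return rec


def records(lines):
    """Parse every line and keep only the ipchains packet-log entries."""
    return [r for r in map(parse_line, lines) if r is not None]


def denied_by_rule(lines):
    """Count denied packets per (chain, rule number)."""
    return Counter((r["chain"], r["rule"])
                   for r in records(lines) if r["action"] == "DENY")


def connection_attempts(lines):
    """Denied TCP packets with SYN set: new connections, per (source, port)."""
    return Counter((r["src"], r["dport"]) for r in records(lines)
                   if r["action"] == "DENY" and r["proto"] == "tcp" and r["syn"])


def non_syn_tcp(lines):
    """Denied TCP packets without SYN: traffic on an existing exchange."""
    return [r for r in records(lines)
            if r["action"] == "DENY" and r["proto"] == "tcp" and not r["syn"]]


if __name__ == "__main__":
    print("denied per rule:", dict(denied_by_rule(SAMPLE_LOG)))
    print("new connection attempts:", dict(connection_attempts(SAMPLE_LOG)))
    for r in non_syn_tcp(SAMPLE_LOG):
        print("non-SYN deny:", r["src"], r["sport"], "->", r["dst"], r["dport"])
```

Separating SYN from non-SYN denies keeps a server's reply packets from being read as connections it initiated.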




Re: IPChains logs

2001-11-12 Thread dewt

On Thursday 08 November 2001 11:51 am, Tommy F. wrote:
> I am running IPChains with portsentry on mandrake 8.1 and I was trying
> to find the logs for IPChains?  Where would these be stored?  I have
> looked in /var/log but I am not seeing much.  Thanks in advance.
>
ipchains won't log unless you tell it to on a per rule basis, and you're 
prolly not logging. Add a -l to your rules (that's a lowercase l) 



Re: IPChains logs

2001-11-12 Thread J. Reilink


"Tommy F." wrote:
> 
> I am running IPChains with portsentry on mandrake 8.1 and I was
> trying to find the logs for IPChains?  Where would these be stored?
>  I have looked in /var/log but I am not seeing much.  Thanks in
> advance.

~# man ipchains
and uninstall portsentry (which is what I would do, I don't like
that program :-)

Or perhaps http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html

Grtz, Jan

- -- 
Dutch Security Information Network : http://www.dsinet.org
alt.hack.nl FAQ : http://www.dsinet.org/hackfaq
PGP-key : http://www.dsinet.org/digiover/pgp-key/pgp-key.asc
mailto:[EMAIL PROTECTED]




Re: IPChains logs

2001-11-10 Thread Tom Fischer


On Thursday, 8 November 2001 18:51, you wrote:
> I am running IPChains with portsentry on mandrake 8.1 and I was trying
> to find the logs for IPChains?  Where would these be stored?  I have
> looked in /var/log but I am not seeing much.  Thanks in advance.

Normally they're stored in /var/log/messages or /var/log/sys.log depending on
your /etc/syslog.conf. Do you have rules marked with the -l option?

- --
Tom Fischer             ABH Marketingservice GmbH
System Administrator    Weisshaustraße 23a
Tel: 0221-94400446      50939 Köln
http://www.abh.de





RE: IPChains logs

2001-11-10 Thread Chris Chandler

Should be in your /psionic/portsentry folder in the logs there

Tech Resolution
The complete IT solution for your small business 
[EMAIL PROTECTED]

-Original Message-
From: Tommy F. [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, November 08, 2001 12:52 PM
To: [EMAIL PROTECTED]
Subject: IPChains logs


I am running IPChains with portsentry on mandrake 8.1 and I was trying
to find the logs for IPChains?  Where would these be stored?  I have
looked in /var/log but I am not seeing much.  Thanks in advance.

+=+=+=+=+=+=+=+=+=+=+=+=+=+
Tommy
www.security-protocols.com
+=+=+=+=+=+=+=+=+=+=+=+=+=+






Re: ipchains, ipmasqadm

2001-09-20 Thread Bosko Radivojevic


On Tue, 18 Sep 2001, Daniel Chojecki wrote:

> Is it posible to redirect all traffic comming for 0.0/0 80 to local
> squid proxy using ipchains and ipmasqadm.

Using ipchains - yes. I'm not sure for ipmasqadm (I've never used it)

I'm using those lines for that. Of course, you have to enable 'IP
Transparent Proxy' in your kernel.

ipchains -A input -p TCP -d YOUR_IP/32 www -j ACCEPT (in case you have
your own web server)
ipchains -A input -p TCP -d 0/0 www -j REDIRECT 8080

> Conf:
> 2.2.19
> ipchains

It works for me: 2.2.18 & ipchains 1.3.9, 17-Mar-1999

Greetings





Re: ipchains vs.

2001-09-12 Thread Sandro Littke

Hi,

To get started with ipchains I recommend this very good book:

Robert Ziegler: Linux Firewalls (New Riders)

I don't agree that ipchains is completely outdated (yet). State machines, as 
come with iptables, _may_ increase your security. But bugs here leave your 
network wide open - we've already seen ways to this ;-) 

Sandro Littke.
-- 
Sandro Littke CIT Jena
Computer- und Informationstechnik
Consulting

Tel. +49 3641 363700, Fax 363701, mobil +49 172 5214549