ipchains
Hi all,
Having been frightened by looking at some of the logs on my server (smb.xxx),
I spent a good few hours last night setting up ipchains. I now have a
system that seems to be working and is as tight as I can make it, but I don't
think that it is actually right!!!
My configuration is as follows:
Internal network: class C, 192.168.0.xxx
Server: Debian 2.2 with kernel 2.2.12, dial-on-demand to the Internet with
diald.
I started off with the following:
echo 0 > /proc/sys/net/ipv4/ip_forward
ipchains -P input REJECT
ipchains -A input -j ACCEPT -s localhost
ipchains -A input -j ACCEPT -s localnet/24
ipchains -P forward REJECT
ipchains -A forward -j MASQ -s localnet/24
ipchains -P output ACCEPT
What I expected was "input will accept anything from my local net, forward
will masquerade everything from my localnet, output will send anything".
Unfortunately this did not work. The configuration I have now is:
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -P input REJECT
ipchains -A input -j ACCEPT -s localhost
ipchains -A input -j ACCEPT -s localnet/24
ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 www -p tcp
ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 ftp -p tcp
ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 ftp-data -p tcp
ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 domain -p udp
ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 smtp -p tcp
ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 pop-3 -p tcp
ipchains -P forward REJECT
ipchains -A forward -j MASQ -s localnet/24
ipchains -A forward -j MASQ -d localnet/24
ipchains -P output ACCEPT
This now works, but I find it very permissive. Anyone connecting from port
80 on a remote machine can connect to my telnet port!!!
I have 2 main questions:
1) What am I doing wrong?
2) I am about to update my kernel to linux-2.3.99-pre3 for other reasons.
What will security be like on this?
TIA
__ _ Debian GNU User
/ /(_)_ __ _ ___ __ Simon Martin
/ / | | '_ \| | | \ \/ / Project Manager
/ /__| | | | | |_| |> < Isys
\____/_|_| |_|\__,_/_/\_\ mailto: smartin@isys.cl
There is a chasm of carbon and silicon the software cannot bridge
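The ruleset below is an added example, not the configuration from the post above and not anything shipped by Debian. It shows how a 2.2 masquerading gateway is usually locked down with ipchains: forwarding switched on (with ip_forward=0 the forward chain never sees a packet, so the first ruleset could not masquerade anything), loopback and the LAN interface trusted, spoofed LAN addresses on the modem link dropped and logged, and, for the outside world, only the replies to masqueraded connections let in. Those replies arrive at the gateway's own address on the masquerade port range 61000:65096, and the TCP rule also requires `! -y` (not a SYN), so a remote host cannot open a new connection simply by choosing a convenient source port such as 80. The interface names (ppp0 for the modem, eth0 for the LAN) and the LAN address 192.168.0.0/24 are assumptions; the script must run as root, and with DRY_RUN=1 (or on a machine without ipchains) it only prints the commands it would run.

```shell
#!/bin/sh
# ipchains ruleset for a kernel 2.2 dial-on-demand masquerading gateway.
# Added example, not the configuration from the post. Assumptions: the
# LAN is 192.168.0.0/24 on eth0, the modem link is ppp0, and the gateway
# offers no services to the Internet. Run as root; with DRY_RUN=1, or
# without ipchains installed, it prints the commands instead of running them.
set -eu

LAN=192.168.0.0/24
LAN_IF=eth0
EXT_IF=ppp0
MASQ_PORTS=61000:65096      # reply port range used by the 2.2 masquerade code

# Execute a command, or echo it in dry-run mode.
run() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v ipchains >/dev/null 2>&1; then
        echo "$*"
    else
        "$@"
    fi
}

build_rules() {
    # Masquerading needs forwarding enabled; with ip_forward=0 the forward
    # chain never sees a packet.
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

    run ipchains -F
    run ipchains -P input DENY        # DENY drops silently; REJECT sends an error back
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT

    # Loopback and the LAN side are trusted.
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$LAN_IF" -s "$LAN" -j ACCEPT

    # Anti-spoofing: nothing claiming a LAN or loopback source may arrive on
    # the modem link. -l logs the attempt to syslog.
    run ipchains -A input -i "$EXT_IF" -s "$LAN" -l -j DENY
    run ipchains -A input -i "$EXT_IF" -s 127.0.0.0/8 -l -j DENY

    # Replies to masqueraded connections come back to the gateway's own
    # address on the masquerade port range. Only non-SYN TCP (! -y) is
    # accepted, so a remote host cannot open a connection by picking a
    # source port such as 80: the rule looks at what the packet is, not at
    # the port it claims to come from. UDP (e.g. DNS replies) uses the same
    # range.
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -d 0/0 "$MASQ_PORTS" -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp -d 0/0 "$MASQ_PORTS" -j ACCEPT

    # ICMP errors and ping replies for the masqueraded hosts.
    run ipchains -A input -i "$EXT_IF" -p icmp -j ACCEPT

    # Everything else arriving on the modem link is dropped and logged;
    # that covers inbound telnet, smtp, pop-3 and the rest.
    run ipchains -A input -i "$EXT_IF" -l -j DENY

    # Forward chain: only LAN sources are masqueraded out of the modem
    # link. In the forward chain -i names the outgoing interface.
    run ipchains -A forward -i "$EXT_IF" -s "$LAN" -j MASQ
}

build_rules
```

Run it with DRY_RUN=1 first and read the output; once the ruleset is live, `ipchains -L -n -v` shows the packet counters, and the `-l` rules put every dropped probe in syslog. Any service that must be reachable from outside gets its own explicit `-d <gateway address> <port> -p tcp -j ACCEPT` rule on the input chain ahead of the final DENY. On the second question: the 2.3.99 development kernels replace the ipchains firewalling code with netfilter, where ipchains rules only work through the ipchains compatibility module; the native tool there is iptables, whose connection tracking handles the reply-packet problem above without the masquerade port range trick.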