question about ipchains on dual interface machine
Greetings,
Apologies for the length of this, I'm just running some thoughts through
my mind on a setup I have here.
I have a machine, X, 192.168.10.5, that has two modems in it. One
modem, /dev/ttyS2, dials into Y, 192.168.0.3 as needed, and the other,
/dev/ttyS0, into the Internet.
I want to deny ports 23, 37,137,139, etc, from the Internet, but allow
them from Y.
So i setup
/sbin/ipchains -I input -i ppp+ --destination-port=23 -p tcp -j REJECT
So as expected, this blocks port 23 on both ppp interfaces.
Now, since ppd 2.3.11 doesn't have the unit command, there's a
possiblity that the interfaces could get flipped around, ppp0 being ppp1
and vice versa, it all depends on whether a link is up or not when the
other tries to get out. So a simple -i ppp0 on the internet interface
won't work, cause it could be ppp1 at random
Now, I have two choices.
if [ $DEVICE == "/dev/ttyS2" ]; then
/sbin/ipchains -I input -i $IFNAME --destination-port=23 -p tcp -j
ACCEPT;
fi
in my /etc/ip-up.d/00fw
or i can
/sbin/ipchains -I input -i ppp+ -s 192.168.0.0/16 --destination-port=23
-p tcp -j ACCEPT
My question is, lets say I have a service on 23, that's vulnerable to
scrptkiddie.c. Assume a properly crafted packet can overflow it, and
open a rootshell on port ... 911. Can a spoofed packet be sent over the
69.69.69.69 interface, that says its source packet is 192.168.0.3, which
would be allowed through, causing this hypothetical exploit?
The second ipchains option seems a bit cleaner to me, but obviously no
good if the above situation is possible. If the ipchains table is
reset when either interface comes up, I suppose the rules will go away
from the /sbin/usr/ipmasq if it's the wrong connection on the pppX
interface, so the first ipchains should be possible
I suspect I've missed something somewhere in my understanding of
firewalling, is all.
Comments?
Thanks,
Mike
Reply to: