[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

ipchains and dhcpd on same machine, ipchains input and output rules problem. ... I guess



I have a network with large number of hosts and limited number of IP addresses,

I set Debian Linux Potato 2.2 r6 machine with kernel 2.2.19

///////////////////////////////////////////////////////////////////////////////////////////

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

 

# The loopback interface

iface lo inet loopback

 

# The first network card - this entry was created during the Debian installation

# (network, broadcast and gateway are optional)

iface eth0 inet static

        address x.y.z.66

        netmask 255.255.255.248

        network x.y.z.64

        broadcast x.y.z.71

        gateway x.y.z.65

iface eth1 inet static

        address 192.168.0.1

        netmask 255.255.255.0

        network 192.168.0.0

        broadcast 192.168.0.255

///////////////////////////////////////////////////////////////////////////////////////////

 

The machine should be able to provide cashing DNS, DHPC and MASQ

Currently internal machines with virtual IP (static not using DHCP) can access the internet, and they can resolve domain names from the linux box

But not DHCP

 

This is a sample of what I am getting in the /var/log/firewall

///////////////////////////////////////////////////////////////////////////////////////////

Jul 30 17:32:08 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=53760 F=0x0000 T=128 (#7)

Jul 30 17:32:11 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=54016 F=0x0000 T=128 (#7)

Jul 30 17:32:19 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=54272 F=0x0000 T=128 (#7)

Jul 30 17:32:21 leo kernel: Packet log: input DENY eth1 PROTO=17 169.254.179.33:138 169.254.255.255:138 L=229 S=0x00 I=32770 F=0x0000 T=128 (#7)

Jul 30 17:32:35 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=54528 F=0x0000 T=128 (#7)

Jul 30 17:33:22 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=8704 F=0x0000 T=128 (#7)

Jul 30 17:33:26 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=8960 F=0x0000 T=128 (#7)

Jul 30 17:33:35 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=9216 F=0x0000 T=128 (#7)

Jul 30 17:33:51 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=9472 F=0x0000 T=128 (#7)

///////////////////////////////////////////////////////////////////////////////////////////

 

the hosts are windows machines, all accept the 4th line above are failed attempts to access a DHCP server. è Not Normal

The 4th line is for a windows automatic IP after failing to access a DHCP server. And it is denied è Normal

 

Here is the output of ipchains –L

///////////////////////////////////////////////////////////////////////////////////////////

Chain input (policy DENY):

target     prot opt     source                destination           ports

ACCEPT     all  ------  anywhere             anywhere              n/a

DENY       all  ----l-  127.0.0.0/8          anywhere              n/a

ACCEPT     all  ------  192.168.0.0/24       anywhere              n/a

DENY       all  ----l-  192.168.0.0/24       anywhere              n/a

ACCEPT     all  ------  anywhere             leo.some.domain       n/a

ACCEPT     all  ------  anywhere             x.y.z.71              n/a

DENY       all  ----l-  anywhere             anywhere              n/a

Chain forward (policy DENY):

target     prot opt     source                destination           ports

MASQ       all  ------  192.168.0.0/24       anywhere              n/a

DENY       all  ----l-  anywhere             anywhere              n/a

Chain output (policy DENY):

target     prot opt     source                destination           ports

ACCEPT     all  ------  anywhere             anywhere              n/a

ACCEPT     all  ------  anywhere             192.168.0.0/24        n/a

ACCEPT    !tcp  ------  anywhere             BASE-ADDRESS.MCAST.NET/4  any ->

any

DENY       all  ----l-  anywhere             192.168.0.0/24        n/a

ACCEPT     all  ------  leo.casbec.com.eg    anywhere              n/a

ACCEPT     all  ------  x.y.z.71             anywhere              n/a

DENY       all  ----l-  anywhere             anywhere              n/a

///////////////////////////////////////////////////////////////////////////////////////////

 

If and only if I am correct then rules number 7 in input and output chains are responsible for this issue in addition the chain policy “DENY”

 

I deleted rule 7 from input and output chains and added a couple of “ACCEPT” rules, and also chainged the chains’ policy hoping to allow the dhcp requests in and the replies out.

///////////////////////////////////////////////////////////////////////////////////////////

Chain input (policy ACCEPT):

target     prot opt     source                destination           ports

ACCEPT     all  ------  anywhere             anywhere              n/a

DENY       all  ----l-  127.0.0.0/8          anywhere              n/a

ACCEPT     all  ------  192.168.0.0/24       anywhere              n/a

DENY       all  ----l-  192.168.0.0/24       anywhere              n/a

ACCEPT     all  ------  anywhere             leo.some.domain       n/a

ACCEPT     all  ------  anywhere             x.y.z.71              n/a

ACCEPT     all  ------  anywhere             anywhere              n/a

Chain forward (policy DENY):

target     prot opt     source                destination           ports

MASQ       all  ------  192.168.0.0/24       anywhere              n/a

DENY       all  ----l-  anywhere             anywhere              n/a

Chain output (policy ACCEPT):

target     prot opt     source                destination           ports

ACCEPT     all  ------  anywhere             anywhere              n/a

ACCEPT     all  ------  anywhere             192.168.0.0/24        n/a

ACCEPT    !tcp  ------  anywhere             BASE-ADDRESS.MCAST.NET/4  any ->

any

DENY       all  ----l-  anywhere             192.168.0.0/24        n/a

ACCEPT     all  ------  leo.casbec.com.eg    anywhere              n/a

ACCEPT     all  ------  x.y.z.71             anywhere              n/a

ACCEPT     all  ------  anywhere             anywhere              n/a

///////////////////////////////////////////////////////////////////////////////////////////

 

I know this is not the best setup from a security point of view

But I was just tring to figure out where the problem is

And yet it did not work

Same behaviour, as if I haven’t changed a single line.

I tried /etc/init.d/networking restart

I tried kill –HUP {pid of inetd}

I tried reboot è and only then there was a change all the modifications I did with ipchains disappeared and it returned to its default rules.

 

It seems there is some thing that I don’t understand about ipchains, or I got the whole thing wrong.

In all cases I need help

Any ideas

 

Thanks

TuT

 


Reply to: