I have a network with a large number of hosts and a limited number of IP addresses. I set up a Debian Linux Potato 2.2 r6 machine with kernel 2.2.19:

///////////////////////////////////////////////////////////////////////////////////////////
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
iface eth0 inet static
    address x.y.z.66
    netmask 255.255.255.248
    network x.y.z.64
    broadcast x.y.z.71
    gateway x.y.z.65

iface eth1 inet static
    address 192.168.0.1
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
///////////////////////////////////////////////////////////////////////////////////////////
The machine should be able to provide caching DNS, DHCP and MASQ. Currently internal machines with a virtual IP (static, not using DHCP) can access the internet, and they can resolve domain names from the Linux box, but not DHCP.

This is a sample of what I am getting in /var/log/firewall:

///////////////////////////////////////////////////////////////////////////////////////////
Jul 30 17:32:08 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=53760 F=0x0000 T=128 (#7)
Jul 30 17:32:11 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=54016 F=0x0000 T=128 (#7)
Jul 30 17:32:19 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=54272 F=0x0000 T=128 (#7)
Jul 30 17:32:21 leo kernel: Packet log: input DENY eth1 PROTO=17 169.254.179.33:138 169.254.255.255:138 L=229 S=0x00 I=32770 F=0x0000 T=128 (#7)
Jul 30 17:32:35 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=54528 F=0x0000 T=128 (#7)
Jul 30 17:33:22 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=8704 F=0x0000 T=128 (#7)
Jul 30 17:33:26 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=8960 F=0x0000 T=128 (#7)
Jul 30 17:33:35 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=9216 F=0x0000 T=128 (#7)
Jul 30 17:33:51 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=9472 F=0x0000 T=128 (#7)
///////////////////////////////////////////////////////////////////////////////////////////

The hosts are Windows machines. All except the 4th line above are failed attempts to access a DHCP server -> not normal. The 4th line is for a Windows automatic IP after failing to access a DHCP server, and it is denied -> normal.

Here is the output of ipchains -L:

///////////////////////////////////////////////////////////////////////////////////////////
Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  anywhere              anywhere              n/a
DENY       all  ----l-  127.0.0.0/8           anywhere              n/a
ACCEPT     all  ------  192.168.0.0/24        anywhere              n/a
DENY       all  ----l-  192.168.0.0/24        anywhere              n/a
ACCEPT     all  ------  anywhere              leo.some.domain       n/a
ACCEPT     all  ------  anywhere              x.y.z.71              n/a
DENY       all  ----l-  anywhere              anywhere              n/a
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.0.0/24        anywhere              n/a
DENY       all  ----l-  anywhere              anywhere              n/a
Chain output (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  anywhere              anywhere              n/a
ACCEPT     all  ------  anywhere              192.168.0.0/24        n/a
ACCEPT     !tcp ------  anywhere              BASE-ADDRESS.MCAST.NET/4   any ->   any
DENY       all  ----l-  anywhere              192.168.0.0/24        n/a
ACCEPT     all  ------  leo.casbec.com.eg     anywhere              n/a
ACCEPT     all  ------  x.y.z.71              anywhere              n/a
DENY       all  ----l-  anywhere              anywhere              n/a
///////////////////////////////////////////////////////////////////////////////////////////
If and only if I am correct, then rules number 7 in the input and output chains are responsible for this issue, in addition to the chain policy "DENY".

I deleted rule 7 from the input and output chains and added a couple of "ACCEPT" rules, and also changed the chains' policy, hoping to allow the DHCP requests in and the replies out:

///////////////////////////////////////////////////////////////////////////////////////////
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  anywhere              anywhere              n/a
DENY       all  ----l-  127.0.0.0/8           anywhere              n/a
ACCEPT     all  ------  192.168.0.0/24        anywhere              n/a
DENY       all  ----l-  192.168.0.0/24        anywhere              n/a
ACCEPT     all  ------  anywhere              leo.some.domain       n/a
ACCEPT     all  ------  anywhere              x.y.z.71              n/a
ACCEPT     all  ------  anywhere              anywhere              n/a
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.0.0/24        anywhere              n/a
DENY       all  ----l-  anywhere              anywhere              n/a
Chain output (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  anywhere              anywhere              n/a
ACCEPT     all  ------  anywhere              192.168.0.0/24        n/a
ACCEPT     !tcp ------  anywhere              BASE-ADDRESS.MCAST.NET/4   any ->   any
DENY       all  ----l-  anywhere              192.168.0.0/24        n/a
ACCEPT     all  ------  leo.casbec.com.eg     anywhere              n/a
ACCEPT     all  ------  x.y.z.71              anywhere              n/a
ACCEPT     all  ------  anywhere              anywhere              n/a
///////////////////////////////////////////////////////////////////////////////////////////

I know this is not the best setup from a security point of view, but I was just trying to figure out where the problem is. And yet it did not work: same behaviour, as if I hadn't changed a single line.

I tried /etc/init.d/networking restart
I tried kill -HUP {pid of inetd}
I tried reboot -> and only then there was a change: all the modifications I did with ipchains disappeared and it returned to its default rules.

It seems there is something that I don't understand about ipchains, or I got the whole thing wrong. In all cases I need help. Any ideas?
Thanks TuT
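The log lines and the input chain from the post above, modelled in Python as an added example (this is not part of TuT's post and not ipchains code): it parses the kernel "Packet log:" lines, names what each denied packet is, and walks the input chain the way the kernel does to show which rule a DHCP DISCOVER hits, first with the chain as listed and then with an accept rule for DHCP inserted ahead of the catch-all deny. Assumptions, marked in the code too: ipchains -L without -v hides interface bindings, so rule 1 is taken to be bound to lo and rule 3 to eth1 (a bare accept-all as rule 1 could never let a packet reach rule 7, which the log says it does); the public x.y.z addresses are stood in for by the documentation range 192.0.2.0/29; the ipchains -I command string is rendered from ipchains(8) syntax but not executed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: two of the /var/log/firewall lines quoted in the post
# (kernel 2.2 "Packet log:" format; the trailing "(#N)" is the rule that matched).
SAMPLE_LOG = """\
Jul 30 17:32:08 leo kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=53760 F=0x0000 T=128 (#7)
Jul 30 17:32:21 leo kernel: Packet log: input DENY eth1 PROTO=17 169.254.179.33:138 169.254.255.255:138 L=229 S=0x00 I=32770 F=0x0000 T=128 (#7)
"""
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\w+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)"
)
NET, ADDR = ipaddress.ip_network, ipaddress.ip_address

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: int
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    logged_rule: int

def parse_log(text: str) -> List[Packet]:
    """Pull the fields that ipchains -l writes out of each kernel 'Packet log:' line."""
    pkts = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            pkts.append(Packet(m["iface"], int(m["proto"]), ADDR(m["src"]), int(m["sport"]),
                               ADDR(m["dst"]), int(m["dport"]), int(m["rule"])))
    return pkts

def classify(p: Packet) -> str:
    """Name what a denied packet is, so the log can be triaged instead of eyeballed."""
    if (p.proto == 17 and p.sport == 68 and p.dport == 67
            and p.src == ADDR("0.0.0.0") and p.dst == ADDR("255.255.255.255")):
        return "dhcp-discover"      # client with no address yet, asking for a server
    if p.src in NET("169.254.0.0/16") and p.dport in (137, 138):
        return "apipa-netbios"      # Windows auto-configured address chatter; fine to keep denying
    return "other"

@dataclass(frozen=True)
class Rule:
    target: str
    iface: Optional[str] = None                     # None matches any interface
    proto: Optional[int] = None                     # None matches any protocol
    src: ipaddress.IPv4Network = NET("0.0.0.0/0")
    dst: ipaddress.IPv4Network = NET("0.0.0.0/0")
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and p.src in self.src and p.dst in self.dst
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))

LAN = NET("192.168.0.0/24")
# The post's input chain (policy DENY). Interface bindings are an ASSUMPTION: ipchains -L
# without -v hides them, and a bare accept-all as rule 1 could never let a packet reach
# rule 7 as the log shows. The post's x.y.z block is stood in for by 192.0.2.0/29.
INPUT_CHAIN = [
    Rule("ACCEPT", iface="lo"),                     # 1
    Rule("DENY", src=NET("127.0.0.0/8")),           # 2 (logged)
    Rule("ACCEPT", iface="eth1", src=LAN),          # 3 inside hosts on the inside interface
    Rule("DENY", src=LAN),                          # 4 (logged) inside addresses anywhere else
    Rule("ACCEPT", dst=NET("192.0.2.66/32")),       # 5 leo's own public address
    Rule("ACCEPT", dst=NET("192.0.2.71/32")),       # 6 public broadcast
    Rule("DENY"),                                   # 7 (logged) catch-all
]
# A DHCP client has no address yet, so rule 3 cannot match it. This rule, inserted as the
# new number 7 ahead of the catch-all, accepts exactly that broadcast and only on eth1.
DHCP_IN = Rule("ACCEPT", iface="eth1", proto=17, src=NET("0.0.0.0/32"),
               dst=NET("255.255.255.255/32"), sport=68, dport=67)

def first_match(chain: List[Rule], p: Packet) -> Tuple[Optional[int], str]:
    """Walk the chain like the kernel does: first matching rule wins, else the policy."""
    for n, rule in enumerate(chain, start=1):
        if rule.matches(p):
            return n, rule.target
    return None, "DENY"

def fixed_chain(position: int = 7) -> List[Rule]:
    c = list(INPUT_CHAIN)
    c.insert(position - 1, DHCP_IN)
    return c

def as_ipchains_command(rule: Rule, chain: str = "input", position: int = 7) -> str:
    """Render a Rule in ipchains(8) syntax (the string is built here, not executed)."""
    parts = ["ipchains", "-I", chain, str(position)]
    if rule.iface:
        parts += ["-i", rule.iface]
    if rule.proto is not None:
        parts += ["-p", {6: "tcp", 17: "udp"}.get(rule.proto, str(rule.proto))]
    parts += ["-s", str(rule.src)] + ([str(rule.sport)] if rule.sport else [])
    parts += ["-d", str(rule.dst)] + ([str(rule.dport)] if rule.dport else [])
    return " ".join(parts + ["-j", rule.target])

def triage(text: str = SAMPLE_LOG):
    """Per logged packet: its kind, the rule the kernel reported, and the verdicts before/after."""
    return [(classify(p), p.logged_rule, first_match(INPUT_CHAIN, p), first_match(fixed_chain(), p))
            for p in parse_log(text)]
```

Running triage() shows the DISCOVER going from (7, DENY) to (7, ACCEPT) while the 169.254 NetBIOS broadcast still falls through to the catch-all, now at position 8. Two caveats before editing the real rules: the reply path is separate (an offer from 192.168.0.1:67 to 255.255.255.255:68 is not covered by the output chain's accept for destination 192.168.0.0/24 either, so a mirror rule is needed there if dhcpd sends through the IP stack), and ISC dhcpd on Linux normally works on a packet socket that sits below the IP-layer hooks ipchains uses, so these denied lines can appear in the log even while a running dhcpd sees every DISCOVER; if opening the chain changes nothing, confirm that dhcpd is actually running and bound to eth1 before blaming the filter. Rules set with ipchains at the shell live only in the kernel; what comes back after a reboot is whatever the boot-time firewall script loads, so a permanent change belongs in that script.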