Ipchains and connection to ISP

To: debian-firewall@lists.debian.org
Subject: Ipchains and connection to ISP
From: Udo Klein <udo-michael.klein@kcl.ac.uk>
Date: Mon, 04 Apr 2005 12:21:44 +0100
Message-id: <[🔎] 42512348.6030206@kcl.ac.uk>

Hi everybody,

I connect to my ISP provider via a cable modem (dhclient gets thedynamic IP address). A few weeks ago I installed an (ipchains) firewall,which basically denies all requests from outside (I checked this bylooking at the logs). I could connect to the ISP, browse the net, etc.

However, since yesterday I cannot connect to the ISP anymore. Butstrangly, the connection is impossible only while the firewall is up andrunning. If I disable the firewall by "mv /etc/rcS.d/S39packetfilter/etc/rcS.d/_S39packetfilter" I CAN connect and browse the net!

Is this caused by some requests from the ISP provider (maybe whenchanging or assigning the dynamic IP address) being rejected by myipchains rules?


Can somebody please help me understand what's going on here? Thanks, Udo

PS: when installing the ipchains firewall I followed the instructionsfrom the "Security quick-strart howto for linux". The ipchains script Iuse is here:


#!/bin/sh
#
# ipchains.sh
#
# An example of a simple ipchains configuration.
#
# This script allows ALL outbound traffic, and denies
# ALL inbound connection attempts from the outside.
#
###################################################################
# Begin variable declarations and user configuration options ######
#
IPCHAINS=/sbin/ipchains
# This is the WAN interface, that is our link to the outside world.
# For pppd and pppoe users.
# WAN_IFACE="ppp0"
WAN_IFACE="eth0"

## end user configuration options #################################
###################################################################

# The high ports used mostly for connections we initiate and return
# traffic.
LOCAL_PORTS=`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f1`:\
`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f2`

# Any and all addresses from anywhere.
ANYWHERE="0/0"

# Let's start clean and flush all chains to an empty state.
$IPCHAINS -F

# Set the default policies of the built-in chains. If no match for any
# of the rules below, these will be the defaults that ipchains uses.
$IPCHAINS -P forward DENY
$IPCHAINS -P output ACCEPT
$IPCHAINS -P input DENY

# Accept localhost/loopback traffic.
$IPCHAINS -A input -i lo -j ACCEPT

# Get our dynamic IP now from the Inet interface. WAN_IP will be our
# IP address we are protecting from the outside world. Put this
# here, so default policy gets set, even if interface is not up
# yet.
WAN_IP=`ifconfig $WAN_IFACE |grep inet |cut -d : -f 2 |cut -d \ -f 1`

# Bail out with error message if no IP available! Default policy is
# already set, so all is not lost here.
[ -z "$WAN_IP" ] && echo "$WAN_IFACE not configured, aborting." && exit 1

# Accept non-SYN TCP, and UDP connections to LOCAL_PORTS. These are
# the high, unprivileged ports (1024 to 4999 by default). This will
# allow return connection traffic for connections that we initiate
# to outside sources. TCP connections are opened with 'SYN' packets.

$IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS ! -y -jACCEPT


# We can't be so selective with UDP since that protocol does not
# know about SYNs.
$IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS -j ACCEPT

## ICMP (ping)
#
# ICMP rules, allow the bare essential types of ICMP only. Ping
# request is blocked, ie we won't respond to someone else's pings,
# but can still ping out.
$IPCHAINS -A input -p icmp --icmp-type echo-reply \
-s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPCHAINS -A input -p icmp --icmp-type destination-unreachable \
-s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPCHAINS -A input -p icmp --icmp-type time-exceeded \
-s $ANYWHERE -i $WAN_IFACE -j ACCEPT

###################################################################
# Set the catchall, default rule to DENY, and log it all. All other
# traffic not allowed by the rules above, winds up here, where it is
# blocked and logged. This is the default policy for this chain
# anyway, so we are just adding the logging ability here with '-l'.
# Outgoing traffic is allowed as the default policy for the 'output'
# chain. There are no restrictions on that.

$IPCHAINS -A input -l -j DENY

echo "Ipchains firewall is up `date`."

##-- eof ipchains.sh

Reply to:

Follow-Ups:
- Re: Ipchains and connection to ISP
  - From: Phil Dyer <phil.dyer@cox.net>

Prev by Date: Firestarter 1.0.3 Policy modification greyed out?
Next by Date: Re: Ipchains and connection to ISP
Previous by thread: Firestarter 1.0.3 Policy modification greyed out?
Next by thread: Re: Ipchains and connection to ISP
Index(es):
- Date
- Thread