Re: ipchains for the firewall challenged

[Vineet Kumar <debian-user@virtual.doorstop.net>]

* Mark Wagnon (mwagnon1@home.com) [010722 00:24]:
> Hi all,
> 
> I'm playing around with ipchains, but I'm just not getting the
> example given in the IPCHAINS-HOWTO. It's based on a system that's
> forwarding packets, but I'm not doing that. All I have is a single box
> connected to the world with a cable modem connected to eth0.
> 
> It doesn't seem to be that difficult, and I'm feeling really stupid
> for not being able to figure it out. I think what has me confused is
> the HOWTO author's use of user-defined chains and then compounding the
> difficulty is that he has set up most (all?) jumps from the forward
> chain.
> 
> Are there any docs for the simple minded? I've searched on Google and
> have found a lot of examples pertaining to forwarding.

I notice you've already applied another solution, but I hope I can
provide some direction should you (or anyone else) decide they'd like
to do it yourself:

I have found that the most useful thing in setting up ipchains or
iptables is to see and understand the diagrams representing packet
flow in the kernel code. Maybe that's not for everyone, and I'm more
of a visual learner (or something). Anyway, for ipchains, it looks
like this:

        ----------------------------------------------------------------
        |            ACCEPT/                              lo interface |
        v           REDIRECT                  _______                  |
--> C --> S --> ______ --> D --> ~~~~~~~~ -->|forward|----> _______ -->
    h     a    |input |    e    {Routing }   |Chain  |     |output |ACCEPT
    e     n    |Chain |    m    {Decision}   |_______| --->|Chain  |
    c     i    |______|    a     ~~~~~~~~        |     | ->|_______|
    k     t       |        s       |             |     | |     |
    s     y       |        q       |             v     | |     |
    u     |       v        e       v            DENY/  | |     v
    m     |     DENY/      r   Local Process   REJECT  | |   DENY/
    |     v    REJECT      a       |                   | |  REJECT
    |   DENY               d       --------------------- | 
    v                      e -----------------------------
   DENY


that's taken from section 4.1 of the ipchains howto, which
describes in far more detail. Please go read it!
http://www.google.com/search?q=ipchains+howto+4.1&btnI=I

It's a little burly for your purposes. All you're talking about is a
packet filter, with no forwarding (and hence no masquerading, etc.) So
let's take out what's unimportant and reduce it to this:


        ---------------------------------------------------------------
        |            ACCEPT/                             lo interface |
        v           REDIRECT                                          |
--> C --> S --> ______ -->  --> ~~~~~~~~                   _______ -->
    h     a    |input |        {Routing }                 |output |ACCEPT
    e     n    |Chain |        {Decision}             --->|Chain  |
    c     i    |______|         ~~~~~~~~              |   |_______|
    k     t       |               |                   |       |
    s     y       |               |                   |       |
    u     |       v               v                   |       v
    m     |     DENY/         Local Process           |     DENY/
    |     v    REJECT             |                   |    REJECT
    |   DENY                      ---------------------
    v
   DENY

That's a bit more manageable, no? All you need to worry about are the
input and output chains. I'm going to recommend a very simple ruleset
for you; no need to mess around with all kinds of user-defined chains.
You might want (after reading some more and getting the hang of what's
going on here) to add some logging capabilities to the setup, but for
now, let's just roll a simple script:

(I've been (happily) immersed in the iptables world and haven't used
ipchains in a while (and don't have a machine to test it on, either),
so if it has a couple of syntactical glitches in it, please bear with
me.)

#!/bin/sh
# Very simple ipchains script
# for use with one machine connected to the Internet on eth0
# no forwarding, no masquerading, just a packet filter.
# I assume you're not running any services (webserver, mailserver,
# dns, etc.)

IPCHAINS=/usr/sbin/ipchains
EXT_IF=eth0


# some clean-up
$IPCHAINS -X
$IPCHAINS -F input
$IPCHAINS -F forward
$IPCHAINS -F output
$IPCHAINS -P input DENY
$IPCHAINS -P forward DENY
$IPCHAINS -P output ACCEPT
$IPCHAINS -Z

# Now all incoming packets are dropped. Let's allow some essentials.
$IPCHAINS -A input -i lo -j ACCEPT         # accept loopback traffic
$IPCHAINS -A input -p icmp -j ACCEPT       # accept icmp
# accept return traffic from outgoing tcp connections (no syn flag)
$IPCHAINS -A input -p tcp ! -y -j ACCEPT
# accept udp packets to unprivileged ports (return traffic)
$IPCHAINS -A input -p udp --dport 1024: -j ACCEPT

<EOF>

That's it! Good luck with it. Ask about anything you don't understand,
including how I came up with it. Others, feel free to comment on how
it might have been done differently (better).

If you are running other services, you can add them right below there,
with lines like

$IPCHAINS -A input -p udp --dport 53 -j ACCEPT
$IPCHAINS -A input -p tcp --dport 53 -j ACCEPT
(a dns example)

or 
$IPCHAINS -A input -p tcp --dport 113 -j ACCEPT
(identd)

You get the idea.

Vineet

Attachment: pgp78ZhiOZVPK.pgp
Description: PGP signature