
Re: ipchains for the firewall challenged



On 07/26/01 20:20:05 -0700, Vineet Kumar wrote:

> I notice you've already applied another solution, but I hope I can
> provide some direction should you (or anyone else) decide they'd like
> to do it yourself:
> 
> I have found that the most useful thing in setting up ipchains or
> iptables is to see and understand the diagrams representing packet
> flow in the kernel code. Maybe that's not for everyone, and I'm more
> of a visual learner (or something). Anyway, for ipchains, it looks
> like this:

<<< Diagram snipped >>>

> It's a little burly for your purposes. All you're talking about is a
> packet filter, with no forwarding (and hence no masquerading, etc.) So
> let's take out what's unimportant and reduce it to this:

Yeah, I had read through the IPChains Howto, and I think I got some of
the fundamentals down. I tend to learn by example, so as a newbie, I
had some trouble applying what was going on with the real-world
example given in the howto to my own needs.

>         ---------------------------------------------------------------
>         |            ACCEPT/                             lo interface |
>         v           REDIRECT                                          |
> --> C --> S --> ______ -->  --> ~~~~~~~~                   _______ -->
>     h     a    |input |        {Routing }                 |output |ACCEPT
>     e     n    |Chain |        {Decision}             --->|Chain  |
>     c     i    |______|         ~~~~~~~~              |   |_______|
>     k     t       |               |                   |       |
>     s     y       |               |                   |       |
>     u     |       v               v                   |       v
>     m     |     DENY/         Local Process           |     DENY/
>     |     v    REJECT             |                   |    REJECT
>     |   DENY                      ---------------------
>     v
>    DENY
> 
> That's a bit more manageable, no? All you need to worry about are the
> input and output chains. I'm going to recommend a very simple ruleset
> for you; no need to mess around with all kinds of user-defined chains.
> You might want (after reading some more and getting the hang of what's
> going on here) to add some logging capabilities to the setup, but for
> now, let's just roll a simple script:

Ah, yes. That was one of the problems I had. The example revolved
around forwarding packets, which then quickly got out of hand for me
when trying to figure out what I needed to do. I think I understood
most of what was being discussed, and when I do get around to setting
up a gateway machine for my home network (coming soon), I'll draw from
it. I think I'll go back and re-read it and focus on what each one was
trying to accomplish.

> (I've been (happily) immersed in the iptables world and haven't used
> ipchains in a while (and don't have a machine to test it on, either),
> so if it has a couple of syntactical glitches in it, please bear with
> me.)

No problem, just a great big "thank you" for taking the time to
explain this to me and others.

<<< firewall script snipped >>>

Thanks again, I've already added your message to my Saved folder!
-- 
Mark Wagnon <mwagnon1@home.com>
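The script Vineet sent was snipped from the reply above, so what follows is an added example of the kind of host-only ruleset the quoted text describes (only the input and output chains, no forwarding, no user-defined chains). It is not the original script from the thread. The interface name (eth0), host address (192.0.2.10, from the documentation range) and exposed TCP port (22) are assumptions; set EXT_IF, MY_IP and OPEN_TCP for your own box. Applying the rules needs root and an ipchains-era (2.2) kernel; with DRY_RUN=1 the script only prints the commands it would run, which is how you check the rule order before loading it.

```shell
#!/bin/sh
# Host-only ipchains ruleset: added example, not the script from the thread.
# Only the input and output chains are used, matching the reduced diagram.

DRY_RUN="${DRY_RUN:-0}"            # 1 = print the rules instead of loading them
EXT_IF="${EXT_IF:-eth0}"           # assumed external interface
MY_IP="${MY_IP:-192.0.2.10}"       # assumed host address (RFC 5737 documentation range)
OPEN_TCP="${OPEN_TCP:-22}"         # assumed TCP services to expose, space-separated

# Wrapper so the same function body serves both preview and real loading.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

fw_start() {
    # Start clean: flush both chains, default-deny inbound, allow outbound.
    run -F input
    run -F output
    run -P input DENY
    run -P output ACCEPT

    # Loopback must stay open or local services (DNS cache, X, etc.) break.
    run -A input -i lo -j ACCEPT

    # Anti-spoofing: nobody on the wire may claim to be us or 127.0.0.0/8.
    # -l logs the match so spoof attempts show up in the kernel log.
    run -A input -i "$EXT_IF" -s "$MY_IP" -l -j DENY
    run -A input -i "$EXT_IF" -s 127.0.0.0/8 -l -j DENY

    # ipchains has no connection tracking, so replies to connections we
    # opened are approximated as TCP packets without the SYN flag (! -y).
    run -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # Services deliberately exposed: new connections (SYN) to these ports.
    for port in $OPEN_TCP; do
        run -A input -i "$EXT_IF" -p tcp -d "$MY_IP" "$port" -j ACCEPT
    done

    # ICMP carries path-MTU and error reports; keep it open on a simple host.
    run -A input -i "$EXT_IF" -p icmp -j ACCEPT

    # UDP has no SYN to key on: allow DNS answers (source port 53) only to
    # unprivileged local ports, which is where the resolver sends from.
    run -A input -i "$EXT_IF" -p udp -s 0/0 53 -d "$MY_IP" 1024:65535 -j ACCEPT

    # Anything else is logged and dropped; the DENY policy would catch it
    # anyway, but the explicit rule gives a log line for debugging.
    run -A input -i "$EXT_IF" -l -j DENY
}

fw_stop() {
    # Open everything back up (for example while debugging a lockout).
    run -F input
    run -F output
    run -P input ACCEPT
    run -P output ACCEPT
}

# Dry run in a subshell so DRY_RUN does not leak into the caller.
fw_preview() {
    ( DRY_RUN=1; fw_start )
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    preview) fw_preview ;;
esac
```

Two things worth checking in the preview output before loading it for real: the loopback ACCEPT must come before any DENY, and the `! -y` rule must come before the per-port rules or established connections will work while new ones fail for no obvious reason. Rule order is everything in a stateless filter like ipchains, since the first match wins.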