[KLUG Members] IPChains problem

members@kalamazoolinux.org
Fri, 07 Jun 2002 10:16:55 -0400


This might seem like a trivial example to some, but since I'm 
fairly new to ipchains/iptables, I thought I would ask this
one, since [a] I need an answer, and [b] it's a good, fairly 
simple question that applies to ipchains and iptables, too (IMO).

What I want to do....
  I want to stop anything BUT http (80), ssh (22), DNS (53), ftp
(20/21), and ICMP messages (the consequences of blocking those
are fairly clear and nasty) from getting IN or OUT of this box.

  These rules seem to be really successful in keeping everything
else OUT:

-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s ! here 1027 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
-A input -s thedns 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT

Note: "here" is the ip address of the interface on the local 
machine, "thedns" is the primary dns server for this host. 

HOWEVER, these rules seem to fall very flat:

-A output -s here 80 -d 0/0 80 -p tcp -y -j ACCEPT
-A output -s here 21 -d 0/0 21 -p tcp -y -j ACCEPT
-A output -s here 22 -d 0/0 22 -p tcp -y -j ACCEPT
-A output -s here 53 -d 0/0 53 -p tcp -y -j ACCEPT
-A output -s here 53 -d 0/0 53 -p udp -j ACCEPT
-A output -s here 53 -d thedns 53 -p udp -j ACCEPT
-A output -s here 53 -d thedns -p tcp -j ACCEPT
-A output -s here -d 0/0 -p ! icmp -l -j REJECT

For some reason I thought it would be better to apply this
to the forward chain:

-A forward -s here 80 -d 0/0 -p tcp -y -j ACCEPT
-A forward -s here 21 -d 0/0 -p tcp -y -j ACCEPT
-A forward -s here 22 -d 0/0 -p tcp -y -j ACCEPT
-A forward -s here 53 -d 0/0 -p tcp -y -j ACCEPT
-A forward -s here 53 -d 0/0 -p udp -j ACCEPT
-A forward -s here 53 -d thedns -p udp -j ACCEPT
-A forward -s here 53 -d thedns -p tcp -j ACCEPT
-A forward -s here -d 0/0 -p ! icmp -j REJECT -l

Doesn't seem to help. I can STILL contact an NNTP (port 119)
server, for example, with either chain (or both) in place.

If anyone has any sage advice, show me where I've simply missed
the boat, or can otherwise reduce my evident ignorance, I'll
be in your debt... well, not forever, but for at least a really
long time...

						Regards,
						---> RGB <---
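Editor's note, added after the post above (this is not the poster's code and not an answer from the list): two details of ipchains matter for the output and forward chains shown. First, `-s here 80` matches the SOURCE port, but a client connection from this box leaves with an ephemeral source port and a DESTINATION port of 80, so rules written that way never match outbound client traffic; the destination port is the one to filter on. Second, in ipchains the forward chain is only traversed by packets being routed through the box, never by packets that originate on it, so rules placed there have no effect on local clients. The script below generates an iptables-restore ruleset (iptables is also named in the post; it has connection tracking, which ipchains lacks) for the policy the post describes: only ssh, http, ftp, DNS and ICMP in or out, everything else logged and refused. `IFACE` and `DNS_SERVER` are assumptions standing in for the post's `eth0` and `thedns`; the DNS address is a constructed TEST-NET placeholder.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset for the policy in the post.
# Assumptions (not from the post): IFACE is the outside interface,
# DNS_SERVER is the resolver the post calls "thedns" (constructed placeholder).
IFACE="${IFACE:-eth0}"
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"

gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback traffic is unrestricted.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections already allowed in either direction. This is what
# the fixed-source-port rules in the post were trying to express by hand.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP both ways: unreachables and path-MTU discovery depend on it.
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# Services this host offers: new inbound connections to ftp, ssh, http.
-A INPUT -i $IFACE -p tcp -m multiport --dports 21,22,80 -m conntrack --ctstate NEW -j ACCEPT
# Clients on this host: new outbound connections, matched on the
# DESTINATION port. The source port is ephemeral and must not be matched.
-A OUTPUT -o $IFACE -p tcp -m multiport --dports 20,21,22,80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $IFACE -d $DNS_SERVER -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $IFACE -d $DNS_SERVER -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Log (rate-limited) whatever falls through before the DROP policy takes it.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
# Local processes get an immediate error rather than a hanging connect();
# an NNTP client aiming at port 119 fails here.
-A OUTPUT -j REJECT
COMMIT
EOF
}

# Number of explicit rules, handy for a sanity check after loading.
rule_count() {
  gen_rules | grep -c '^-A'
}

# Print the ruleset. Parse it without applying:  gen_rules | iptables-restore --test
# and load it for real by dropping --test once it looks right.
gen_rules
```

Active-mode FTP data connections arrive from the server's port 20 to an ephemeral port on this host; conntrack only classifies them as RELATED when the `nf_conntrack_ftp` helper module is loaded, so load it (or use passive mode) before relying on the ftp rule. The `-d $DNS_SERVER` restriction mirrors the post's `thedns` rule; widen it to `0/0` if the resolver changes with the network.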