[KLUG Members] IPChains problem

Rusty Yonkers members@kalamazoolinux.org
Sat, 8 Jun 2002 20:11:31 -0700 (PDT)


As I look at this more I can see some of the problems that both my
students and I were having before "The Master" taught us what was
what. It was stuff I should have realized right away.

The main problem is a lack of understanding of the way that the
communication occurs in TCP/IP.  Let's use web as an example.  When
your workstation starts a conversation, your computer will send a
message out with a source port somewhere above 1024 (1 through 1023
are the "well known" ports).  The destination port will be port 80,
the well known port for web.  The web server is listening on port 80
and so will hear the message.  It will then respond back to your
workstation.  The source port (this time this is the web server) is
port 80 and the destination port is the port in the upper regions
that your machine initially sent the message from.   So for the
conversation to be let through you would need two rules (unless you
used the -b switch, which is not always recommended; more on that
later).  The first rule will allow your source address with a port
above 1023 to go to the destination port of 80, most likely to any
IP address.  So the command would be

ipchains -A input -s xxx.xxx.xxx.xxx 1024: -d 0.0.0.0/0 80 -p tcp -j ACCEPT

The second rule would allow any port 80 address to send to your
machine at something above 1023.  The rule would be

ipchains -A input -s 0.0.0.0/0 80 -d xxx.xxx.xxx.xxx 1024: ! -y -p tcp -j ACCEPT

This would let that conversation through.  If you notice, there is
also a ! -y in this command.  This stands for "not a SYN packet".  The
reason for this is that, unless you are a server, you should be the
one initiating all conversations in tcp never the other person.  All
tcp conversations are started with a SYN.  You want to allow the SYN
out but not back.  This protects against known hacks.  This is why
with tcp you do not want to use the -b switch.  The -b switch does
not perform this block.  You do not have to worry about SYN packets
with udp conversations (like DNS lookups) because udp is
connectionless and never starts with a SYN.  

There are some protocols, like ftp, that get a little more crazy
because they do not follow the same type of conversation, but this
will cover most of the rules.

Oh, by the way, if you ever want to log all DNS lookups so that you
can tell where people are going just put a rule near the top of the
chain that says 

ipchains -A input -s xxx.xxx.xxx.xxx 1024: -d yyy.yyy.yyy.yyy 53 -p udp -b -l -j ACCEPT
 
yyy.yyy.yyy.yyy is your DNS server.  This will log all of these
packets in /var/log/messages and then you can just look them up!
hehehe big brother is watching!  And notice the -b switch in this one:
it is udp, so there are no SYN packets to worry about!


--- Richard Zimmerman <richard@knbpower.com> wrote:
> > -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
> > -A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
> > -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
> > -A input -s ! here 1027 -p tcp -y -j REJECT
> > -A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
> > -A input -s thedns 53 -d 0/0 -p udp -j ACCEPT
> > -A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
> > -A input -s 0/0 -d 0/0 -p udp -j REJECT
> > If anyone has any sage advice, show me where I've simply missed
> > the boat, or can otherwise reduce my evident ignorance, I'll
> > be in your debt... well, not forever, but for at least a really
> > long time...
> 
>    It's always been my understanding (but hey, I've been wrong
> before) that if you want the rule applied in BOTH directions, use
> -b before the -j ACCEPT.
> 
>    Remember though, this is coming from a guy that needs to pick up
> a book on firewalls because as hard as I'm trying to understand
> them, I'm still clueless.....
> 
>    Goose
> 


=====
Truth is truth ... no matter what I think...
-----------------------------------------
Department of Redundancy Department
-----------------------------------------
Devoted RedHat fan...
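As an added illustration of the two-rule TCP conversation and the ! -y check described in the message above (this is example code written for this page, not code from the post or from the ipchains project), the following Python models how a firewall's input chain evaluates packets first-match: -y means SYN set with ACK and FIN clear, "! -y" is its negation, -b is modelled as a second rule with source and destination swapped, and -l appends a line to a list standing in for /var/log/messages. The workstation and DNS server addresses are constructed stand-ins for the post's xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy placeholders, and the chain policy is assumed to be DENY.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed stand-ins for the post's xxx.xxx.xxx.xxx (workstation) and
# yyy.yyy.yyy.yyy (DNS server); not addresses from the original message.
WORKSTATION = "192.168.1.10"
DNS_SERVER = "192.168.1.1"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                      # "tcp" or "udp"
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN", "ACK"}

def is_syn(pkt):
    """ipchains -y semantics: SYN set, ACK and FIN clear (a new connection request)."""
    return pkt.proto == "tcp" and "SYN" in pkt.flags and not ({"ACK", "FIN"} & pkt.flags)

def parse_ports(spec):
    """'80' -> (80, 80); '1024:' -> (1024, 65535); ':1023' -> (0, 1023)."""
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(spec), int(spec))

def parse_net(spec):
    # ipchains accepts "0/0" as shorthand for "anywhere"
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)

@dataclass(frozen=True)
class Rule:
    src: str
    sport: str
    dst: str
    dport: str
    proto: str
    target: str
    syn: Optional[bool] = None  # True for -y, False for "! -y", None if not given
    log: bool = False           # -l

    def matches(self, pkt):
        slo, shi = parse_ports(self.sport)
        dlo, dhi = parse_ports(self.dport)
        return (self.proto == pkt.proto
                and ipaddress.ip_address(pkt.src) in parse_net(self.src)
                and ipaddress.ip_address(pkt.dst) in parse_net(self.dst)
                and slo <= pkt.sport <= shi and dlo <= pkt.dport <= dhi
                and (self.syn is None or is_syn(pkt) == self.syn))

def expand(rule, bidirectional=False):
    """-b adds a mirrored copy (src/dst swapped) that keeps the same SYN condition,
    which is why -b cannot express "SYN allowed out but not back"."""
    if not bidirectional:
        return [rule]
    mirror = replace(rule, src=rule.dst, sport=rule.dport, dst=rule.src, dport=rule.sport)
    return [rule, mirror]

def evaluate(chain, pkt, policy="DENY", log=None):
    """First match wins; unmatched packets get the chain policy. -l rules append
    a line to `log`, standing in for /var/log/messages."""
    for rule in chain:
        if rule.matches(pkt):
            if rule.log and log is not None:
                log.append(f"{rule.target} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return rule.target
    return policy

# The post's three rules, in order, on the firewall's input chain.
INPUT_CHAIN = (
    # ipchains -A input -s WS 1024: -d 0.0.0.0/0 80 -p tcp -j ACCEPT
    expand(Rule(WORKSTATION, "1024:", "0.0.0.0/0", "80", "tcp", "ACCEPT"))
    # ipchains -A input -s 0.0.0.0/0 80 -d WS 1024: ! -y -p tcp -j ACCEPT
    + expand(Rule("0.0.0.0/0", "80", WORKSTATION, "1024:", "tcp", "ACCEPT", syn=False))
    # ipchains -A input -s WS 1024: -d DNS 53 -p udp -b -l -j ACCEPT
    + expand(Rule(WORKSTATION, "1024:", DNS_SERVER, "53", "udp", "ACCEPT", log=True),
             bidirectional=True)
)

def walk_conversations(chain=INPUT_CHAIN):
    """Push a web conversation, a stray inbound SYN and a DNS lookup through the
    chain; returns the verdicts and the lines the -l rule logged."""
    web, ws = "203.0.113.5", WORKSTATION  # constructed remote web server
    log = []
    verdicts = {
        "syn_out":   evaluate(chain, Packet(ws, 33000, web, 80, "tcp", frozenset({"SYN"})), log=log),
        "synack_in": evaluate(chain, Packet(web, 80, ws, 33000, "tcp", frozenset({"SYN", "ACK"})), log=log),
        "data_in":   evaluate(chain, Packet(web, 80, ws, 33000, "tcp", frozenset({"ACK"})), log=log),
        # a fresh connection request arriving from port 80: "! -y" refuses it
        "syn_in":    evaluate(chain, Packet(web, 80, ws, 33000, "tcp", frozenset({"SYN"})), log=log),
        "dns_out":   evaluate(chain, Packet(ws, 5000, DNS_SERVER, 53, "udp"), log=log),
        "dns_reply": evaluate(chain, Packet(DNS_SERVER, 53, ws, 5000, "udp"), log=log),
    }
    return verdicts, log
```

Calling walk_conversations() shows the outbound SYN, the SYN/ACK reply and later data all ACCEPTed by the two TCP rules, while the same server sending a bare SYN to the workstation's high port falls through "! -y" to the DENY policy. The two UDP DNS packets are accepted by the -b pair and both appear in the returned log list, which is the "big brother" effect of -l in the post.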
