[KLUG Members] IPChains problem

Rusty Yonkers members@kalamazoolinux.org
Sun, 9 Jun 2002 20:56:56 -0700 (PDT)


> And since the packets I'm concerned about are coming from the machine
> we're talking about, it follows that the output chain is at least a
> legitimate place to place a rule, right?

No, not necessarily, because any packets from the outside first go
through the input chain, then the forward chain, then the output chain,
then to the firewall/server machine.  On the way out the packets go
through the input chain, the forward chain and then the output chain
again!  You can do it any place, but the input chain is the easiest to
keep things straight...

>
> >> >-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
> >This rule will allow your machine to contact any machine on port 80
> >from any source port and any machine to connect to your machine on
> >port 80 from any source port.
> Seems to be a prerequisite for running a web server.

Not exactly... you do not want conversations to your web server
coming in from something lower than port 1024.  That would be
abnormal and indicative of an attack.  As far as outbound traffic,
unless your machine is also surfing the net (which is not a good
thing for a secure server, especially since it would be most secure
to not even have X up and running) you will never have a conversation
where your machine is using anything other than port 80 for web, and
the client computers coming in to you will always be above 1023.  If
you need, I can include some packet sniffs so that you can understand
the negotiation and discussion better....

>
> >> >-A input -s 0/0 -d 0/0 20 -p tcp -y -j ACCEPT
> >> >-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
> >FTP is handled a little differently.  You would have a rule for port
> >21 on the destination which would be your machine and not all
> >machines ie
> >-A input -s 0.0.0.0/0 1024: -d $myip 21 -p tcp -j ACCEPT
> >and then another rule that the source is port 20 and the destination
> >is above 1024 like:
> >-A input -s $myip 20 -d 0.0.0.0/0 1024: -p tcp -j ACCEPT
> It would be nice, except we may be using this machine as an ftp
> client in addition to using it as a server.

Then you should include two additional rules that would be the flip
of these..... do not just open it up to everything.  If you need to
move files to this machine from another Linux box, you should use
sftp instead of straight ftp, though.  If you spend some time with
Ethereal you will see how easy it is to gather names and passwords
from ftp.

> >>>-A input -s thedns 53 -b -j ACCEPT
> >Again you want to limit the other machine to ports above 1023 for
> >initiating this conversation.  I would recommend structuring this
> >command as
> >-A input -b -s 0.0.0.0/0 1024: -d $thedns 53 -p udp -j ACCEPT
> Won't that make it hard to run DNS in and out of this machine?

No not at all.  The other machine will start the conversation above
1023 and send the request to port 53.  When your machine responds, it
will send out from port 53 and to the port above 1023 that the other
machine used to start the conversation.  This works fine....



=====
Truth is truth ... no matter what I think...
-----------------------------------------
Department of Redundancy Department
-----------------------------------------
Devoted RedHat fan...

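The exchange above turns on which packets the source-port-restricted ipchains rules actually admit: web clients must come from a port above 1023, the FTP data connection leaves from port 20 toward a high port, and the `-b` flag lets the DNS reply from port 53 pass back to the high port that started the query. The following simulator is an added example written for this page; it is not code from the thread or from ipchains itself. It parses rule lines in the syntax quoted above (`-A`, `-s`/`-d` with an optional port or `1024:` range, `-p`, `-y`, `-b`, `-j`), expands `$myip` and `$thedns` from constructed documentation addresses, and reports the verdict for a handful of constructed packets. The rule set is assumed: it is the poster's rules with the source restricted to `1024:` and the destination to `$myip`, as the reply recommends.

```python
"""Tiny simulator of ipchains-style input-chain rules (added example, not
from the thread).  Models -s/-d with optional port spec, -p, -y (SYN
only), -b (also match with source and destination swapped) and -j."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]
ANY_PORT: PortRange = (0, 65535)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # initial SYN, the only packet ipchains -y matches


@dataclass
class Rule:
    chain: str
    src: ipaddress.IPv4Network
    sport: PortRange
    dst: ipaddress.IPv4Network
    dport: PortRange
    proto: Optional[str]
    syn_only: bool
    bidir: bool
    target: str


def _parse_ports(spec: str) -> PortRange:
    """'80' -> (80, 80); '1024:' -> (1024, 65535); ':1023' -> (0, 1023)."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(spec), int(spec))


def _parse_net(spec: str) -> ipaddress.IPv4Network:
    if spec == "0/0":                      # ipchains shorthand for "anywhere"
        spec = "0.0.0.0/0"
    return ipaddress.ip_network(spec, strict=False)


def parse_rule(line: str, variables: Dict[str, str]) -> Rule:
    """Parse one '-A <chain> ...' line after substituting $name variables."""
    for name, value in variables.items():
        line = line.replace("$" + name, value)
    toks = shlex.split(line)
    chain, proto, target = "input", None, "DENY"
    src = dst = _parse_net("0/0")
    sport = dport = ANY_PORT
    syn_only = bidir = False
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            chain, i = toks[i + 1], i + 2
        elif t in ("-s", "-d"):
            net, i = _parse_net(toks[i + 1]), i + 2
            ports = ANY_PORT
            if i < len(toks) and not toks[i].startswith("-"):   # optional port spec
                ports, i = _parse_ports(toks[i]), i + 1
            if t == "-s":
                src, sport = net, ports
            else:
                dst, dport = net, ports
        elif t == "-p":
            proto, i = toks[i + 1].lower(), i + 2
        elif t == "-j":
            target, i = toks[i + 1].upper(), i + 2
        elif t == "-y":
            syn_only, i = True, i + 1
        elif t == "-b":
            bidir, i = True, i + 1
        else:
            raise ValueError(f"unsupported token {t!r}")
    return Rule(chain, src, sport, dst, dport, proto, syn_only, bidir, target)


def _one_way(r: Rule, p: Packet) -> bool:
    return (ipaddress.ip_address(p.src) in r.src and r.sport[0] <= p.sport <= r.sport[1]
            and ipaddress.ip_address(p.dst) in r.dst and r.dport[0] <= p.dport <= r.dport[1])


def matches(r: Rule, p: Packet) -> bool:
    if r.proto is not None and r.proto != p.proto:
        return False
    if r.syn_only and not p.syn:
        return False
    if _one_way(r, p):
        return True
    # -b: the same rule also applies with source and destination swapped
    return r.bidir and _one_way(r, Packet(p.dst, p.dport, p.src, p.sport, p.proto, p.syn))


def verdict(rules: List[Rule], p: Packet, chain: str = "input", policy: str = "DENY") -> str:
    """First matching rule in the chain wins; otherwise the chain policy."""
    for r in rules:
        if r.chain == chain and matches(r, p):
            return r.target
    return policy


# Constructed values: RFC 5737 documentation addresses stand in for $myip/$thedns.
VARS = {"myip": "192.0.2.10", "thedns": "192.0.2.53"}
RULES_TEXT = """
-A input -s 0/0 1024: -d $myip 80 -p tcp -y -j ACCEPT
-A input -s 0.0.0.0/0 1024: -d $myip 21 -p tcp -j ACCEPT
-A input -s $myip 20 -d 0.0.0.0/0 1024: -p tcp -j ACCEPT
-A input -b -s 0.0.0.0/0 1024: -d $thedns 53 -p udp -j ACCEPT
"""
RULES = [parse_rule(l, VARS) for l in RULES_TEXT.strip().splitlines()]


def check_examples() -> Dict[str, str]:
    """Verdicts for constructed packets illustrating the thread's cases."""
    client, resolver = "203.0.113.5", "198.51.100.2"
    cases = {
        "web-ok":        Packet(client, 40000, VARS["myip"], 80, "tcp", syn=True),
        "web-low-sport": Packet(client, 25, VARS["myip"], 80, "tcp", syn=True),
        "dns-query":     Packet(resolver, 5353, VARS["thedns"], 53, "udp"),
        "dns-reply":     Packet(VARS["thedns"], 53, resolver, 5353, "udp"),
        "ftp-data":      Packet(VARS["myip"], 20, client, 3000, "tcp"),
        "ftp-other-dst": Packet(client, 40001, "192.0.2.99", 21, "tcp"),
    }
    return {name: verdict(RULES, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, v in check_examples().items():
        print(f"{name:14s} {v}")
```

Running it shows the DNS reply accepted through the `-b` rule even though its source port is 53, which is the point of the last answer in the thread, and a web client arriving from source port 25 denied. The simulator is deliberately stateless, as ipchains itself is: `-y` matches only the initial SYN, so the rule set as written admits the connection request and nothing else of that flow.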