[KLUG Members] IPChains problem

members@kalamazoolinux.org members@kalamazoolinux.org
Mon, 10 Jun 2002 16:30:58 -0400


>>>And since the packets I'm concerned about are coming from the
>>>machine
>>>we're talking about, it follows that the output chain is at least a
>>>legitimate place to place a rule, right?
>>No not necessarily because any packets from the outside first go
>>through the input chain.....

In reading the thread, it is clearer to me now.  The services are running ON the
edge device.  The term "firewall" caused me to ass-u-me that they were inside.

>Once again, we seem to be losing the context of this problem, which is 
>specific in nature, not a general or philosophical issue.
>The Problem:
>1. Restrict access from outside to the services we support.

INPUT CHAIN

>2. Prevent any packets that are produced on the server other than 
>   those involved in the above services from leaving, and log them.

OUTPUT CHAIN

Is the device 'forwarding' any traffic?

>>>>>>-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
>>>>This rule will allow your machine to contact any machine on port 80
>>>>from any source port and any machine to connect to your machine on
>>>>port 80 from any source port. 
>>>Seems to be a prerequisite for running a web server.
>>not exactly .... you do not want conversations to your web server
>>coming in from something lower than port 1024. That would be
>>abnormal and indicative of an attack....
>So a connection on port 80 is an attack?

Huh?  No longer aware who posted what.  I'd make it like
-I INPUT -s 0/0 -d {MYIP}/24 -p tcp -j ACCEPT

Where does "-y" come from?  My iptables says that is an unknown arg.  (Reminds
me of the pirate on the Simpsons).

>I have the same comments for the other proposals, as well. Servers listen on
>ports, like 20, 53, etc.... and the commands you propose appear to block
>them. I guess I simply do not understand this at all....

?

Set the default policy on input to drop and do the above for each service you
want to access.  You may have to add an entry for both the inside and outside
interface if you want to use it from internal clients.
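An added example, not code from anyone in this thread: the two stated goals written as an iptables ruleset (the ipchains `-y` of the quoted rule becomes iptables `--syn`), assuming sshd (22) and httpd (80) are the supported services on the edge box and eth0 is its outside interface. With IPT unset the script only prints the rules; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example for the KLUG thread, not the poster's rules. Assumed:
# services 22 and 80 on the edge box itself, outside interface eth0.
IPT="${IPT:-echo iptables}"     # "echo iptables" = dry run
EXT_IF="${EXT_IF:-eth0}"
SERVICES="${SERVICES:-22 80}"

# Emit (or apply) the ruleset for the given space-separated TCP port list.
build_rules() {
    services="${1:-$SERVICES}"
    $IPT -F INPUT
    $IPT -F OUTPUT
    # Goal 1: default deny inbound. Accept only new connections to the
    # supported services (--syn = SYN set, ACK/RST/FIN clear, i.e. the
    # ipchains -y) plus packets of connections already accepted.
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in $services; do
        # A client normally connects from an ephemeral port; a source port
        # below 1024 is abnormal, as the thread notes, so drop it first.
        $IPT -A INPUT -i "$EXT_IF" -p tcp --sport 0:1023 --dport "$port" --syn -j DROP
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$port" --syn -j ACCEPT
    done
    # Goal 2: default deny outbound. Replies from the services belong to
    # ESTABLISHED connections; anything else the box produces is logged
    # (see kernel log / syslog for the prefix) and then dropped.
    $IPT -P OUTPUT DROP
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -j LOG --log-prefix "OUTPUT-DENY: "
    $IPT -A OUTPUT -j DROP
}

# Number of iptables commands the ruleset contains for a port list
# (dry-run mode only; useful to sanity-check the generated set).
count_rules() {
    IPT="echo iptables" build_rules "$1" | grep -c '^iptables '
}

build_rules
```

Because OUTPUT defaults to DROP, anything the server itself initiates (DNS lookups, package updates) is also logged and dropped; add explicit OUTPUT ACCEPT rules for those before the LOG rule if the box needs them.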