[KLUG Members] IPChains problem

members@kalamazoolinux.org members@kalamazoolinux.org
Tue, 11 Jun 2002 23:36:49 -0400

Previous message: [KLUG Members] IPChains problem
Next message: [KLUG Members] IPChains problem
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>> I think my problem is elsewhere. Let's take a look at my refined
>> ruleset:
>> #accept HTTP and FTP from anywhere, in and outbound 
>> # (http and ftp servers on the local host)
>> -A input -s $myip -d 0/0 80 -p tcp -b -j ACCEPT
>Try 
>-A input -s 0/0 1024: -d $myip 1024: -p tcp -b -j ACCEPT
>
>This should work well.  You do not have to worry about guarding
>against the syn attack since you are running a server and by
>definition have to be able to receive syn packets ....
>> -A input -s $myip -d 0/0 20 -p tcp -b -j ACCEPT
>> -A input -s $myip -d 0/0 21 -p tcp -b -j ACCEPT
>For ftp try 
>-A input -s 0/0 1024: -d $myip 21 -p tcp -j ACCEPT
>-A input -s $myip 20 -d 0/0 1024: -p tcp -j ACCEPT
>This will setup your server.  If you want to use the computer as an
>ftp client as well I would setup a second set of rules....
>This rule set would look like:
>-A input -s $myip 1024: -d 0/0 21 -p tcp -j ACCEPT
>-A input -s 0/0 20 -d $myip 1024: -p tcp -j ACCEPT
>
>I always want to be able to clearly tell what the script is doing.
Um, this is why I wanted to start with the OUTPUT chain. If we want to
limit what the shost is sending out into the world, this seems like a 
sensible place to start. I know, I'm to be told that the input chain 
easier to work with, but that's not the point. We are, after all dealing 
with output issues at some point.... perhaps I'll state that I expect to
like iptables for this reason, perhaps better than this.

>also copiously comment my rules.  
Right, can't have enough of those.
 
>> # accept DNS from my DNS server (TCP or UDP)
>> -A input -s $dns 53 -j ACCEPT
>Try
>-A input -s 0/0 1024: -s $dns 53 -p udp -b -j ACCEPT

>> -A input -l -j DENY
>> 
>> myip is my IP address.
>> dns  is the dns server address.
>By the way is the dns server behind the firewall server or is it
>another machine on the Internet??
It's elsewhere, in practice on the same class C or maybe one or two "over".

The theme that runs through your (tighter) rule rewrites is (merely) that you
consistantly block source ports below 1024. This in, in fact, the only change
you've made. That's fine, I see why; it's also a good doublecheck, since on
this go-round you didn't onject to anything else, and I understand the ruleset.

Thanks! I'll try it on the real server, and see what happens!

							Regards,
							---> RGB <---

Previous message: [KLUG Members] IPChains problem
Next message: [KLUG Members] IPChains problem
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]