D&C Lug - Home Page
Devon & Cornwall Linux Users' Group


Re: [LUG] [OT] Sun bargains



Hi there

When the kernel changed from 2.2 to 2.4, the way of creating IP packet rules changed from ipchains to iptables. These are the tools used to set up how the kernel handles packets, so either will do. If you choose the right options you can compile a 2.4 kernel which still uses ipchains to set the filtering.

Because I run Debian stable (2.2 kernel) I have to use ipchains; the syntax is very similar to iptables. I think if you have a choice it is better to use iptables.

However, here is how my ipchains rules are set up on the P200 machine my home network uses as a gateway/router/firewall.

First, remember that IP forwarding has to be on.

There are three sets of rules you need to set up: 'input' for incoming packets, 'forward' for any packets which your machine forwards, and 'output' for any packets which your machine sends out.

The 'policies' are the default actions for each chain.

Obviously the 'input' rules are the most important, so I set the default action (policy) of this chain to DENY to drop the packet. Then I add rules which allow in the packets I want. The rules are checked before the policy is applied, so if a packet matches a rule then the rule's action applies. This would be ACCEPT for the packets we allow in.

So, if a packet does not match any rule it gets to the policy, which would deny it.
To figure out what to allow in, it is possible to add a final rule which DENYs all packets but also logs the packet's attempt to get in. If you decide that the packet type is OK then you can remove the final log rule and add a rule to ACCEPT those packets.


You can add each rule from the command line using the
#ipchains [parameters go here]
command.

When you have finished adding all of your rules you can save them all by using

#ipchains-save > /etc/ipchains.rules

which outputs all of the rules and saves them in the /etc/ipchains.rules file.

Then, after a reboot, instead of retyping each rule individually it is possible to import all of the rules from the file using
#ipchains-restore -f < /etc/ipchains.rules



I have attached my actual ipchains.rules file, but I've pasted it here so I could add comments to explain each rule. The rules in the file have been slightly updated since I wrote out the explanations.


/etc/ipchains.rules
--------------------------------------------------8<-----------------------------------

# default actions - I'm not sure allowing ALL output is advisable. DENY is better than REJECT because DENY drops the packet whereas REJECT sends back a response.
:input DENY
:forward DENY
:output ACCEPT


# allow in all icmp packets cos they are used for messaging
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT

# allow in tcp and udp packets from the 2 DNS servers - -p 6 is 'tcp' and 17 is 'udp' - thanks for the help simon!
-A input -s 194.152.64.34/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 194.152.64.34/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 17 -j ACCEPT


-A input -s 194.152.64.35/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 194.152.64.35/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 17 -j ACCEPT


# enable local loopback
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT

# allow the local network to speak to my squid proxy server which listens on port 3128
-A input -s 192.168.1.0/255.255.255.0 -d 192.168.1.1/255.255.255.255 3128:3128 -p 6 -j ACCEPT


# allow communication in to port 80 for squid to be able to web browse - i am going to add
# ! -y to stop requests for new connections on this port.
-A input -s 0.0.0.0/0.0.0.0 80:80 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT


# these next rules enable my workstation and my girlfriend's imac to collect and send email using freeserve's
# servers. it is a bit extreme to implement masquerading just so that email can be used - but i can't think
# of a neater way!?!?!?
# pop3 on freeserve's pop3 server
-A input -s 195.92.193.154/255.255.255.255 110:110 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
# smtp on freeserve's smtp server
-A input -s 195.92.193.153/255.255.255.255 25:25 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT


# accept all packets from the local network - and forward them and masquerade them behind
# the firewall machine.
-A input -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j ACCEPT
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ


# these enable ftp to work in passive mode - ftp is a pain because it requests back a connection to
# a seemingly random unprivileged port number. according to my new book 'hacking linux exposed' ftp
# is best avoided altogether - and sftp should be used - any pointers on how to set it up under debian
# would be gratefully received. i am now using rsync over ssh for backing up over the interweb.
-A input -s 0.0.0.0/0.0.0.0 21:21 -d 0.0.0.0/0.0.0.0 1024:65535 -i ppp0 -p 6 -j ACCEPT ! -y
-A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 -i ppp0 -p 6 -j ACCEPT ! -y


# allow connection on the https port - this was needed for internet banking.
-A input -s 0.0.0.0/0.0.0.0 443:443 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT ! -y

# i have since added a rule to allow newsgroup packets in...

--------------------------------------------------8<-----------------------------------

The rule which denies all packets and logs them is
#ipchains -A input -j DENY -l

('jump' to DENY; '-l' means log, which usually goes into /var/log/messages)

Hope this helps. If anyone can see any issues with the rules please let me know ASAP.

thanks

kev


Kelly Jones wrote:


Yes, I would love a copy of your rules as I have been meaning to lock down my box for ages. ipchains is used with the 2.4 kernel, is that correct?


On Monday 07 January 2002 23:01, you wrote:


Hi Matthew,

'Linux Complete' by Sybex has excellent sections on networking, masquerading and firewalls, and it's only 15 quid.

My firewall principle is this: block everything from getting through the firewall. On ipchains use DENY and not REJECT because DENY drops the packet whereas REJECT sends back a response.

Then let through only the traffic you want: responses to web page requests, email, newsgroups.

Finally I log everything which is being denied. Then when you have a problem, i.e. secure web pages are not working, you can look at the packets which were rejected (ah! packets to port 443/https) and then add a rule to allow them through.

Being this strict means that I don't worry too much about being connected nearly continuously at weekends, and also large overnight downloads are safe(r).

If you want I could send a copy of the ipchains rules I use as an example.

kev
MATTHEW BROWNING wrote:

Here's a happy New Year offer for you ;)

I'm sure a few of you will have heard of this already since it has
been going around a few MLs over the past week or so, but Sun
Microsystems are advertising servers with "24 * 900 MHz UltraSPARC
III Processors" on their website for less than eighty quid!!!

The offending page is here:

http://www.sun-catalog.com/partpricing.xml?site=GB_ENG&catalogue=FC&section=FC_SC&item=FC_SC_CAT&group=2&id=688

This becomes interesting because the Sale of Goods Act, here:

http://www.lawnet.com.sg/freeaccess/SGA.htm

may be interpreted to suggest an obligation for them to sell at that
price if you place an order before they get wise to their error
(which will be soon, I reckon).

Have fun. MB.

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.






:input DENY
:forward DENY
:output ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
-A input -s 194.152.64.34/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 194.152.64.34/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 17 -j ACCEPT
-A input -s 194.152.64.35/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 194.152.64.35/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A input -s 192.168.1.0/255.255.255.0 -d 192.168.1.1/255.255.255.255 3128:3128 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 80:80 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT ! -y
-A input -s 195.92.195.154/255.255.255.255 110:110 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 195.92.193.154/255.255.255.255 110:110 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 195.92.195.153/255.255.255.255 25:25 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 195.92.193.153/255.255.255.255 25:25 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 21:21 -d 0.0.0.0/0.0.0.0 1024:65535 -i ppp0 -p 6 -j ACCEPT ! -y
-A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 -i ppp0 -p 6 -j ACCEPT ! -y
-A input -s 0.0.0.0/0.0.0.0 443:443 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT ! -y
-A input -s 0.0.0.0/0.0.0.0 443:443 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT ! -y
-A input -s 0.0.0.0/0.0.0.0 22:22 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT ! -y
-A input -s 0.0.0.0/0.0.0.0 119:119 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
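The rule file above, and the thread's question of what changes on a 2.4 kernel, as an added example that is not part of kev's message or of the ipchains or iptables projects: a Python script that reads a file in the format `ipchains-save` writes, converts each policy and rule to its nearest iptables equivalent (MASQ becomes MASQUERADE in the nat table's POSTROUTING chain, `! -y` becomes `! --syn`, `-l` becomes a separate LOG rule before the DROP), and applies two checks of its own: an input-chain ACCEPT for TCP from any host without `! -y` lets the whole internet open new connections to that port, and a rule that trusts an RFC1918 source range without `-i` can be matched by spoofed packets arriving on the external link. `SAMPLE` is a constructed subset of the attached file; the `Rule` class, `audit`, `report`, `RFC1918` and the warning texts are this example's own, not anything ipchains or iptables provides.

```python
"""Audit an ipchains-save rule file and print the iptables (2.4 kernel) equivalents.
Added example for this thread; not part of the original post or of ipchains/iptables."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}
TARGET = {"DENY": "DROP", "MASQ": "MASQUERADE"}   # other targets keep their names
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample: a subset of the rule file attached to the post, as ipchains-save writes it.
SAMPLE = """\
:input DENY
:forward DENY
:output ACCEPT
-A input -s 194.152.64.34/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 17 -j ACCEPT
-A input -s 192.168.1.0/255.255.255.0 -d 192.168.1.1/255.255.255.255 3128:3128 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 80:80 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 443:443 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT ! -y
-A input -s 0.0.0.0/0.0.0.0 119:119 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
"""

@dataclass
class Rule:
    chain: str = ""
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    sport: Optional[str] = None
    dport: Optional[str] = None
    proto: Optional[str] = None
    iface: Optional[str] = None
    target: str = ""
    syn: Optional[bool] = None   # True: "-y" (SYN only); False: "! -y" (non-SYN only); None: any
    log: bool = False            # "-l": log matching packets

def parse_rule(line: str) -> Rule:
    """Parse one '-A chain ...' line; '!' negates the option that follows it."""
    toks, rule, i, negate = shlex.split(line), Rule(), 0, False
    while i < len(toks):
        t, arg, step = toks[i], toks[i + 1] if i + 1 < len(toks) else None, 2
        if t == "!":
            negate, step = True, 1
        elif t in ("-s", "-d"):
            net, port = ipaddress.ip_network(arg, strict=False), None
            nxt = toks[i + 2] if i + 2 < len(toks) else "-"
            if not nxt.startswith(("-", "!")):      # optional port or lo:hi range after the address
                lo, _, hi = nxt.partition(":")
                port, step = (lo if hi in ("", lo) else nxt), 3
            if t == "-s": rule.src, rule.sport = net, port
            else: rule.dst, rule.dport = net, port
        elif t == "-A": rule.chain = arg
        elif t == "-p": rule.proto = PROTO.get(arg, arg)
        elif t == "-i": rule.iface = arg
        elif t == "-j": rule.target = arg
        elif t == "-y": rule.syn, step = not negate, 1
        elif t == "-l": rule.log, step = True, 1
        else: raise ValueError(f"unsupported token {t!r} in: {line}")
        i, negate = i + step, negate if t == "!" else False
    return rule

def audit(rule: Rule) -> List[str]:
    found: List[str] = []   # this example's own checks; only input-chain ACCEPT rules let traffic in
    if rule.chain != "input" or rule.target != "ACCEPT":
        return found
    if rule.src == ANY and rule.proto == "tcp" and rule.syn is not False:
        found.append("accepts new inbound TCP connections from any host (no '! -y')")
    if rule.iface is None and any(rule.src.subnet_of(p) for p in RFC1918):
        found.append("trusts a private source range on every interface (spoofable from the external link)")
    return found

def to_iptables(rule: Rule) -> List[str]:
    """Nearest iptables equivalent; MASQ moves to the nat table's POSTROUTING chain."""
    cmd = ["iptables", "-t", "nat", "-A", "POSTROUTING"] if rule.target == "MASQ" else ["iptables", "-A", rule.chain.upper()]
    if rule.iface:   # on ipchains' forward/output chains "-i" names the interface the packet leaves by
        cmd += ["-o" if rule.chain in ("forward", "output") else "-i", rule.iface]
    for flag, value in (("-s", rule.src), ("-d", rule.dst), ("-p", rule.proto), ("--sport", rule.sport), ("--dport", rule.dport)):
        if value is not None and value != ANY:      # 0.0.0.0/0 is the iptables default, so omit it
            cmd += [flag, str(value)]
    if rule.syn is not None:
        cmd += ["--syn"] if rule.syn else ["!", "--syn"]
    log = [" ".join(cmd + ["-j", "LOG"])] if rule.log else []   # iptables logs via a separate LOG rule
    return log + [" ".join(cmd + ["-j", TARGET.get(rule.target, rule.target)])]

def report(text: str) -> List[str]:
    out: List[str] = []   # iptables commands for every policy and rule, findings as '# WARNING' lines
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith(":"):                    # ":chain POLICY"
            chain, policy = line[1:].split()
            out.append(f"iptables -P {chain.upper()} {TARGET.get(policy, policy)}")
        else:
            rule = parse_rule(line)
            out += to_iptables(rule) + [f"  # WARNING: {f}" for f in audit(rule)]
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run against `SAMPLE` it flags the port 80 and port 119 rules (no `! -y`, so anyone on the internet can open a connection from source port 80 or 119 to any local port) and the squid rule (trusted 192.168.1.0/24 with no interface restriction). The `! --syn` lines are only the closest literal translation: on a 2.4 kernel iptables connection tracking (`-m state --state ESTABLISHED,RELATED -j ACCEPT`) expresses "replies to connections this box opened" directly and is the usual replacement for the whole family of `! -y` rules, including the passive FTP ones.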
