
Re: [seul-edu] IPCHAINS?



OK, Ryan. Just to be clear, I'm assuming that if you don't firewall (that
is, set all policies to accept), everything works just fine. If I'm making
the wrong assumption here, then you may have other problems I am missing in
this review.

Also ... while I'm a fan of seul-edu, I don't think of it as a list that's
exactly brimming over with firewalling expertise. You might think about
trying other places for advice. You don't mention which Linux distribution
you use, but you might see if it has a firewall group (Debian, for example,
has the debian-firewall list). The Linux Router Project (www.linuxrouter.org
or lrp.c0wz.com) is actually a specialized distribution designed for
router/firewall applications, but many of its resources are of general value.

I'll assume you already know about the Firewall HowTo and the Ipchains
HowTo. There is an Open Source project, Seattle Firewall ("Seawall"), hosted
at Sourceforge (Don't have the exact URL; sorry) that you might want to look at.

Now ... on to your ruleset. (BTW, of equal help to the commands you are
using to set the rules would be a list of the actual rules in place. Do this
with "ipchains -L -n". It would also help to know what sorts of failures you
are experiencing and what the logs are telling you, if anything.)

>/sbin/ipchains -A forward -i  eth1 -s 192.168.0.0/255.255.0.0 -j MASQ

I'd recommend that you match the address range here with what is actually on
the internal interface (i.e., 192.168.0.0/24, not 192.168.0.0/16), as you do
in the old, working ruleset. Especially since you use addresses in the
192.168.0.0/16 range on the other interface. Since you're telling the
router/firewall to MASQ 192.168.1.1 (your default route address) here, I'm
really unsure what will happen ... but this *could* be the source of your
problem.

>/sbin/ipchains -A input -i eth1 -d 192.168.0.0/255.255.0.0 -j bad-if

Again, I'd match this to whatever network and netmask the external interface
actually uses (might be 192.168.1.0/24, but check your routing table for the
actual netmask you use -- it can be anything from /24 to /30, or it might
even be 192.168.1.2/32).

Beyond that, I don't see any general problems in your setup. You may run
into specific problems with specific traffic, depending on what you intend
to allow, what to block, but for help at that level we'd need to know lots
more about what you intend.

At 11:22 AM 6/30/00 -0400, Ryan Booz wrote:

>Now, however, I would like to make things a lot more secure.  I'm
>working from a revised copy of some examples my friend gave me and I
>can't seem to get something right with the INPUT chain.  Here's the
>deal, I have an ISDN router (192.168.1.1) that connects to the
>internet.  Its LAN connection goes directly to the second ethernet card
>on my firewall (ETH1 - 192.168.1.2).  Inside the firewall the first
>ethernet card (ETH0 - 192.168.0.2) is connected to the internal network
>(which obviously is a 192.168.0 network).
>
>I think my problem is that I'm not specifying correctly what the INPUT
>chain rule should be looking for.  I think it should be looking for
>packets destined 192.168.1 packets to forward to the internal network.
>Everything else should be denied.  At the moment, MASQ only works if I
>set the default INPUT policy to ACCEPT and really don't filter
>anything... not very secure obviously.
[details deleted]


--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA                                    ray@comarre.com
----------------------------------------------------------------
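As an added example (not part of Ray's reply or the original thread), the following POSIX shell script tests which addresses a rule's `-s` range actually covers, which makes the /16 versus /24 point above concrete: the rule as posted catches the ISDN router (192.168.1.1) and the external interface (192.168.1.2), while 192.168.0.0/24 catches only the internal side. The addresses are the ones from the thread; the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example: check whether an address falls inside the source range of an
# ipchains rule.  Ranges may be written as ipchains accepts them, either with a
# dotted netmask (192.168.0.0/255.255.0.0) or a prefix length (192.168.0.0/24).
# Pure POSIX sh arithmetic (64-bit), no external tools beyond tr.

# Convert a dotted-quad address into a 32-bit integer.
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return a netmask as an integer; accepts "16" or "255.255.0.0".
mask2int() {
    case "$1" in
        *.*) ip2int "$1" ;;
        *)   echo $(( (1 << 32) - (1 << (32 - $1)) )) ;;
    esac
}

# in_range ADDR NET/MASK -> exit status 0 if ADDR is covered by NET/MASK.
in_range() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    mask=$(mask2int "${2#*/}")
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# check_rule RANGE ADDR... -> one line per address saying whether the rule's
# source range would match it.
check_rule() {
    range=$1; shift
    for a in "$@"; do
        if in_range "$a" "$range"; then
            echo "$a matches $range"
        else
            echo "$a outside $range"
        fi
    done
}

# Addresses from the thread: internal card (eth0), ISDN router, external card (eth1).
# First the /16 range as posted, then the /24 range Ray recommends.
check_rule 192.168.0.0/255.255.0.0 192.168.0.2 192.168.1.1 192.168.1.2
check_rule 192.168.0.0/24          192.168.0.2 192.168.1.1 192.168.1.2
```

The same check applies to the `bad-if` rule: test the external interface's real netmask (anything from /24 down to a single /32 host) against the range you are about to filter before loading it.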