
Re: ipchains firewalling question



> Yes.  It's a protocol which allows a system to ask a system with which
> it has a TCP connection to give it some information about who's on the
> other end of that connection.  This is useful for auditing purposes,
> although you can only trust the information as much as you can trust the
> remote site (and some sites refuse to give out any useful information).

Thanks for mentioning that.  I had absolutely no clue about it.  How's
this? 

# allow ident connections (ident is 113/tcp; ipchains only accepts a port
# specification when the protocol is given with -p)
ipchains -A input  -p tcp -d 0/0 113 -j ACCEPT
ipchains -A output -p tcp -s 0/0 113 -j ACCEPT

> If you accept correct local packets first and then ban anything else
> it's fairly simple, although my firewall trusts local machines entirely
> so I may be missing something.

Half the purpose of my firewall is to ban e-mail since there is no way to
prevent local machines from using a SMTP server they shouldn't be using. 
If someone on a local machine found an open SMTP server and fed it a load
of SPAM, it would probably look like it came from this host's dynamic IP
address, with the masquerading and all.  I have to be careful though as I
still want to be able to use this machine to do my e-mail. 

Let's say that a packet with an IP address of 192.168.1.? came in on ppp0. 
Now, that is supposed to be a local address on eth0.  Would adding a rule
like this catch it?

ipchains -A input -s 192.168.1.0/24 -i ppp0 -j DENY

> What I do is to deny any packets with addresses in my private network.
> A more paranoid thing would be to use the ip-up and ip-down scripts to
> add and remove the appropriate rules each time.  It's not that much of a
> problem because the remote end of the link will probably do a fair bit
> of the work for you.

I think I just tried to accomplish that with the rule above.  I don't
think I'll fool with the ip-up and ip-down business for now.  I'm sure the
ISP does some filtering, but it is my goal to prevent anything on the LAN
from using my host to do things on the ISP's server that they wouldn't
like. 

> > # allow me to use fetchmail
> > ipchains -A input  -d localhost 110 -s pop3.isp.com 110 ! -y -j ACCEPT
> > ipchains -A output -s localhost 110 -d pop3.isp.com 110 -j ACCEPT
> 
> You can't use localhost like that.  Any packets going out over PPP are
> not going to have a source address of localhost (think about where
> answers are going to get sent to).

I was afraid of that.  Is this better? 

# -p tcp is required for the port to be accepted; '!' -y skips connection
# attempts (SYN without ACK) coming from the POP server
ipchains -A input  -p tcp -s pop3.isp.com 110 -i ppp0 '!' -y -j ACCEPT
ipchains -A output -p tcp -d pop3.isp.com 110 -i ppp0 -j ACCEPT

> Also note that ! is a shell metacharacter, so you need to say '!' rather
> than !.

Thanks, that would have caused me much frustration if you hadn't mentioned
it. 

> Assuming they can't log into your machine, you could reject all SMTP and
> POP traffic not on loopback or PPP and control the remote address (but
> not local) for traffic going over PPP.

I think that is what I have done with the lines above (for pop) and these
two for SMTP.  Did I goof anything up? 

# allow outgoing SMTP (-p tcp needed for the port match)
ipchains -A input  -p tcp -s smtp.isp.com 25 '!' -y -j ACCEPT
ipchains -A output -p tcp -d smtp.isp.com 25 -j ACCEPT

As far as SMTP on the loopback, I think this one takes care of it. 

# allow anything local; tie the rules to the loopback interface so a packet
# arriving on ppp0 with a forged 127.0.0.1 source does not match them
ipchains -A input  -i lo -s 127.0.0.1 -j ACCEPT
ipchains -A output -i lo -d 127.0.0.1 -j ACCEPT

> A useful trick when building firewalls is to use tcpdump to see what's
> flowing over the interface and compare that to your expectations.

Between that and "ipchains -C ...", relatively thorough testing should be
possible. 

There is one question that has been bugging me.  These two rules allow
everything on port 80: 

ipchains -A input  -p tcp -d 0/0 80  -j ACCEPT
ipchains -A output -p tcp -s 0/0 80  -j ACCEPT

And then these four would turn around and block it if it were from
ad.doubleclick.net or ads3.inet1.com. 

ipchains -A input  -s ads3.inet1.com -j DENY
ipchains -A output -d ads3.inet1.com -j DENY

ipchains -A input  -s ad.doubleclick.net -j DENY
ipchains -A output -d ad.doubleclick.net -j DENY

Now if a packet arrived at my port 80 from ads3.inet1.com, I think it
would match both of these rules:

ipchains -A input  -p tcp -d 0/0 80  -j ACCEPT
ipchains -A input  -s ads3.inet1.com -j DENY

Which one would be used? 

Thank you very much to all who have been involved in this thread.  I
appreciate learning what mistakes I have made without so much trial and
error, which would have been mostly error given the rules I started with.

Patrick Olson
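The question at the end of the post comes down to how ipchains walks a chain: rules are checked top to bottom and the first one that matches decides the packet, so an ACCEPT placed before a DENY wins. The following added example (not code from the post or from ipchains itself) is a small Python model of that traversal over the input rules quoted above, with constructed TEST-NET addresses standing in for the ISP and ad-server hostnames, a constructed dynamic address for this host, and an assumed default policy of DENY for packets that match nothing. It also checks the anti-spoofing rule for ppp0 and the '!' -y condition on the POP rule.

```python
"""Model of ipchains first-match chain traversal (added example, not the post's code).

Assumptions, all constructed for this example: TEST-NET addresses stand in for
pop3.isp.com, smtp.isp.com and ads3.inet1.com; the host's ppp0 address is
198.51.100.7; the input chain's default policy is DENY.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAN = "192.168.1.0/24"
ME = "198.51.100.7"     # constructed: this host's dynamic ppp0 address
POP = "203.0.113.25"    # constructed stand-in for pop3.isp.com
SMTP = "203.0.113.26"   # constructed stand-in for smtp.isp.com
ADS = "203.0.113.10"    # constructed stand-in for ads3.inet1.com


@dataclass
class Packet:
    src: str
    dst: str
    iface: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    syn_only: bool = False  # SYN set, ACK and FIN clear: what ipchains -y matches


@dataclass
class Rule:
    """One ipchains rule; a None field means the option was not given (matches anything)."""
    target: str                   # ACCEPT, DENY or REJECT
    src: Optional[str] = None     # -s, CIDR text
    dst: Optional[str] = None     # -d, CIDR text
    proto: Optional[str] = None   # -p
    sport: Optional[int] = None   # port given after -s
    dport: Optional[int] = None   # port given after -d
    iface: Optional[str] = None   # -i
    syn: Optional[bool] = None    # True for -y, False for '!' -y

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.syn is not None and p.syn_only != self.syn:
            return False
        return True


def evaluate(chain: List[Rule], p: Packet, policy: str = "DENY") -> Tuple[str, Optional[int]]:
    """Walk the chain in order; the first matching rule's target decides.
    Returns (target, index of the matching rule), or (policy, None) on fall-through."""
    for i, rule in enumerate(chain):
        if rule.matches(p):
            return rule.target, i
    return policy, None


def input_chain_as_posted() -> List[Rule]:
    """The post's input rules, in the order they appear in the message."""
    return [
        Rule("DENY", src=LAN, iface="ppp0"),                                       # LAN address on ppp0
        Rule("ACCEPT", src=POP, sport=110, proto="tcp", iface="ppp0", syn=False),  # fetchmail replies
        Rule("ACCEPT", src=SMTP, sport=25, proto="tcp", syn=False),                # SMTP replies
        Rule("ACCEPT", src="127.0.0.1", iface="lo"),                               # loopback
        Rule("ACCEPT", dst="0.0.0.0/0", dport=80, proto="tcp"),                    # port 80
        Rule("DENY", src=ADS),                                                     # ad server
    ]


def input_chain_deny_first() -> List[Rule]:
    """Same rules, with the ad-server DENY moved ahead of the port-80 ACCEPT."""
    chain = input_chain_as_posted()
    chain.insert(4, chain.pop())
    return chain


# Constructed packets for the cases discussed in the post.
def syn_to_my_port80_from_ads() -> Packet:
    return Packet(src=ADS, dst=ME, iface="ppp0", sport=40000, dport=80, syn_only=True)


def spoofed_lan_packet_on_ppp0() -> Packet:
    return Packet(src="192.168.1.9", dst=ME, iface="ppp0", sport=1234, dport=25)


def pop3_reply() -> Packet:
    return Packet(src=POP, dst=ME, iface="ppp0", sport=110, dport=1025)


def pop3_server_opens_connection() -> Packet:
    return Packet(src=POP, dst=ME, iface="ppp0", sport=110, dport=1025, syn_only=True)


if __name__ == "__main__":
    for name, chain in (("as posted", input_chain_as_posted()), ("DENY first", input_chain_deny_first())):
        print(name, evaluate(chain, syn_to_my_port80_from_ads()))
    print("spoofed LAN on ppp0", evaluate(input_chain_as_posted(), spoofed_lan_packet_on_ppp0()))
    print("POP reply", evaluate(input_chain_as_posted(), pop3_reply()))
    print("POP server SYN", evaluate(input_chain_as_posted(), pop3_server_opens_connection()))
```

With the rules in the posted order the port-80 ACCEPT (index 4) matches first and the ad-server DENY is never reached; swapping the two makes the DENY win for the same packet. The '!' -y case shows why the flag matters: a reply carrying data from the POP server is accepted by rule 1, while a fresh connection attempt from the same server address and port falls through to the default policy. The real tool gives the same answers, and `ipchains -C` with the same address, port and interface arguments is the way to confirm them on a live chain.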

