topic Re: Need ipchains help in Operating System - Linux

Need ipchains help

Steve Nold — Fri, 15 Mar 2002 16:28:49 GMT

I'm trying to use a RedHat 7.2 box with ipchains to accomplish two things:

1 - Act as a firewall in general to deny inbound access to all but very specific services.

2 - Allow me to forward connection attempts to specific services (http, for instance) to a different machine sitting behind the Linux box's second interface.

I have tried all kinds of different ipchains commands with no luck. Can someone help me with the specific syntax of how to accomplish port forwarding with ipchains?

And yes, I've read the ipchains howto, etc., but can't find specific examples of how to get the port forwarding pieces working correctly.

Thanks.

Re: Need ipchains help

Scott Nelson_1 — Fri, 15 Mar 2002 17:44:54 GMT

Here is an example where mail (SMTP) packets arriving at external.example.com get forwarded to internal.example.com:

ipmasqadm portfw -a -P tcp -L external.example.com smtp -R internal.example.com smtp

Hope this helps.

Re: Need ipchains help

Jeffrey S. Sims — Fri, 15 Mar 2002 18:01:59 GMT

Steve,

First you would want to define your default policy and judging from your post I would think you wanted to deny everything unless you specifically allow it. You would do this by editing the file /etc/rc.d/rc.firewall and putting the following lines at the top.

####Set default policy to deny ####
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT

Now all your network traffic is blocked and you have to decide what you want to enable.

You may want to create some variables in this file to eliminate having to type numbers repeatedly. Some examples would be:

EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"

IPADDR="your.ip.address"
ANYWHERE="any/0" #match any IP address
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"

Anyway, after you have all the variables you need or want then you can start enabling what you want to let through.

To allow you to run any local network service you choose you have to enable unrestricted loopback traffic. Do this by entering

ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

Now you need to accept traffic for the services that you want to offer. To receive mail sent to this machine from an external address you would use:

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $IPADDR 25 -j ACCEPT

Ok well this should at least get you going and let you see the syntax for the ipchains commands that you will be using. Check out a book called Linux Firewalls by Robert L. Ziegler ISBN 0-7357-0900-9

Have fun and hope this helps

Re: Need ipchains help

Mark Fenton — Sat, 16 Mar 2002 02:56:24 GMT

Steve -- I don't think ipchains will be a very satisfying solution for your port redirection issues (though ipmasqadm will handle it OK).

Since you are using RH 7.2, why not try iptables instead? One tool that can accomplish the entire firewalling setup.

Jefferey's setup for ipchains is a great start, and most of that would be applicable to an iptables configuration as well.

There are several iptables firewall builders available (check out http://freshmeat.net and search on iptables firewall). I'm kind of partial to shorewall, though it is somewhat more difficult to make jump through hoops than some others I've worked with.

If you are still having trouble with specific NAT issues, please to post a more detailed description of what it is that's not working.

Best regards.
Mark

Re: Need ipchains help

Steve Nold — Mon, 18 Mar 2002 19:19:22 GMT

Thanks for all the responses. After spending some time with it over the weekend, I've decided to bite the bullet and dive into iptables, since it seems to be more robust that ipchains.

Thanks again, everyone.