Solved

IP-Masquerade problem

Posted on 1998-12-11
Last Modified: 2010-03-18
I have some problems with ip-masquerading.

Machine A has eth1 connected to internet and eth0 connected to machine B

My rules:

IPCHAINS="/sbin/ipchains"
## IP Masq
#
## dont masq internal-internal traffic
$IPCHAINS -A forward -s 10.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT
#
## dont masq external interface direct
$IPCHAINS -A forward -s 130.x.y.z -d 0/0 -j ACCEPT
#
## masquerade all internal IP's going outside
$IPCHAINS -A forward -s 10.0.0.0/24 -d 0/0 -j MASQ  
 
I can ping my nameserver if I use ping ipnr. But I can't do a ping host.com.

My resolv.conf:

domain mydomain.com
search mydomain.com
nameserver 130.x.y.z

How can I get the dns part to work?
Question by: pucko

16 Comments

Expert Comment by: irp (ID: 1587869)
Are you running DNS on your machine or accessing somebody elses?
Can you access outside hosts from inside your network. What is ipnr (is this in your /etc/hosts). Use nslookup to test DNS resolution. Give me some more info and I'll try to help you.

Author Comment by: pucko (ID: 1587870)
OK!

Machine A eth0: 10.0.0.2
         eth1: 130.236.A.B

/etc/hosts:

10.0.0.2        pucko.local     pucko
10.0.0.3        documentation.local     doc    
10.0.0.4        abbie.local     abbie  
127.0.0.1 ab.doubleclick.net    
resolv.conf:

domain foo.se
search foo.se
nameserver 130.236.C.D

Machine B eth0: 10.0.0.2

/etc/hosts
10.0.0.2        pucko.local     pucko
10.0.0.3        documentation.local     doc    
10.0.0.4        abbie.local     abbie  
127.0.0.1 ab.doubleclick.net  
resolv.conf:

domain foo.se
search foo.se
nameserver 130.236.C.D

From machine B:

[root@abbie /etc]# ping 130.236.C.D
PING 130.236.230.9 (130.236.C.D): 56 data bytes
64 bytes from 130.236.230.9: icmp_seq=0 ttl=61 time=4.1 ms
64 bytes from 130.236.230.9: icmp_seq=1 ttl=61 time=4.8 ms
64 bytes from 130.236.230.9: icmp_seq=2 ttl=61 time=6.1 ms            

But I don't get any response if I do a ping ns.foo (the nameserver with IP 130.236.C.D).

If I do a ping ns.foo from machine B and a /sbin/ipchains -M -L at the same time, I get:

IP masquerading entries
prot expire   source               destination          ports
UDP  04:55.10 abbie.local          ns.foo               1039 (61086) -> domain
UDP  03:23.60 abbie.local          ns.foo             netbios-ns (61088) -> netbios-ns

It doesn't matter if I put ns.foo in the /etc/hosts


And tcpdump says:

22:30:07.747766 abbie.local.1039 > ns.foo.domain: 62981+ (30)
22:30:12.748167 arp who-has pucko.local tell abbie.local
22:30:12.748672 arp reply pucko.local is-at 0:80:ad:38:d:94


It works fine if I install a caching nameserver on machine A and put 10.0.0.2 as nameserver on machine B. But that is not the solution I'd like to have...

Expert Comment by: zblaxell (ID: 1587871)
Uhhh...I assume machine B's IP address for eth0 is actually 10.0.0.4 (you say 10.0.0.2 above, but that won't work).

I would delete the first two forwarding rules and just leave the last one.  Given what you've described of the networking the other two rules should be unused, but if they aren't then they probably aren't doing what you want either.  Are any packets being accepted by the other two rules while you are waiting for a nameserver response?  Use 'ipchains -L -xvn' to see packet counts.

Author Comment by: pucko (ID: 1587872)
Yes... it should be 10.0.0.4. And it doesn't matter if I remove the other rules.

and ipchains -L -xvn gives:

Chain input (policy ACCEPT: 404 packets, 42832 bytes):
    pkts      bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
    1811     277759 ACCEPT     all  ------ 0xFF 0x00  eth0                           0.0.0.0/0             0.0.0.0/0             n/a
      60       7404 ACCEPT     all  ------ 0xFF 0x00  lo                             0.0.0.0/0             0.0.0.0/0             n/a
       0          0 DENY       tcp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0             0.0.0.0/0             * ->   1433
       0          0 DENY       udp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0             0.0.0.0/0             * ->   1433
       0          0 DENY       tcp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0             0.0.0.0/0             * ->   2049
       0          0 DENY       udp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0             0.0.0.0/0             * ->   2049
       0          0 DENY       tcp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0             0.0.0.0/0             * ->   5432
       0          0 DENY       udp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0             0.0.0.0/0             * ->   5432
     437     143262 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   1023:65535
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   20
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   21
      28       1120 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   22
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   53
       0          0 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   53
     110       4400 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   80
       0          0 ACCEPT     icmp ------ 0xFF 0x00  *                              10.0.0.0/24           0.0.0.0/0             8 ->   *
    1336      68560 ACCEPT     icmp ------ 0xFF 0x00  eth1                           0.0.0.0/0             0.0.0.0/0             * ->   *
       0          0 ACCEPT     icmp ------ 0xFF 0x00  eth0                           0.0.0.0/0             0.0.0.0/0             * ->   *
       0          0 ACCEPT     icmp ------ 0xFF 0x00  *                              130.236.233.202       0.0.0.0/0             8 ->   *
       0          0 REJECT     icmp ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             8 ->   *
       2         88 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:80
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:20
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:21
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:22
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:25
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:137
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:138
       4        176 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:139
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:113
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:512
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:8000
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:8020
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:8021
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:8022
       7        728 REJECT     all  ----l- 0xFF 0x00  *                              130.236.233.145       0.0.0.0/0             n/a
      13       3276 REJECT     all  ----l- 0xFF 0x00  *                              130.236.235.58        0.0.0.0/0             n/a
      13       3172 REJECT     all  ----l- 0xFF 0x00  *                              130.236.235.110       0.0.0.0/0             n/a
       0          0 REJECT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:1024
       0          0 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:53
      87      10530 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:4000
      23        920 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:26000
  301573   17468266 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:27500
      16       3364 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:28000
       0          0 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:29000
      34       3578 REJECT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   *
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   22
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   20
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   21
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   80
     118     137768 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   25
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   137
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   138
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   139
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   113
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   512
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   8000
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   8020
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   8021
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   8022
       0          0 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   27500
       0          0 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   26000
       0          0 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   28000
       0          0 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   53
       0          0 DENY       tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   *
   73907   15134699 DENY       udp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   *
Chain forward (policy ACCEPT: 9 packets, 2075 bytes):
    pkts      bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
       0          0 ACCEPT     all  ------ 0xFF 0x00  *                              10.0.0.0/24           10.0.0.0/24           n/a
       0          0 ACCEPT     all  ------ 0xFF 0x00  *                              130.236.A.B       0.0.0.0/0             n/a
     127      22625 MASQ       all  ------ 0xFF 0x00  *                              10.0.0.0/24           0.0.0.0/0             n/a
       0          0 MASQ       all  ------ 0xFF 0x00  *                              10.0.0.0/24           0.0.0.0/0             n/a
       0          0 DENY       all  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             n/a
Chain output (policy ACCEPT: 132 packets, 16707 bytes):
    pkts      bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
    2153     230822 ACCEPT     all  ------ 0xFF 0x00  eth0                           0.0.0.0/0             0.0.0.0/0             n/a
      55       6395 -          tcp  ------ 0x01 0x10  *                              0.0.0.0/0             0.0.0.0/0             * ->   80
       0          0 -          tcp  ------ 0x01 0x10  *                              0.0.0.0/0             0.0.0.0/0             * ->   21
       0          0 -          tcp  ------ 0x01 0x08  *                              0.0.0.0/0             0.0.0.0/0             * ->   20
      64      10198 ACCEPT     icmp ------ 0xFF 0x00  eth1                           0.0.0.0/0             0.0.0.0/0             * ->   *
       0          0 ACCEPT     icmp ------ 0xFF 0x00  eth0                           0.0.0.0/0             0.0.0.0/0             * ->   *
  250057   31385006 ACCEPT     all  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             n/a


Expert Comment by: zblaxell (ID: 1587873)
You are REJECTing packets to ports 61000:65535 on input.  You need those ports for masquerade replies to work (they can't be used for anything else).

Expert Comment by: zblaxell (ID: 1587874)
This line:

      34       3578 REJECT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   *

To find out if this is the problem, try doing a few name lookups with "ping" and see if the number "34" increases.

Author Comment by: pucko (ID: 1587875)
zblaxell, it seems that you know what's wrong. If I remove all of my firewall rules it seems to work. Now the problem is that I can't find which to remove. I still want a firewall. I increased the points from 50 to 250 in the hope that you can give me some comments about my rules. Some of those are stupid, I think.
Which can I remove?
And do you have any idea why I can't use ssh to some places if I uncomment the last rule?
My rules:
#!/bin/sh

echo -n "Starting Firewall"  

echo 1 > /proc/sys/net/ipv4/ip_forward  
IPCHAINS="/sbin/ipchains"


$IPCHAINS -F input
$IPCHAINS -F output
$IPCHAINS -F forward

INTERNALIF="eth0"
INTERNALNET="10.0.0.0/24"
INTERNALIP="10.0.0.2"
#

EXTERNALIF="eth1"
EXTERNALNET="0.0.0.0/0"
EXTERNALIP="130.236.A.B"
#
## Allow all connections on the internal interface
#
$IPCHAINS -A input -i $INTERNALIF -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i $INTERNALIF -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT

#
#
## IP Masq
#
## dont masq internal-internal traffic
#$IPCHAINS -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT
#
## dont masq external interface direct
#$IPCHAINS -A forward -s $EXTERNALIP -d 0/0 -j ACCEPT
#
## masquerade all internal IP's going outside
$IPCHAINS -A forward -s $INTERNALNET -d 0/0 -j MASQ

#

$IPCHAINS -A output -p tcp -d 0/0 www -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 ftp -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08

$IPCHAINS -A input -i $EXTERNALIF -p tcp -s 0/0 -d 0/0 1433 -l -j DENY
$IPCHAINS -A input -i $EXTERNALIF -p udp -s 0/0 -d 0/0 1433 -l -j DENY
$IPCHAINS -A input -i $EXTERNALIF -p tcp -s 0/0 -d 0/0 2049 -l -j DENY
$IPCHAINS -A input -i $EXTERNALIF -p udp -s 0/0 -d 0/0 2049 -l -j DENY
$IPCHAINS -A input -i $EXTERNALIF -p tcp -s 0/0 -d 0/0 5432 -l -j DENY
$IPCHAINS -A input -i $EXTERNALIF -p udp -s 0/0 -d 0/0 5432 -l -j DENY
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 1023:65535 -j ACCEPT

$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 20 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 21 -j ACCEPT    
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 22 -j ACCEPT  
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 53 -j ACCEPT
$IPCHAINS -A input -p udp -s 0/0 -d 0/0 53 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 80 -j ACCEPT  


/sbin/ipchains -A input -s  $INTERNALNET echo-request -p icmp -j ACCEPT



$IPCHAINS -A input -i $EXTERNALIF -p icmp -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A input -i $INTERNALIF -p icmp -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i $EXTERNALIF -p icmp -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i $INTERNALIF -p icmp -s 0/0 -d 0/0 -j ACCEPT

/sbin/ipchains -A input -s 130.236.E.F/32 echo-request -p icmp -j ACCEPT

/sbin/ipchains -A input -s 0/0 echo-request -p icmp -j REJECT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :80 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :20 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :21 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :22 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :25 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :137 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :138 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :139 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :113 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :512 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :8000 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :8020 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :8021 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :8022 -j ACCEPT

#### Reject some idiots! ###################
/sbin/ipchains -A input -s 130.236.233.145/32 -d 0/0 -l -j REJECT
/sbin/ipchains -A input -s 130.236.235.58/32 -d 0/0 -l -j REJECT
/sbin/ipchains -A input -s 130.236.235.110/32 -d 0/0 -l -j REJECT

#########################
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :1024 -j REJECT
/sbin/ipchains -A input -p UDP -d $EXTERNALIP/32 :53 -j ACCEPT
/sbin/ipchains -A input -p UDP -d $EXTERNALIP/32 :4000 -j ACCEPT
/sbin/ipchains -A input -p UDP -d $EXTERNALIP/32 :26000 -j ACCEPT
/sbin/ipchains -A input -p UDP -d $EXTERNALIP/32 :27500 -j ACCEPT
/sbin/ipchains -A input -p UDP -d $EXTERNALIP/32 :28000 -j ACCEPT
/sbin/ipchains -A input -p UDP -d $EXTERNALIP/32 :29000 -j ACCEPT
/sbin/ipchains -A input -p UDP -d $EXTERNALIP/32 -j REJECT




/sbin/ipchains -A forward -j MASQ -s 10.0.0.4/24 -d 0.0.0.0/0


/usr/sbin/ipmasqadm autofw -A -p tcp 8000 10.0.0.4:80    
/usr/sbin/ipmasqadm autofw -A -p tcp 8020 10.0.0.4:20  

$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 22 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 20 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 21 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 80 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 25 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 137 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 138 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 139 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 113 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 512 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 8000 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 8020 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 8021 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 8022 -j ACCEPT
$IPCHAINS -A input -p udp -s 0/0 -d 0/0 27500 -j ACCEPT
$IPCHAINS -A input -p udp -s 0/0 -d 0/0 26000 -j ACCEPT
$IPCHAINS -A input -p udp -s 0/0 -d 0/0 28000 -j ACCEPT
$IPCHAINS -A input -p udp -s 0/0 -d 0/0 53 -j ACCEPT
$IPCHAINS -A input -p tcp -y -d 130.236.A.B/32 -j DENY
$IPCHAINS -A input -p udp -j DENY
$IPCHAINS -A output -j ACCEPT
$IPCHAINS -A forward -j DENY
#$IPCHAINS -A input -p  -j DENY




Accepted Solution by: zblaxell (earned 250 total points, ID: 1587876)
Well, you had the right idea (rejecting everything in UDP in one firewall rule).  You actually need to add a rule.

The rule I mentioned (

/sbin/ipchains -A input -p UDP -d $EXTERNALIP/32 -j REJECT

) is rejecting the packets.  You need to add this line before that one (accept 61000:65095, the UDP masquerade ports):

/sbin/ipchains -A input -p UDP -d $EXTERNALIP/32 61000:65095 -j ACCEPT

You have another rule that accepts TCP packets on 1023:65535, so you did TCP masquerading successfully by sheer luck.

IP masquerade rewrites packets so that they appear to come from 61000:65095 on the machine doing the masquerade (4096 ports starting at 61000 is 61000-65095).  When a server on the Internet replies to one of those ports the masquerade looks up the port number used and rewrites the packet as a reply.

You will notice that (among other things) you can't bind a server to port 61000:65095 on a machine with masquerade enabled.  Those ports are entirely reserved for use by the masquerade code.
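To make the mechanism in this answer concrete, here is a small Python model of what the masquerade code and a first-match input chain do. It is an added example written for this page, not code from the thread or from ipchains itself. The addresses are constructed (192.0.2.1 stands in for 130.236.A.B, 198.51.100.9 for ns.foo), and the rule set is a reduced version of the UDP tail of pucko's input chain. It shows the DNS reply arriving at a 61000:65095 port, being REJECTed without the extra ACCEPT and passing with it, and why the TCP case worked by luck through the 1023:65535 rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Toy model of ipchains masquerade plus a first-match input chain. Constructed
# addresses: 192.0.2.1 stands in for 130.236.A.B, 198.51.100.9 for ns.foo.
MASQ_PORT_LO, MASQ_PORT_HI = 61000, 65095   # 4096 ports reserved by the masq code
EXTERNAL_IP = "192.0.2.1"
NS_IP = "198.51.100.9"
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    """One input rule; a field left as None matches anything (like ipchains 0/0)."""
    target: str                               # ACCEPT, REJECT or DENY
    proto: Optional[str] = None
    dst: Optional[str] = None                 # exact destination address
    dports: Optional[Tuple[int, int]] = None  # inclusive destination port range

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        return self.dports is None or self.dports[0] <= p.dport <= self.dports[1]

def filter_input(rules: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy

class Masquerader:
    """Masquerade table keyed by the rewritten source port."""
    def __init__(self) -> None:
        self.table = {}               # masq port -> (proto, internal ip, internal port)
        self.next_port = MASQ_PORT_LO

    def outbound(self, p: Packet) -> Packet:
        """Rewrite a packet leaving the internal net to EXTERNAL_IP:<masq port>."""
        if ipaddress.ip_address(p.src) not in INTERNAL_NET:
            return p
        if self.next_port > MASQ_PORT_HI:
            raise RuntimeError("all 4096 masquerade ports in use")
        mport, self.next_port = self.next_port, self.next_port + 1
        self.table[mport] = (p.proto, p.src, p.sport)
        return Packet(p.proto, EXTERNAL_IP, mport, p.dst, p.dport)

    def inbound(self, reply: Packet) -> Optional[Packet]:
        """Map a reply aimed at a masq port back to the internal host, else None."""
        entry = self.table.get(reply.dport)
        if reply.dst != EXTERNAL_IP or entry is None or entry[0] != reply.proto:
            return None
        proto, int_ip, int_port = entry
        return Packet(proto, reply.src, reply.sport, int_ip, int_port)

def masq_roundtrip() -> Tuple[str, int, str, int]:
    """abbie (10.0.0.4) queries ns.foo; the reply is mapped back by port."""
    masq = Masquerader()
    out = masq.outbound(Packet("udp", "10.0.0.4", 1039, NS_IP, 53))
    back = masq.inbound(Packet("udp", NS_IP, 53, out.src, out.sport))
    return out.src, out.sport, back.dst, back.dport

def puckos_udp_tail(with_masq_accept: bool) -> List[Rule]:
    """Tail of pucko's input chain for UDP to the external address, with or
    without the 61000:65095 ACCEPT that the accepted answer adds before the REJECT."""
    rules = [Rule("ACCEPT", "udp", EXTERNAL_IP, (53, 53))]
    if with_masq_accept:
        rules.append(Rule("ACCEPT", "udp", EXTERNAL_IP, (MASQ_PORT_LO, MASQ_PORT_HI)))
    rules.append(Rule("REJECT", "udp", EXTERNAL_IP))   # the rule zblaxell pointed at
    return rules

def dns_reply_verdict(with_masq_accept: bool) -> str:
    """What the input chain does with the DNS reply to a masqueraded query."""
    masq = Masquerader()
    out = masq.outbound(Packet("udp", "10.0.0.4", 1039, NS_IP, 53))
    return filter_input(puckos_udp_tail(with_masq_accept), Packet("udp", NS_IP, 53, out.src, out.sport))

def tcp_reply_verdict() -> str:
    """TCP replies pass pucko's broad 'tcp 1023:65535 ACCEPT', as the answer notes."""
    rules = [Rule("ACCEPT", "tcp", None, (1023, 65535)), Rule("DENY", "tcp", EXTERNAL_IP)]
    out = Masquerader().outbound(Packet("tcp", "10.0.0.4", 1040, "198.51.100.80", 80))
    return filter_input(rules, Packet("tcp", "198.51.100.80", 80, out.src, out.sport))

if __name__ == "__main__":
    print(masq_roundtrip(), dns_reply_verdict(False), dns_reply_verdict(True), tcp_reply_verdict())
```

The model deliberately has no connection tracking on the filter side: ipchains is stateless, so the only way a reply to a masqueraded flow gets in is an input rule that admits the whole 61000:65095 range, which is why that range cannot double as server ports.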
 
Author Comment by: pucko (ID: 1587877)
Thanks. You don't have any idea why ssh doesn't work if I add

$IPCHAINS -A input -p  -j DENY

at the end of the file?

Expert Comment by: zblaxell (ID: 1587878)
Your rules list is very repetitive and confusing.  At the start of the file there is an ACCEPT rule for tcp -s 0/0 -d 0/0, which should accept all TCP headed anywhere.  How ssh 'escapes' to the last line of the file (where it can be REJECTed by that last command) I don't know.

The line:  $IPCHAINS -A input -p tcp -s 0/0 -d 0/0 1023:65535 -j ACCEPT

and the six lines below it should be enabling ssh access from and to anywhere.

Where are you trying to ssh from and to?  To the firewall server or through it?  What do you get from 'ssh -v'?

Author Comment by: pucko (ID: 1587879)
I get: this + how to use it.
SSH Version 1.2.26 [i586-unknown-linux], protocol version 1.5.
Standard version.  Does not use RSAREF.    

I'm trying to ssh to another machine from the firewall..

Expert Comment by: zblaxell (ID: 1587880)
Uhhh...I meant what happens when you use 'ssh -v' instead of 'ssh', as in 'ssh -v user@hostname'.  It usually provides some information about what is going on, e.g. is it hanging doing DNS, waiting for an ident, or trying to bind to a low-numbered port...

Oh yeah.  ssh will bind to a low numbered (below 1024) TCP port on the client side if it detects that it may have to use RhostsAuthentication.  If you disable RhostsAuthentication or remove the setuid-root bit on ssh then ssh won't use low-numbered ports.  Your ipchains rules don't allow connections from your firewall to outside machines on low-numbered ports (the 1023: half of 1023:65535).  You could reduce the 1023 to 900 or so.

If you just want to prevent people from connecting to your machine, but want to enable outgoing connections, use rules with the '-y' option to enable all the TCP connections you wish to allow, then use 'ipchains -A input -p tcp -s 0/0 -d 0/0 -j REJECT' to deny all other connections.

Here is my web server's firewall rules list, with IP addresses deleted to protect the innocent.  It explicitly verifies the source and destination of all addresses on each network interface, allows ssh, telnet, FTP, mail, ident, https, finger, and http to the outside world, 'ping' and certain ICMP messages (3 and 11; don't remember what they're for the moment) and all UDP access.

I check all IP addresses to make sure they have sensible source and destination addresses.  By default nothing is permitted, and services which I actually use are explicitly permitted.  Anything that is not permitted is logged to the syslog using '-l' - apart from being useful for debugging, this can alert me to people trying to break into my machine.  However, my uplink generates a heck of a lot of noise on my eth1 that does not have my IP address, so I silently discard all such packets (12 megabytes a day).  I also count all my own network traffic so I can verify my service provider's invoices.

#!/bin/sh -x
PATH=/sbin:/usr/bin:/bin

# Default timeouts
ipchains -M -S 3600 3600 3600

# Read config from Red Hat.  eth0 is internal,
# eth1 is external.

. /etc/sysconfig/network-scripts/ifcfg-eth0
INSIDE=$IPADDR
INSIDE_DEVICE=$DEVICE

. /etc/sysconfig/network-scripts/ifcfg-eth1

# Our internal network addresses

PRIVATE_NETWORK=99.0.0.0/8
FOOBAR_NETWORK=98.0.0.0/8

# Default policy is deny, empty rule chains

ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
ipchains -F

# Ignore noise on uplink device.
ipchains -A input -i $DEVICE -d ! $IPADDR -j DENY

# Count SYN packets, total packets, packets on each interface
ipchains -A input -p tcp -y -l
ipchains -A output -p tcp -y -l
ipchains -A input
ipchains -A output
ipchains -A input -i lo
ipchains -A output -i lo
ipchains -A input -i eth0
ipchains -A output -i eth0
ipchains -A input -i eth1
ipchains -A output -i eth1

# FOOBAR network should not be accessible from web server.
# This is enforced on a firewall connected to FOOBAR,
# and also enforced here for redundancy.
ipchains -A input -s $FOOBAR_NETWORK -b -j DENY -l
ipchains -A output -s $FOOBAR_NETWORK -b -j DENY -l

# Allow only localhost and local IP addresses on loopback.
# Localnet addresses should not appear anywhere else.
ipchains -A input -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
ipchains -A input -i lo -s $IPADDR -d $IPADDR -j ACCEPT
ipchains -A input -i lo -s $INSIDE -d $INSIDE -j ACCEPT
ipchains -A input -i lo -j DENY -l
ipchains -A input -s 127.0.0.0/8 -d 127.0.0.0/8 -j DENY -l

# Ditto for output.
ipchains -A output -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
ipchains -A output -i lo -s $IPADDR -d $IPADDR -j ACCEPT
ipchains -A output -i lo -s $INSIDE -d $INSIDE -j ACCEPT
ipchains -A output -i lo -j DENY -l
ipchains -A output -s 127.0.0.0/8 -d 127.0.0.0/8 -j DENY -l

# Internal network addresses only on internal side
ipchains -A input -i $INSIDE_DEVICE -s $PRIVATE_NETWORK -j ACCEPT
ipchains -A output -i $INSIDE_DEVICE -d $PRIVATE_NETWORK -j ACCEPT

# Internal network addresses on internal network only.
ipchains -A input -s $PRIVATE_NETWORK -j DENY -l -b
ipchains -A output -s $PRIVATE_NETWORK -j DENY -l -b

# Allow traffic from outside world.
# TCP ports for local clients are defined in /proc/sys/net/ipv4/ip_local_port_range and are 1024:4999 by default.
# 61000:65095 are for masquerade.
# A.B.C.D etc are our DNS secondaries which need to use TCP for DNS.  All others can use UDP.
# ICMP 0 and 8 are ping, 3 and 11 are TCP and UDP messages
ipchains -A input -i $DEVICE -d $IPADDR 20:25 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 79:80 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 113 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 443 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 1024:4999 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 61000:65095 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -s A.B.C.D -d $IPADDR 53 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -s E.F.G.H -d $IPADDR 53 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -s I.J.K.L -d $IPADDR 53 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -s M.N.O.P -d $IPADDR 53 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 53 -p udp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 123 -p udp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 1024:65535 -p udp -j ACCEPT
ipchains -A input -i $DEVICE -s 0/0 0 -d $IPADDR -p icmp -j ACCEPT
ipchains -A input -i $DEVICE -s 0/0 3 -d $IPADDR -p icmp -j ACCEPT
ipchains -A input -i $DEVICE -s 0/0 8 -d $IPADDR -p icmp -j ACCEPT
ipchains -A input -i $DEVICE -s 0/0 11 -d $IPADDR -p icmp -j ACCEPT

# No control over outbound traffic
ipchains -A output -i $DEVICE -s $IPADDR -j ACCEPT

# Not a gateway onto private network.  This stops an IP spoofing
# attack if it somehow gets through all the filtering above.
ipchains -A forward -s $PRIVATE_NETWORK -d $PRIVATE_NETWORK -j DENY -l
# Forward and masquerade private network to the world
ipchains -A forward -s $PRIVATE_NETWORK -j MASQ

# Report any other packets that are denied.
# Useful for debugging (-l logs these to the kernel syslog)
ipchains -A input -j DENY -l
ipchains -A output -j DENY -l
ipchains -A forward -j DENY -l

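Since the rule set above logs every denied packet with -l, here is an added example (not code from the thread) of reading those log lines the way a defender would: a parser for the kernel's "Packet log:" format as I recall it from 2.2-era ipchains (chain, target, interface, PROTO=, src:sport, dst:dport, L= S= I= F= T=, an optional SYN, and the matching rule number), with a summary that groups denied packets by source, flags a source that hit several blocked ports, and separately counts denied packets aimed at 61000:65095. That last count is the symptom this thread started with; had pucko's REJECT rule carried -l, the log would have shown the DNS replies being thrown away. All log lines and addresses below are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Format of an ipchains '-l' kernel log line (Linux 2.2 ip_fw.c), as recalled
# for this example; adjust the pattern if your kernel printed it differently.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

MASQ_PORT_LO, MASQ_PORT_HI = 61000, 65095   # ports the masq code reserves for replies
SWEEP_THRESHOLD = 3                          # distinct blocked ports from one source

# Constructed sample log. 192.0.2.1 stands in for the firewall's external address
# and 198.51.100.9 for the nameserver. The first two lines are what pucko's UDP
# REJECT rule would have logged with -l: DNS replies to masquerade ports dropped.
SAMPLE_LOG = [
    "Dec 11 22:30:07 pucko kernel: Packet log: input REJECT eth1 PROTO=17 198.51.100.9:53 192.0.2.1:61086 L=116 S=0x00 I=4711 F=0x0000 T=61 (#45)",
    "Dec 11 22:30:12 pucko kernel: Packet log: input REJECT eth1 PROTO=17 198.51.100.9:53 192.0.2.1:61087 L=116 S=0x00 I=4712 F=0x0000 T=61 (#45)",
    "Dec 11 22:31:01 pucko kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:40001 192.0.2.1:1433 L=60 S=0x00 I=1 F=0x4000 T=50 SYN (#4)",
    "Dec 11 22:31:01 pucko kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:40002 192.0.2.1:2049 L=60 S=0x00 I=2 F=0x4000 T=50 SYN (#6)",
    "Dec 11 22:31:01 pucko kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:40003 192.0.2.1:5432 L=60 S=0x00 I=3 F=0x4000 T=50 SYN (#8)",
    "Dec 11 22:31:02 pucko kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:40004 192.0.2.1:23 L=60 S=0x00 I=4 F=0x4000 T=50 SYN (#60)",
    "Dec 11 22:31:03 pucko kernel: Packet log: input REJECT eth1 PROTO=1 203.0.113.50:8 192.0.2.1:0 L=84 S=0x00 I=9 F=0x0000 T=48 (#30)",
    "Dec 11 22:31:05 pucko kernel: eth1: link up",      # not a packet log line
]

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one ipchains log line, or None for any other line.
    For ICMP (PROTO=1) the 'port' positions carry type and code instead."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    e: Dict[str, object] = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "ttl", "rule"):
        e[k] = int(e[k])
    e["syn"] = e.pop("syn") is not None
    return e

def summarize(lines: List[str]) -> Dict[str, object]:
    """Group denied/rejected packets by source and flag two things: one source
    probing several blocked ports, and replies to the masquerade port range
    being dropped (a rule-set mistake rather than hostile traffic)."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set()})
    masq_reply_drops = 0
    for line in lines:
        e = parse_line(line)
        if e is None or e["target"] not in ("DENY", "REJECT"):
            continue
        per_src[e["src"]]["packets"] += 1
        per_src[e["src"]]["ports"].add(e["dport"])
        if e["proto"] in (6, 17) and MASQ_PORT_LO <= e["dport"] <= MASQ_PORT_HI:
            masq_reply_drops += 1
    sweeps = sorted(s for s, v in per_src.items() if len(v["ports"]) >= SWEEP_THRESHOLD)
    return {"per_src": dict(per_src), "masq_reply_drops": masq_reply_drops, "sweeps": sweeps}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("denied replies to masq ports:", report["masq_reply_drops"])
    print("sources hitting several blocked ports:", report["sweeps"])
```

Run against a real /var/log/messages the same way (read the file into a list of lines); the masq_reply_drops counter is the quickest check that a broad REJECT or DENY sits in front of the 61000:65095 ACCEPT.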

Author Comment by: pucko (ID: 1587881)
How can I remove the setuid bit on ssh???

Author Comment by: pucko (ID: 1587882)
I tried chmod -s ssh but I get:

a201.ryd.student.liu.se: Reading configuration data /etc/ssh_config
pucko: ssh_connect: getuid 0 geteuid 0 anon 0
pucko: Connecting to tintin [X..Z.V] port 22.
pucko: Allocated local port 1022.


Author Comment by: pucko (ID: 1587883)
Sorry.. was trying as root...
Thanks for all help!!!!

Author Comment by: pucko (ID: 1587884)
I used your file and modified it. I have some problems. It seems like DNS does not work and ICQ doesn't work either. I'll add this as a new question for you and name it "Question for zblaxell" so you can get some more points.