[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 385
  • Last Modified:

ipchains and IRC

OK, I *finally* got my Linux box on the network, got ipchains working so my local Windoze machines can get to the network, and buttoned up all the ports I can think of.

Now the question is, how do I tell ipchains to allow connections for DCC and ident?  Seems like both of these have the same problem - it's an (almost) unsolicited connection to an inside the firewall machine.
0
jjmcd
Asked:
jjmcd
  • 6
  • 3
  • 2
  • +3
1 Solution
 
jlevieCommented:
Well, in this context it isn't an "unsolicited" connection. You do something from an inside system that causes the remote to request your "ident" daemon to respond. This in turn means that the remote has to open a connection to your system to talk to the ident daemon. There are a number of other applications that do similar things, needing to open inbound connections on ports/protocols other than those ports/protocols already opend for the outbound connection.

"ident" is a TCP protocol on port 113, so you'd add a rule to ipchains that allows any host to connect inbound on that protocol & port. Something (I'm doing this from memory, so check the man pages and/or "IPChains How-To") like a "-p TCP -s 0.0.0.0 ident -j ACCEPT" rule.

You'll need similar rules for any other service that need to onpen an inbound connection.
0
 
jjmcdAuthor Commented:
Easy enough to accept inbounds on 113, but then they need to be passed back to the local host which initiated the original connection.  That's the part that's got me stumped.
0
 
jlevieCommented:
Oh, it wasn't apparent to me from the question that you were also running IPMasquerade.

You have to set up port forwarding, which means the the kernel has to have IPPORTFW enabled at compile time. Then you add a rule that forwards the inbound request on the port of interest to an internal host. Exactly what the rule looks like depends on how everything is set up and what kernel you have. For instance, if the external IP is a static address and you're using a 2.2.x kernel you'd have something like:

/usr/sbin/ipmasqadm portfw -f
/usr/sbin/ipmasqadm portfw -a -P tcp -L ext-IP-addr 113 -R inside-TP-addr 113

in your firewall init script.

There's a good discussion of Forwarding in the "IPMasquerade How-To" (www.redhat.com/mirrors/LDP/HOWTO/IP-Masquerade-HOWTO-6.html) and more information in section 10 & 11 of the Trinity-OS notes (www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri). You really need to look at those docs as there can be quite a bit of variation in what the commands need to be.
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
MagicianCommented:
I don't know if this actually works, but the firewall setup was too complicated for me to do on my own.

http://linux-firewall-tools.com/linux/firewall/index.html

This will write the script for you, and it has an option for IRC.

Follow the directions, copy and paste the text in a text file, and install the firewall.

Do this only from the Linux box!!!  The Wintel boxes will make the text formatting funny (not work correctly) in the Linux box.

Hope this helps.
0
 
NickCommented:
**Phew**  I got this all running by luck it seems.  Keep it up Guys, I am learning what I done!

Nick
0
 
jjmcdAuthor Commented:
I'll just post a quick note to let you know I'm following, but it looks like it will be the weekend before I do much.  jlevie's references look promising, but I couldn't find a text or PostScript version and wading through the HTML is slow, so I didn't get too far there.  I couldn't find the IP Masquerading HOWTO on my CD and the Firewall and ipchains HOWTOs weren't all that helpful in this regard.  I'm continuing to spend my evenings buttoning up holes that my log exposes.  Well, not so much buttoning up as eliminating noise from the log so I can focus on the many suspicious entries.
0
 
ohad23Commented:
hi,
do use the ip_maq_irc kernel module ???
0
 
BlackSunSetCommented:
Whell I been doing lots of firewall setups so if you want to have good security rules with ipchains then use this setup, and also make user you have ident server with masq support like mident on the server and all linux client

--Eth0= This is the Network Card with Internet Access (static or dynamic from dhcp server, etc), or other pipeline like ppp0 and coresponding ip with it.

IPCHAINS -A input -p tcp -i eth0 -s 0/0 1024:65535 -d (IP of Eth0)/32 113 -j ACCEPT
IPCHAINS -A input -p tcp -i eth0 -s 0/0 113 -d 0/0 1024:65535 -j ACCEPT
IPCHAINS -A output -p tcp -i eth0 -s (IP of Eth0)/32 1024:65535 -d 0/0 113 -j ACCEPT
IPCHAINS -A output -p tcp -i eth0 -s (IP of Eth0)/32 113 -d 0/0 1024:65535 -j ACCEPT

For IRC DCC use ip_masq_irc module like Nick mentioned above
insmod ip_masq_irc ports=6662,6666,6667,6668,1024,1025,......
0
 
jjmcdAuthor Commented:
BlackSunSet - I'm only rejecting this for the time being to unlock the question.  You may have the answer, but I had hoped to avoid installing gcc and going through all that hassle, but it may be the right answer - I'll continue pursuing it.

A few questions about your ipchains lines...

Obviously, I need a lot more for the normal services, but I do have the basics pretty well working.

How does mident know what win box to forward the ident request to?  I've seen some counsel against opening 113 - I assume mident isn't willing to give up much?  (I haven't studied the code yet.)  Once I face the hassle of downloading and installing the compiler I'll probably just compile my own ident spoofer which will make this question moot, but in case I don't....

I have a similar issue with the DCC.  I'm successfully masquerading my Win boxes to the outside which is fine for outgoing connections.  BUT, for DCC, someone outside will make an inbound connection.  How does it know which win box to connect to?
0
 
jjmcdAuthor Commented:
Magician (and other readers).  I did try the web page, and it produces a very nice looking script that works about 90%.  However, it doesn't deal with the IRC nasties of ident and inbound DCC.  One thing it does, and I'm not so sure is a good idea, is limits outbound connects.  If I had a PIII on the LAN I may think differently about that, however :-))

jlevie - still wading theough the dox.  That is obviously the most time consuming of the suggestions but probably the one most likely to bear fruit.
0
 
jjmcdAuthor Commented:
OK, I have the mident working which has solved the one problem, so now I need to focus on DCC - and BlackSunset - I answered my own question about midentd.

It's already Sunday, and my calendar for the coming week looks pretty bad, so I won't likely make much progress until next weekend, but I'm still looking for ideas on DCC.

What happens is this - if I try to initiate a DCC, my client sends my IP to the other client via the IRC server.  He receives my request and initiates a connection directly back to me on port 13xx.  The firewall receives this connect, but has no idea which LAN client to blame it on.  Any ideas?
0
 
jjmcdAuthor Commented:
Black Sunset - please repost your answer.  I'm apparently not going to learn how to fix DCC but you at least got me squared away with midentd &c so you get da points
0
 
BlackSunSetCommented:
Whell I been doing lots of firewall setups so if you want to have good security rules with ipchains then use
                   this setup, and also make user you have ident server with masq support like mident on the server and all
                   linux client

                   --Eth0= This is the Network Card with Internet Access (static or dynamic from dhcp server, etc), or other
                   pipeline like ppp0 and coresponding ip with it.

                   IPCHAINS -A input -p tcp -i eth0 -s 0/0 1024:65535 -d (IP of Eth0)/32 113 -j ACCEPT
                   IPCHAINS -A input -p tcp -i eth0 -s 0/0 113 -d 0/0 1024:65535 -j ACCEPT
                   IPCHAINS -A output -p tcp -i eth0 -s (IP of Eth0)/32 1024:65535 -d 0/0 113 -j ACCEPT
                   IPCHAINS -A output -p tcp -i eth0 -s (IP of Eth0)/32 113 -d 0/0 1024:65535 -j ACCEPT

                   For IRC DCC use ip_masq_irc module like Nick mentioned above
                   insmod ip_masq_irc ports=6662,6666,6667,6668,1024,1025,......


for future help icq me 314701
Bye
0
 
BlackSunSetCommented:
some point be good, haha
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 6
  • 3
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now