ipchains and IRC

jjmcd asked:

OK, I *finally* got my Linux box on the network, got ipchains working so my local Windoze machines can get to the network, and buttoned up all the ports I can think of.

Now the question is, how do I tell ipchains to allow connections for DCC and ident?  Seems like both of these have the same problem - it's an (almost) unsolicited connection to an inside the firewall machine.
jlevie:

Well, in this context it isn't an "unsolicited" connection. You do something from an inside system that causes the remote to request your "ident" daemon to respond. This in turn means that the remote has to open a connection to your system to talk to the ident daemon. There are a number of other applications that do similar things, needing to open inbound connections on ports/protocols other than those ports/protocols already opened for the outbound connection.

"ident" is a TCP protocol on port 113, so you'd add a rule to ipchains that allows any host to connect inbound on that protocol & port. Something (I'm doing this from memory, so check the man pages and/or "IPChains How-To") like an "ipchains -A input -p tcp -s 0/0 -d 0/0 113 -j ACCEPT" rule.

You'll need similar rules for any other services that need to open an inbound connection.
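The ident exchange jlevie describes, as an added example written for this thread (not mident's code or anything from the original posts): the IRC server opens a TCP connection to port 113 on the gateway and sends "server-port , client-port", where server-port is the masqueraded source port it sees from the gateway and client-port is its own port. The responder below parses that request, looks the pair up in a constructed stand-in for the kernel masquerade table, and answers with a fixed generic user name, so nothing about the inside host, its address or its real user is disclosed. The addresses, ports and table contents are assumptions for the demonstration.

```python
"""Minimal RFC 1413 (ident) responder logic for a masquerading gateway.

Example code for this thread, not a real daemon.  MASQ_TABLE is a
constructed stand-in for what a 2.2 kernel shows in /proc/net/ip_masquerade:
(port on the gateway, remote host, remote port) -> inside host.
"""
import re
import socketserver

IDENT_PORT = 113          # TCP port an ident server listens on
MAX_REQUEST_LEN = 1000    # RFC 1413 caps the request line at 1000 characters
REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

# Constructed masquerade table: two inside boxes on IRC through the gateway.
MASQ_TABLE = {
    (61001, "192.0.2.10", 6667): "10.0.0.5",   # Windows box #1 -> IRC server
    (61002, "192.0.2.10", 6667): "10.0.0.6",   # Windows box #2 -> IRC server
}


def parse_ident_request(line: str):
    """Return (server_port, client_port) or None for a malformed request.

    server_port is the port on *this* host (the masqueraded source port the
    IRC server sees); client_port is the port on the querying host.
    """
    if len(line) > MAX_REQUEST_LEN:
        return None
    m = REQUEST_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    sport, cport = int(m.group(1)), int(m.group(2))
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return None
    return sport, cport


def ident_reply(line: str, peer_ip: str, masq_table=MASQ_TABLE, user="irc") -> str:
    """Build the RFC 1413 reply for one request arriving from peer_ip.

    Only a connection that really exists in the masquerade table, and was
    made to the host now asking, gets a USERID answer; the answer is a
    fixed generic name, never the inside host, its private address or its
    real user.  Anything else gets an ERROR reply.
    """
    parsed = parse_ident_request(line)
    if parsed is None:
        return "0, 0 : ERROR : INVALID-PORT\r\n"
    sport, cport = parsed
    if (sport, peer_ip, cport) not in masq_table:
        return f"{sport}, {cport} : ERROR : NO-USER\r\n"
    return f"{sport}, {cport} : USERID : UNIX : {user}\r\n"


class IdentHandler(socketserver.StreamRequestHandler):
    """One request line per connection, as the protocol expects."""

    def handle(self):
        raw = self.rfile.readline(MAX_REQUEST_LEN + 2)
        line = raw.decode("ascii", "replace")
        self.wfile.write(ident_reply(line, self.client_address[0]).encode("ascii"))


if __name__ == "__main__":
    # Binding port 113 needs root; a real gateway would read the live
    # masquerade table instead of the constructed MASQ_TABLE above.
    with socketserver.TCPServer(("0.0.0.0", IDENT_PORT), IdentHandler) as srv:
        srv.serve_forever()
```

The point of keying the lookup on the peer's address as well as the two ports is that only the host that actually holds the other end of the masqueraded connection can get a USERID answer; any other host probing port 113 learns nothing beyond NO-USER.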
jjmcd (asker):

Easy enough to accept inbounds on 113, but then they need to be passed back to the local host which initiated the original connection.  That's the part that's got me stumped.
jlevie:

Oh, it wasn't apparent to me from the question that you were also running IP Masquerade.

You have to set up port forwarding, which means the kernel has to have IPPORTFW enabled at compile time. Then you add a rule that forwards the inbound request on the port of interest to an internal host. Exactly what the rule looks like depends on how everything is set up and what kernel you have. For instance, if the external IP is a static address and you're using a 2.2.x kernel you'd have something like:

/usr/sbin/ipmasqadm portfw -f
/usr/sbin/ipmasqadm portfw -a -P tcp -L ext-IP-addr 113 -R inside-IP-addr 113

in your firewall init script.

There's a good discussion of Forwarding in the "IPMasquerade How-To" (www.redhat.com/mirrors/LDP/HOWTO/IP-Masquerade-HOWTO-6.html) and more information in section 10 & 11 of the Trinity-OS notes (www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri). You really need to look at those docs as there can be quite a bit of variation in what the commands need to be.
Magician:

I don't know if this actually works, but the firewall setup was too complicated for me to do on my own.

http://linux-firewall-tools.com/linux/firewall/index.html

This will write the script for you, and it has an option for IRC.

Follow the directions, copy and paste the text in a text file, and install the firewall.

Do this only from the Linux box!!!  The Wintel boxes will make the text formatting funny (not work correctly) in the Linux box.

Hope this helps.
**Phew** I got this all running by luck, it seems. Keep it up, guys, I am learning what I did!

Nick
jjmcd (asker):

I'll just post a quick note to let you know I'm following, but it looks like it will be the weekend before I do much.  jlevie's references look promising, but I couldn't find a text or PostScript version and wading through the HTML is slow, so I didn't get too far there.  I couldn't find the IP Masquerading HOWTO on my CD and the Firewall and ipchains HOWTOs weren't all that helpful in this regard.  I'm continuing to spend my evenings buttoning up holes that my log exposes.  Well, not so much buttoning up as eliminating noise from the log so I can focus on the many suspicious entries.
Hi,
Do you use the ip_masq_irc kernel module???
BlackSunSet:

Well, I've been doing lots of firewall setups, so if you want to have good security rules with ipchains then use this setup, and also make sure you have an ident server with masq support, like mident, on the server and all Linux clients.

eth0 = the network card with Internet access (static or dynamic address from a DHCP server, etc.), or another link like ppp0, and the corresponding IP address on it. Set EXT_IP to that address before loading the rules.

# inbound ident queries from anywhere to our ident daemon on 113
ipchains -A input  -p tcp -i eth0 -s 0/0 1024:65535 -d $EXT_IP/32 113 -j ACCEPT
# replies from remote ident daemons to queries we sent; "! -y" = no new (SYN) connections
ipchains -A input  -p tcp -i eth0 ! -y -s 0/0 113 -d 0/0 1024:65535 -j ACCEPT
# our own outbound ident queries
ipchains -A output -p tcp -i eth0 -s $EXT_IP/32 1024:65535 -d 0/0 113 -j ACCEPT
# our ident daemon's replies to inbound queries
ipchains -A output -p tcp -i eth0 -s $EXT_IP/32 113 -d 0/0 1024:65535 -j ACCEPT

For IRC DCC use the ip_masq_irc module, like Nick mentioned above:
insmod ip_masq_irc ports=6662,6666,6667,6668,1024,1025,......
jjmcd (asker):

BlackSunSet - I'm only rejecting this for the time being to unlock the question.  You may have the answer, but I had hoped to avoid installing gcc and going through all that hassle, but it may be the right answer - I'll continue pursuing it.

A few questions about your ipchains lines...

Obviously, I need a lot more for the normal services, but I do have the basics pretty well working.

How does mident know what win box to forward the ident request to?  I've seen some counsel against opening 113 - I assume mident isn't willing to give up much?  (I haven't studied the code yet.)  Once I face the hassle of downloading and installing the compiler I'll probably just compile my own ident spoofer which will make this question moot, but in case I don't....

I have a similar issue with the DCC.  I'm successfully masquerading my Win boxes to the outside which is fine for outgoing connections.  BUT, for DCC, someone outside will make an inbound connection.  How does it know which win box to connect to?
jjmcd (asker):

Magician (and other readers).  I did try the web page, and it produces a very nice looking script that works about 90%.  However, it doesn't deal with the IRC nasties of ident and inbound DCC.  One thing it does, and I'm not so sure is a good idea, is limits outbound connects.  If I had a PIII on the LAN I may think differently about that, however :-))

jlevie - still wading through the docs. That is obviously the most time consuming of the suggestions but probably the one most likely to bear fruit.
jjmcd (asker):

OK, I have the mident working which has solved the one problem, so now I need to focus on DCC - and BlackSunset - I answered my own question about midentd.

It's already Sunday, and my calendar for the coming week looks pretty bad, so I won't likely make much progress until next weekend, but I'm still looking for ideas on DCC.

What happens is this - if I try to initiate a DCC, my client sends my IP to the other client via the IRC server.  He receives my request and initiates a connection directly back to me on port 13xx.  The firewall receives this connect, but has no idea which LAN client to blame it on.  Any ideas?
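What the asker describes here is exactly the job of the ip_masq_irc module BlackSunSet recommends above. The DCC request travels inside a CTCP message as "DCC SEND <file> <ip> <port> [size]" (or "DCC CHAT chat <ip> <port>"), with the address written as a decimal 32-bit number, so the peer connects to whatever address and port the message advertises. A masquerading gateway therefore has to do two things: rewrite the private address and port in the text to its own external address and a port it controls, and install a forwarding entry so the inbound connection on that port reaches the LAN box that sent the request. The following is an added example written for this thread, not the kernel module's code; the addresses, the PRIVMSG line and the chosen masquerade port are constructed.

```python
"""DCC address rewriting as a masquerading gateway must do it.

Example code for this thread, not ip_masq_irc itself.  The IRC line and
all addresses below are constructed for the demonstration.
"""
import ipaddress
import re
import socket
import struct

# CTCP DCC request: \x01DCC SEND|CHAT <arg> <ip as decimal long> <port> [size]\x01
DCC_RE = re.compile(r"\x01DCC (SEND|CHAT) (\S+) (\d{1,10}) (\d{1,5})((?: \d+)?)\x01")


def ip_to_long(ip: str) -> int:
    """Dotted quad -> the decimal form DCC puts on the wire (network byte order)."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def long_to_ip(n: int) -> str:
    """Decimal DCC address -> dotted quad."""
    return socket.inet_ntoa(struct.pack("!I", n))


def parse_dcc(line: str):
    """Pull the DCC request out of one IRC line, or return None if there is none."""
    m = DCC_RE.search(line)
    if m is None:
        return None
    n, port = int(m.group(3)), int(m.group(4))
    if n > 0xFFFFFFFF or not 1 <= port <= 65535:
        return None
    return {
        "kind": m.group(1),
        "arg": m.group(2),
        "ip": long_to_ip(n),
        "port": port,
        "extra": m.group(5),   # " <size>" for SEND, empty for CHAT
        "span": m.span(),      # where the CTCP blob sits in the line
    }


def masquerade_dcc(line: str, inside_net: str, ext_ip: str, masq_port: int):
    """Rewrite a DCC request sent by a LAN client so the peer connects to us.

    Returns (new_line, forward) where forward is
    (masq_port, inside_ip, inside_port): the entry the gateway must install
    so that an inbound connection to ext_ip:masq_port is handed to the
    inside client listening on inside_ip:inside_port.  Lines without a DCC
    request, or with an address outside inside_net, pass through unchanged
    with forward=None (a spoofed private address from outside gets nothing).
    """
    dcc = parse_dcc(line)
    if dcc is None or ipaddress.ip_address(dcc["ip"]) not in ipaddress.ip_network(inside_net):
        return line, None
    start, end = dcc["span"]
    rewritten = f"\x01DCC {dcc['kind']} {dcc['arg']} {ip_to_long(ext_ip)} {masq_port}{dcc['extra']}\x01"
    # The text length changes, so a real in-kernel helper must also fix up
    # TCP sequence numbers on the connection; that part is not shown here.
    new_line = line[:start] + rewritten + line[end:]
    return new_line, (masq_port, dcc["ip"], dcc["port"])


if __name__ == "__main__":
    # Constructed: inside box 10.0.0.5 offers a file and listens on 1337.
    sample = "PRIVMSG bob :\x01DCC SEND secrets.txt 167772165 1337 4096\x01\r\n"
    out, fwd = masquerade_dcc(sample, "10.0.0.0/24", "203.0.113.9", 61005)
    print(out.strip())
    print("forward ext port %d -> %s:%d" % fwd)
```

The forwarding entry is what answers the "which LAN box?" question: the gateway knows at rewrite time which inside client wrote the request, so it can bind the advertised port to that client before the remote ever connects. The entry is only useful while the transfer is pending, so a real helper lets it expire; leaving such ports forwarded permanently would re-create the open-port problem the rest of the thread is trying to avoid.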
jjmcd (asker):

Black Sunset - please repost your answer.  I'm apparently not going to learn how to fix DCC but you at least got me squared away with midentd &c so you get da points
BlackSunSet:

Well, I've been doing lots of firewall setups, so if you want to have good security rules with ipchains then use this setup, and also make sure you have an ident server with masq support, like mident, on the server and all Linux clients.

eth0 = the network card with Internet access (static or dynamic address from a DHCP server, etc.), or another link like ppp0, and the corresponding IP address on it. Set EXT_IP to that address before loading the rules.

# inbound ident queries from anywhere to our ident daemon on 113
ipchains -A input  -p tcp -i eth0 -s 0/0 1024:65535 -d $EXT_IP/32 113 -j ACCEPT
# replies from remote ident daemons to queries we sent; "! -y" = no new (SYN) connections
ipchains -A input  -p tcp -i eth0 ! -y -s 0/0 113 -d 0/0 1024:65535 -j ACCEPT
# our own outbound ident queries
ipchains -A output -p tcp -i eth0 -s $EXT_IP/32 1024:65535 -d 0/0 113 -j ACCEPT
# our ident daemon's replies to inbound queries
ipchains -A output -p tcp -i eth0 -s $EXT_IP/32 113 -d 0/0 1024:65535 -j ACCEPT

For IRC DCC use the ip_masq_irc module, like Nick mentioned above:
insmod ip_masq_irc ports=6662,6666,6667,6668,1024,1025,......


for future help icq me 314701
Bye
ASKER CERTIFIED SOLUTION: BlackSunSet