
X and firewall+ipchains

dryzone asked:
I have a firewall running Ipchains with eth1 to the internet and eth0 to my internal network to be secured.
I need to run X on my firewall as I want to use it for system monitoring.
I have all ports closed and masquerade all traffic to the web.
I cannot manage to shut down X (6000) on eth1 without shutting down Port 6000 on eth0 also. This is a problem since the following IPCHAINS command is supposed to only shut down X availability on eth1. I need to be able to have X working on eth0.

$IPC -A input -p tcp -s 0/0 -d 0/0 6000:6010 -i eth1 -j $STOP -l
$IPC -A input -p udp -s 0/0 -d 0/0 6000:6010 -i eth1 -j $STOP -l

If I run a portscanner against the two networks, say 68.67.65.64 (eth1), then port 6000 should be closed; if I run a portscanner against 192.191.190.189 (eth0), then I should see X (6000) open.

Is there ANY way I can do this with ipchains? Or do I misunderstand the chain above?


CERTIFIED EXPERT

Commented:
# X clients connect to the server's port 6000-6010, so the port range belongs to the destination, not the source
ipchains -A input -p tcp -i eth1 -s ! 192.191.190.189 -d 0.0.0.0/0 6000:6010 -j DROP
# same for udp

Author

Commented:
ahoffmann, do you never sleep or do you follow me around?
I'm getting paranoid.

So you say that this should close the X port on eth1 but still allow X transactions on eth0.
I'll try it and come back to you.

Author

Commented:
ipchains -A input -p tcp -i eth1 -s ! U.V.W.X -d 0.0.0.0/0 6000:6010 -j DROP

I get the following error message:
ipchains: No target by that name

I think that ipchains refer to U.V.W.X my external IP address. I cannot figure out where ipchains looks for the "target" details.  I do not have my external IP address in my /etc/hosts file as I feel it is safer to do so when masquerading the internal network. Maybe it looks in /etc/hosts, I cannot see why it should?
CERTIFIED EXPERT

Commented:
oops, should be DENY instead of DROP, sorry.

Author

Commented:
No, ipchains accepts the command but the port remains open.
What I need is: if I run nmap against the external IP @ eth1, it should show port 6000 closed or non-existent.
If I run nmap against the internal IP @ eth0 I should get the port 6000 open.
The curious thing is when I run the command as in my problem definition, then port 6000 is closed on both interfaces eth1 and eth0, which is a bit strange.

Author

Commented:
Does anybody think that this is possible at all?
Port 6000 remains open. There does not seem to be a way to deny a service on one interface but not the other.
CERTIFIED EXPERT

Commented:
do you have a rule which accepts before the DENY 6000 rule is checked?

Author

Commented:
Accepts what? Port 6000? Or accept e.g. ANY?
CERTIFIED EXPERT

Commented:
Accept e.g.ANY
ipchains checks rules in sequence as you see it with
   ipchains -nL
if there is any rule matching, before it comes to the port 6000, the algorithm uses that rule.
You may check by inserting the port 6000 DENY rule as first one.

Author

Commented:
To ahoffmann
I am still looking into this, I had to go to Potsdam for a week so I could not tend to this.
Will look into it this week.
Apologies for the delay.

Author

Commented:
To ahoffmann
The easiest is that I give you the ipchains list (ipchains -L).
Just tell me where to insert the necessary chains, as this problem persists.
It is quite strange to me that it is so difficult to deny services on one interface and allow them on the other. It seems that ipchains has never been designed to be "generic" with interfaces. It also has a curious preference for eth0... it must be the internal network for some reason.

Anyway here is the output.


Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     icmp ------  anywhere             200.90.223.0/24       echo-request
ACCEPT     icmp ------  anywhere             200.90.223.0/24       echo-reply
REJECT     udp  ----l-  anywhere             200.90.223.0/24       any ->   33434
REJECT     icmp ----l-  anywhere             200.90.223.0/24       destination-unreachable
REJECT     icmp ----l-  anywhere             200.90.223.0/24       host-unreachable
REJECT     icmp ----l-  anywhere             200.90.223.0/24       timestamp-request
REJECT     icmp ----l-  anywhere             200.90.223.0/24       timestamp-reply
REJECT     icmp ----l-  anywhere             200.90.223.0/24       address-mask-request
REJECT     icmp ----l-  anywhere             200.90.223.0/24       address-mask-reply
REJECT     icmp ----l-  anywhere             200.90.223.0/24       redirect
ACCEPT     icmp ----l-  anywhere             200.90.223.0/24       source-quench
ACCEPT     all  ------  192.168.1.0/24       anywhere              n/a
DENY       all  ------  127.0.0.0/8          200.90.223.0/24       n/a
DENY       all  ------  128.66.0.0/16        200.90.223.0/24       n/a
DENY       all  ------  172.16.0.0/12        200.90.223.0/24       n/a
DENY       all  ------  192.168.0.0/16       200.90.223.0/24       n/a
DENY       all  ------  197.0.0.0/16         200.90.223.0/24       n/a
DENY       all  ------  201.0.0.0/8          200.90.223.0/24       n/a
DENY       tcp  ----l-  anywhere             200.90.223.0/24       any ->   31337
DENY       udp  ----l-  anywhere             200.90.223.0/24       any ->   31337
DENY       tcp  ----l-  anywhere             200.90.223.0/24       any ->   12345:12346
DENY       udp  ----l-  anywhere             200.90.223.0/24       any ->   12345:12346
DENY       tcp  ----l-  anywhere             200.90.223.0/24       any ->   ingreslock
DENY       tcp  ----l-  anywhere             200.90.223.0/24       any ->   27665
DENY       udp  ----l-  anywhere             200.90.223.0/24       any ->   27444
DENY       udp  ----l-  anywhere             200.90.223.0/24       any ->   31335
DENY       all  ----l-  BASE-ADDRESS.MCAST.NET/8 anywhere              n/a
DENY       all  ----l-  anywhere             BASE-ADDRESS.MCAST.NET/8  n/a
DENY       tcp  ----l-  anywhere             anywhere              any ->   2049
DENY       udp  ----l-  anywhere             anywhere              any ->   nfsd
REJECT     tcp  ----l-  anywhere             anywhere              any ->   netbios-ns:netbios-ssn
REJECT     udp  ----l-  anywhere             anywhere              any ->   netbios-ns:netbios-ssn
REJECT     tcp  ----l-  anywhere             anywhere              any ->   445
REJECT     udp  ----l-  anywhere             anywhere              any ->   445
ACCEPT     tcp  !y----  anywhere             200.90.223.0/24       any ->   1023:65535
ACCEPT     udp  ------  anywhere             200.90.223.0/24       any ->   1023:65535
DENY       all  ----l-  anywhere             anywhere              n/a
Chain forward (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  192.168.1.0/24       192.168.1.0/24        n/a
MASQ       all  ------  192.168.1.0/24       anywhere              n/a
Chain output (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     all  ------  192.168.1.0/24       anywhere              n/a
ACCEPT     icmp ------  192.168.1.0/24       anywhere              any ->   any
ACCEPT     icmp ------  200.90.223.0/24      anywhere              any ->   any
ACCEPT     all  ------  anywhere             anywhere              n/a
CERTIFIED EXPERT

Commented:
this listing is not very helpful, unfortunately
Could you please post the result of:
    ipchains -nL -v

Author

Commented:


Chain input (policy ACCEPT: 33 packets, 2089 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
  12M  528M ACCEPT     all  ------ 0xFF 0x00  lo                             0.0.0.0/0            0.0.0.0/0             n/a
   50  6764 ACCEPT     icmp ------ 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       8 ->   *
   15  1260 ACCEPT     icmp ------ 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       0 ->   *
    0     0 REJECT     udp  ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       * ->   33434
  258 24458 REJECT     icmp ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       3 ->   *
    0     0 REJECT     icmp ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       3 ->   1
    0     0 REJECT     icmp ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       13 ->   *
    0     0 REJECT     icmp ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       14 ->   *
    0     0 REJECT     icmp ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       17 ->   *
    0     0 REJECT     icmp ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       18 ->   *
    0     0 REJECT     icmp ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       5 ->   *
    0     0 ACCEPT     icmp ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       4 ->   *
  18M 2647M ACCEPT     all  ------ 0xFF 0x00  *                              192.168.1.0/24       0.0.0.0/0             n/a
    0     0 DENY       all  ------ 0xFF 0x00  eth1                           127.0.0.0/8          200.121.10.0/24       n/a
    0     0 DENY       all  ------ 0xFF 0x00  eth1                           128.66.0.0/16        200.121.10.0/24       n/a
    3   234 DENY       all  ------ 0xFF 0x00  eth1                           172.16.0.0/12        200.121.10.0/24       n/a
    0     0 DENY       all  ------ 0xFF 0x00  eth1                           192.168.0.0/16       200.121.10.0/24       n/a
    0     0 DENY       all  ------ 0xFF 0x00  eth1                           197.0.0.0/16         200.121.10.0/24       n/a
    0     0 DENY       all  ------ 0xFF 0x00  eth1                           201.0.0.0/8          200.121.10.0/24       n/a
    0     0 DENY       tcp  ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       * ->   31337
    0     0 DENY       udp  ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       * ->   31337
    0     0 DENY       tcp  ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       * ->   12345:12346
    0     0 DENY       udp  ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       * ->   12345:12346
    0     0 DENY       tcp  ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       * ->   1524
    0     0 DENY       tcp  ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       * ->   27665
    0     0 DENY       udp  ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       * ->   27444
    0     0 DENY       udp  ----l- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       * ->   31335
    0     0 DENY       all  ----l- 0xFF 0x00  *                              224.0.0.0/8          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  *                              0.0.0.0/0            224.0.0.0/8           n/a
    0     0 DENY       tcp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0            0.0.0.0/0             * ->   2049
    1   138 DENY       udp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0            0.0.0.0/0             * ->   2049
    0     0 REJECT     tcp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0            0.0.0.0/0             * ->   137:139
  310 31333 REJECT     udp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0            0.0.0.0/0             * ->   137:139
    0     0 REJECT     tcp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0            0.0.0.0/0             * ->   445
    0     0 REJECT     udp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0            0.0.0.0/0             * ->   445
 738K  506M ACCEPT     tcp  !y---- 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       * ->   1023:65535
92402   13M ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0            200.121.10.0/24       * ->   1023:65535
 5435  320K DENY       all  ----l- 0xFF 0x00  *                              0.0.0.0/0            0.0.0.0/0             n/a
Chain forward (policy DENY: 8 packets, 424 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                              192.168.1.0/24       192.168.1.0/24        n/a
1136K  130M MASQ       all  ------ 0xFF 0x00  *                              192.168.1.0/24       0.0.0.0/0             n/a
Chain output (policy ACCEPT: 20 packets, 1400 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
  12M  528M ACCEPT     all  ------ 0xFF 0x00  lo                             0.0.0.0/0            0.0.0.0/0             n/a
  16M  702M ACCEPT     all  ------ 0xFF 0x00  *                              192.168.1.0/24       0.0.0.0/0             n/a
    0     0 ACCEPT     icmp ------ 0xFF 0x00  *                              192.168.1.0/24       0.0.0.0/0             * ->   *
 1063  268K ACCEPT     icmp ------ 0xFF 0x00  *                              200.121.10.0/24      0.0.0.0/0             * ->   *
1969K  649M ACCEPT     all  ------ 0xFF 0x00  *                              0.0.0.0/0            0.0.0.0/0             n/a
CERTIFIED EXPERT

Commented:
ipchains -I input 4  -p tcp -i eth0 -s u.v.w.x/24 -d 0.0.0.0/0 6000:6010 -j ACCEPT
ipchains -I output 1 -p tcp -i eth0 -s 0.0.0.0/0 6000:6010 -d u.v.w.x/24 -j ACCEPT

# where u.v.w.x/24 is your network address for the LAN (adjust the mask to your network)
# the port range is the X server's port: destination on input, source on the replies in output
# and assuming that the rules are in order of your last posting

Author

Commented:
No, it already accepts X on eth0.
The problem is that it also accepts X connections on eth1 (web side), which I do not want. If I run nmap against eth1, I get X as OPEN; I want it to disappear on eth1, but be allowed on eth0.
CERTIFIED EXPERT

Commented:
ok then add also

# 0.0.0.0/0 matches any address; a bare 0.0.0.0 would match only that single host
ipchains -I input 4  -p tcp -i eth1 -d 0.0.0.0/0 6000:6010 -j DENY
ipchains -I output 1 -p tcp -i eth1 -s 0.0.0.0/0 6000:6010 -j DENY

Author

Commented:
I will try this again for good luck, but previously it refused to work.

Is there a specific place they should be inserted?
CERTIFIED EXPERT

Commented:
keep in mind that you use the last 4 ipchains commands!

> Is there a specific place they should be inserted?
yes and no, depends.
If you use it as I posted *and* your table is looking like your (last) posting here, it should be ok. Otherwise you need to make sure that no other rule matches before.

You may check the current rule number with:

   ipchains -nL --line-numbers

Author

Commented:
I tried everything you suggested,
nmap still reports X11 as open - crazy!!!


Starting nmap V. 2.54BETA2 ( www.insecure.org/nmap/ )
 Interesting ports on localhost (127.0.0.1):
(The 1529 ports scanned but not shown below are in state: closed)
Port       State       Service
6000/tcp   open        X11                    

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3309706 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.16

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
CERTIFIED EXPERT
Commented:
that's ok, 'cause you're scanning your own machine ;-)
The firewall (ipchains) is a packet filter which is configured for eth0 and eth1 but not for lo (in your case).
If you want to use nmap to check your firewall, you need to run it from a host **in front** of the firewall.
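
A first-match simulation of the posted input chain, added here as an illustration and not part of the thread or of ipchains itself. The Rule class, the reduced chain, and the hosts 200.121.10.5 and 198.51.100.7 are constructed for the demo, and it assumes an X11 probe is a TCP SYN to port 6000. It shows the two points made above: a scan run on the firewall itself hits the lo rule first, and an eth1 DENY only fires when it sits before the broad ACCEPT rules (ahoffmann's rule-order remark), while a LAN client on eth0 is still accepted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    target: str                               # ACCEPT, DENY or REJECT
    proto: str = "all"                        # all, tcp, udp or icmp
    iface: Optional[str] = None               # None = any interface ("*" in ipchains -v)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Optional[Tuple[int, int]] = None  # inclusive destination port range, None = any
    syn: Optional[bool] = None                # True = -y (SYN only), False = ! -y (non-SYN only)

    def matches(self, pkt: dict) -> bool:
        if self.proto != "all" and self.proto != pkt["proto"]:
            return False
        if self.iface is not None and self.iface != pkt["iface"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports and not self.dports[0] <= pkt.get("dport", -1) <= self.dports[1]:
            return False
        if self.syn is not None and self.syn != pkt.get("syn", False):
            return False
        return True

def evaluate(chain, policy, pkt):
    """ipchains semantics: the first matching rule decides, otherwise the chain policy.
    Returns (target, 1-based rule number); rule number 0 means the policy was used."""
    for number, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return rule.target, number
    return policy, 0

# Constructed subset of the posted input chain. Rule 1 is the lo rule that plain `ipchains -L`
# printed as "ACCEPT all anywhere anywhere"; the X11 DENY is inserted before the catch-alls.
INPUT_CHAIN = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", src="192.168.1.0/24"),
    Rule("DENY", proto="tcp", iface="eth1", dports=(6000, 6010)),
    Rule("ACCEPT", proto="tcp", dst="200.121.10.0/24", dports=(1023, 65535), syn=False),
    Rule("DENY"),
]
# The same DENY appended with -A after a broad ACCEPT: it can never fire.
MISORDERED_CHAIN = [Rule("ACCEPT", iface="lo"), Rule("ACCEPT"),
                    Rule("DENY", proto="tcp", iface="eth1", dports=(6000, 6010))]

def probe_x11(iface, src, dst, chain=INPUT_CHAIN):
    """A TCP SYN to port 6000 arriving on `iface`, as an nmap SYN scan sends it."""
    pkt = {"proto": "tcp", "iface": iface, "src": src, "dst": dst, "dport": 6000, "syn": True}
    return evaluate(chain, "ACCEPT", pkt)

if __name__ == "__main__":
    # Scan run on the firewall against its own external address is delivered over lo,
    # so rule 1 accepts and nmap reports the port open (addresses are constructed).
    print("via lo  :", probe_x11("lo", "200.121.10.5", "200.121.10.5"))
    print("via eth1:", probe_x11("eth1", "198.51.100.7", "200.121.10.5"))
    print("via eth0:", probe_x11("eth0", "192.168.1.5", "192.168.1.1"))
    print("appended:", probe_x11("eth1", "198.51.100.7", "200.121.10.5", MISORDERED_CHAIN))
```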

Author

Commented:
So, if I understand you right I have been looped into lo all the time where I would be shown X11 or any other port open if EITHER of eth1 or eth0 open? Yeah I guess you are right.

Just tried it through my dialup and you are right
nmap  -sS -p 6000-6010 -O -f 20X.9X.2XY.ZV
reported

Starting nmap V. 2.54BETA2 ( www.insecure.org/nmap/ )
 Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds

So my firewall has been completely stealthed all the time and I did nothing wrong with ipchains.......(x-fingers).
DSL reports me as a 0 and GRC can get daylight out of my firewall, but this port 6000 which always remained open baffled me. Ok, so it is my misinterpretation; I would have thought that if you portscan your external interface, Linux would be clever enough not to route to lo. What you are telling me now is that EVERYTHING nmap does goes through lo!!?
Anyway you solved the problem and I expected too much from nmap... they could inform users of the fact that they do not distinguish between lo, eth1 and eth0. Right, it is also stupid not to test outside your firewall.
Thanks, and if you want to solve my apache problem.....
look at http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=linuxprog&qid=20192574 for about 100 points.
Usually with Linux (actually always) the trouble is my own doing, but apache authentication has been screwing me around for a long time. I will give you the points for this job (200) when you respond and have checked my nmap setting stated and agree on the outcome of the dialup nmap test. Anyway you get the points regardless, but I just want you to check, as security... is serious (ask my previous employer who attempted to hack into my system... therefore the X paranoia).

Regards
CERTIFIED EXPERT

Commented:
> I would have thought that if you portscan your external interface that linux would be clever enough not to route to lo.

Don't intermix Linux with nmap.
In your situation *and* the view you use, nmap is the culprit, not Linux. Or let's say it: user error.
Just read man nmap and look at the -e and -S options and the host argument ;-)

> What you are telling me now is that EVERYTHING nmap does goes through lo!!?

No. If you do not specify the interface it detects it automatically, and AFAIK if you do not specify the host it uses localhost. I'm not sure about that, needs to be tested ..

Author

Commented:
You can use any of the 3 interface IPs.... the results remain the same...
I do not think nmap developers would be that stupid if the kernel did not make it very difficult. I found several difficulties with other different software. They cannot all be wrong.
Try switching eth0--eth1 in ipchains,
then swap the IPs for the kernel for these two interfaces
and switch the network cables around... should just continue to work, right?

No, suddenly your firewall doesn't work... masquerading breaks and other things... why...? There must be a preference in the kernel relating ONLY to eth0 or a preference towards eth0 for some processes. That can only be the kernel, as ipchains has no preference for eth0 or its IP or eth1 or its IP.
CERTIFIED EXPERT

Commented:
> You can use any of the 3 interface IPs..

Well agreed. I think that the -e option just tells nmap to go "out" that interface; the kernel then realizes that it can shorten the path, and therefore circumvents the packet filter ...

So, nmap on external host.
