Firewall problems using ipchains

Post by Bill Davids » Tue, 03 Nov 1998 04:00:00

I have been trying to convert a firewall from ipfwadm to ipchains, and
am having no luck at all in getting the proper behaviour. I am
suspicious that there is a bug, because I don't see any problem in the
simple setup.

The config is a firewall connected through a dialup via PPP to a
three-bit subnet of fixed addresses, and some 192.168.x.x hosts to be
supported via masquerade. I have totally removed the private net and
physically removed the NIC to avoid complexity.

I want all packets arriving at the firewall for the visible subnet to be
forwarded, except the packets for the telnet port. Therefore I set the
forwarding policy to DENY, then explicitly denied packets to any of the
subnet addresses.

       <<PPP>>                   <<10base2>>
(ISP)================(firewall)================(subnet)
199.4.52.6   199.4.52.7      199.4.52.206       199.4.52.200..207

At this point I can happily telnet into 199.4.52.206 from the outside;
packets for another IP on the firewall now seem to totally bypass the
chains... So I tried another hack: I deny all packets to the subnet's
telnet port on interface ppp0 (you can check the wide, detailed listing
for that). I guess input drop doesn't work either; I can still telnet to
the 206 NIC of the firewall.

More info after the two listings...

================ Fig 1, ipchains listing
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       tcp  ------  0.0.0.0/0             199.4.52.200/30      * ->   23
Chain forward (policy DENY):
DENY       tcp  ------  0.0.0.0/0             199.4.52.200/30      * ->   23
ACCEPT     all  ------  0.0.0.0/0             199.4.52.200/30      n/a
ACCEPT     all  ------  199.4.52.200/30      0.0.0.0/0             n/a
Chain output (policy ACCEPT):

================ Fig 2, ipchains with detail
Chain input (policy ACCEPT: 33923 packets, 8797916 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
    0     0 DENY       tcp  ------ 0xFF 0x00  ppp0                           0.0.0.0/0             199.4.52.200/30      * ->   23
Chain forward (policy DENY: 0 packets, 0 bytes):
    0     0 DENY       tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             199.4.52.200/30      * ->   23
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                              0.0.0.0/0             199.4.52.200/30      n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                              199.4.52.200/30      0.0.0.0/0             n/a
Chain output (policy ACCEPT: 34589 packets, 5281335 bytes):

I note that the forward chain doesn't have any counts, which increases
my suspicion that the kernel is leaking packets between interfaces
without going through the chains.

This kernel is 2.1.106p4; I tried 2.1.125 without any additional luck,
and this kernel has been too stable to upgrade unless a new one works
better.

Is this ipchains stuff just too new to work right, or are the chains
"last match" instead of first, or ???

I can't readily use an out of subnet IP for the NIC, some systems are
not very net smart, and in production I will have a 199.4.52.xx NIC and
192.168.x.x NIC, and will only deny packets from the ppp0 interface.

For now ipfwadm on 2.1.101 solves my problem.
--

  CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.

IPChains firewall behind firewall problem

Question for you all:

I'm currently working on building a RH7.1 router and firewall for a local
company.  I'm currently testing it on my home network, which is composed
of several boxes behind another Linux router/firewall.  

Here's the problem I'm running into on the new firewall.  I'm mostly
concerned with incoming connections, not outgoing.  So, I have defaults of
ACCEPT for output and forward, but REJECT for input.  I have rules as
such:
_____
-A input -s 192.168.1.1/255.255.0.0 -i eth0 -j ACCEPT
-A input -s 192.168.1.1/255.255.0.0 -i eth1 -j ACCEPT
-A input -s my.home.ip.address -j ACCEPT
-A input -s my.work.subnet/255.255.255.0 ssh -p tcp -j ACCEPT
-A input -s my.work.subnet/255.255.255.0 ssh -p udp -j ACCEPT
_____

Now, if I connect to a website on my internal network, with lynx,
everything looks fine.  If I try to connect to an external website, say
cnn.com, it fails on this machine only.  It passes on the other machines.  
If, however, I change the default policy on input to ACCEPT, everything is
just peachy.

My stab-in-the-dark guess is that something in the traffic getting
firewalled twice (once at the new firewall, once at the usual one) is
causing the problems.  Trouble is, I don't know WHAT, quite frankly.  I
have a line in there that allows any input connection from any local
machine (which would include the firewall).  Because of this, I don't see
why suddenly allowing ACCEPT on input would work.

Output of ipchains -L is below, with offending IP addresses subbed.  Any
help is appreciated.

________
Chain input (policy REJECT):
target     prot opt     source                destination           ports
ACCEPT     udp  ------  192.168.1.1           anywhere              domain ->   any
ACCEPT     all  ------  192.168.0.0/16        anywhere              n/a
ACCEPT     all  ------  192.168.0.0/16        anywhere              n/a
ACCEPT     all  ------  my.home.ip.addy       anywhere              n/a
ACCEPT     tcp  ------  my.work.subnet/24     anywhere              ssh ->   any
ACCEPT     udp  ------  my.work.subnet/24     anywhere              ssh ->   any
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
________

Thanks!

--

"Some men take it personally and are totally offended that you won't
accept THEIR precious and speshul DNA, because THEIR'S is DIFFERENT.  
'Look what Og do!  Og make more Ogs!'" - 6kats on asc
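Both posts above come down to how ipchains walks its chains, so here is one added example (editor's code, not from either poster and not kernel code) that simulates that walk for both rule sets. It parses rules written in ipchains -A syntax, applies them first-match (the first matching rule decides; otherwise the chain's policy does), and visits the chains the way the 2.1/2.2 kernel did: every arriving packet walks the input chain, a packet addressed to one of the firewall's own addresses is then delivered locally without ever entering the forward chain, and any other packet walks forward and then output. For the first post it takes the rules of Fig. 1 as written and shows that 199.4.52.200/30 spans only .200 to .203, so the telnet DENY never matches the .206 address, and that a packet for a local address leaves the forward counters at zero; it also runs the same rules with a /29 (.200 to .207). For the second post it takes the rules from the ipchains -L listing and shows that the HTTP reply from an external web server arrives with a source address no input rule names, so the REJECT policy discards it; the `! -y` rule (accept non-SYN TCP, the usual ipchains idiom for replies to connections the box opened itself) is added here as the fix to test, and a fresh inbound SYN is still rejected with it in place. The outside host 203.0.113.5, the web server 203.0.113.80, the firewall's LAN address 192.168.1.50, and the stand-ins 198.51.100.10 and 192.0.2.0/24 for my.home.ip.address and my.work.subnet are all constructed.

```python
"""Added example: a first-match simulator for ipchains, covering both posts.
Constructed model, not kernel code.  Rules use ipchains -A syntax and are walked
in order (first match decides, else the chain policy).  Every arriving packet
walks the input chain; one addressed to the firewall itself is then delivered
locally and never touches forward; any other packet walks forward, then output."""
import ipaddress
import shlex

PORT_NAMES = {"ssh": 22, "telnet": 23, "domain": 53, "www": 80}

def parse_rule(line):
    """'-A chain [-s a[/m] [port]] [-d a[/m] [port]] [-p x] [-i if] [! -y] -j T'; a port after -s is a *source* port."""
    toks = shlex.split(line)
    rule = {"chain": None, "src": None, "sport": None, "dst": None, "dport": None,
            "proto": "all", "iface": None, "syn": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-p", "-i", "-j"):
            rule[{"-A": "chain", "-p": "proto", "-i": "iface", "-j": "target"}[t]] = toks[i + 1]
            i += 2
        elif t in ("-s", "-d"):
            side = "src" if t == "-s" else "dst"
            # ipaddress takes 'a.b.c.d/30' and 'a.b.c.d/255.255.255.252' alike
            rule[side] = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
            if i < len(toks) and not toks[i].startswith(("-", "!")):
                rule["sport" if side == "src" else "dport"] = PORT_NAMES.get(toks[i]) or int(toks[i])
                i += 1
        elif t == "!" and toks[i + 1] == "-y":
            rule["syn"], i = False, i + 2   # non-SYN TCP only: established traffic
        elif t == "-y":
            rule["syn"], i = True, i + 1    # SYN only: new connection attempts
        else:
            raise ValueError("unsupported token %r" % t)
    return rule

def matches(rule, pkt):
    # every field the rule constrains must agree with the packet
    if rule["proto"] not in ("all", pkt["proto"]):
        return False
    if any(rule[f] is not None and pkt[f] not in rule[f] for f in ("src", "dst")):
        return False
    return all(rule[f] is None or rule[f] == pkt[f]
               for f in ("iface", "sport", "dport", "syn"))

def walk(rules, chain, policy, pkt):
    # first matching rule of this chain decides; otherwise the policy does
    for n, r in enumerate([r for r in rules if r["chain"] == chain], 1):
        if matches(r, pkt):
            return r["target"], "%s rule %d" % (chain, n)
    return policy, "%s policy" % chain

def firewall(rule_lines, policies, local_addrs, pkt):
    """Return (verdict, where) for a packet arriving on the firewall."""
    rules = [parse_rule(line) for line in rule_lines]
    verdict, where = walk(rules, "input", policies["input"], pkt)
    if verdict == "ACCEPT" and pkt["dst"] in local_addrs:
        where += " (local delivery; forward chain never consulted)"
    elif verdict == "ACCEPT":
        verdict, where = walk(rules, "forward", policies["forward"], pkt)
        if verdict == "ACCEPT":
            verdict, where = walk(rules, "output", policies["output"], pkt)
    return verdict, where

def packet(src, dst, proto="tcp", sport=1025, dport=23, iface="ppp0", syn=True):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "sport": sport, "dport": dport, "iface": iface, "syn": syn}

# First post: telnet from outside to the firewall's own 10base2 address.  The
# posted rules say 199.4.52.200/30 (.200-.203); a /29 would cover .200-.207.
def first_post(prefix, dst="199.4.52.206"):
    rules = ["-A input -p tcp -d 199.4.52.200/%d 23 -i ppp0 -j DENY" % prefix,
             "-A forward -p tcp -d 199.4.52.200/%d 23 -j DENY" % prefix,
             "-A forward -d 199.4.52.200/%d -j ACCEPT" % prefix,
             "-A forward -s 199.4.52.200/%d -j ACCEPT" % prefix]
    policies = {"input": "ACCEPT", "forward": "DENY", "output": "ACCEPT"}
    local = {ipaddress.ip_address(a) for a in ("199.4.52.7", "199.4.52.206")}
    return firewall(rules, policies, local, packet("203.0.113.5", dst))  # constructed outside host

# Second post: the firewall itself browsing an external web site.  Constructed
# stand-ins for the addresses the poster blanked out:
HOME_IP, WORK_NET = "198.51.100.10", "192.0.2.0/255.255.255.0"
FW_ETH0, WEB = "192.168.1.50", "203.0.113.80"   # new box on the home LAN; a web server
SECOND_POST_RULES = [
    "-A input -s 192.168.1.1 domain -p udp -j ACCEPT",   # present in the -L listing
    "-A input -s 192.168.1.1/255.255.0.0 -i eth0 -j ACCEPT",
    "-A input -s 192.168.1.1/255.255.0.0 -i eth1 -j ACCEPT",
    "-A input -s %s -j ACCEPT" % HOME_IP,
    "-A input -s %s ssh -p tcp -j ACCEPT" % WORK_NET,
    "-A input -s %s ssh -p udp -j ACCEPT" % WORK_NET,
]
# Usual ipchains fix: accept non-SYN TCP, i.e. replies to connections the box opened.
REPLY_RULE = "-A input -p tcp ! -y -j ACCEPT"

def second_post(rule_lines):
    # verdicts for (an HTTP reply to the firewall, a fresh SYN probe aimed at it)
    policies = {"input": "REJECT", "forward": "ACCEPT", "output": "ACCEPT"}
    local = {ipaddress.ip_address(FW_ETH0)}
    reply = packet(WEB, FW_ETH0, sport=80, dport=1025, iface="eth0", syn=False)
    probe = packet(WEB, FW_ETH0, sport=4000, dport=80, iface="eth0", syn=True)
    return (firewall(rule_lines, policies, local, reply)[0],
            firewall(rule_lines, policies, local, probe)[0])
```

Running `first_post(30)` returns ACCEPT from the input policy with local delivery, while `first_post(29)` returns DENY from input rule 1; `second_post(SECOND_POST_RULES)` returns REJECT for both the reply and the probe, and `second_post(SECOND_POST_RULES + [REPLY_RULE])` returns ACCEPT for the reply but still REJECT for the probe. The simulator is stateless on purpose: ipchains had no connection tracking, which is why the reply has to be admitted by a flag-based rule rather than by anything remembered about the outgoing request.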
