Firewall problems using ipchains

Firewall problems using ipchains

Post by Bill Davids » Tue, 03 Nov 1998 04:00:00

I have been trying to convert a firewall from ipfwadm to ipchains, and
am having no luck at all in getting the proper behaviour. I am
suspicious that there is a bug, because I don't see any problem in the
simple setup.

The config is a firewall connected through a dialup via ppp to a three
bit subnet if fixed addresses and some 192.168.x.x hosts to be supported
via masquerade. I have totally removed the prive net and physically
removed the NIC to avoid complexity.

I want all packets arriving at the firewall for the visible subnet to be
forwarded, except the packets for a telnet port. Therefore I set
forwarding policy to DENY, then explicitly denied packets to any of the
subnet addresses.

       <<PPP>>                   <<10base2>>

At this point I can happily telnet into from the outside,
packets for another IP on the firewall now seem to totally bypass the
chains... So I tried another hack, I deny all packets to the subnet,
telnet port, on interface ppp0 (you can check the wide detailed list for
that). I guess input drop doesn't work either, I can still telnet to the
206 NIC of the firewall.

More info after to listings...

================ Fig 1, ipchains listing
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       tcp  ------         * ->   23
Chain forward (policy DENY):
DENY       tcp  ------         * ->   23
ACCEPT     all  ------         n/a
ACCEPT     all  ------             n/a
Chain output (policy ACCEPT):

================ Fig 2, ipchains with detail
Chain input (policy ACCEPT: 33923 packets, 8797916 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
    0     0 DENY       tcp  ------ 0xFF 0x00  ppp0                          * ->   23
Chain forward (policy DENY: 0 packets, 0 bytes):
    0     0 DENY       tcp  ------ 0xFF 0x00  *                             * ->   23
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                             n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                                 n/a
Chain output (policy ACCEPT: 34589 packets, 5281335 bytes):

I note that the forward chain doesn't have any counts, which increases
my suspicion that the kernel is leaking packets between interfaces
without going through the chains.

This kernel 2.1.106p4, I tried 2.1.125 without any additional luck, and
this kernel has been too stable to upgrade unless a new one works

Is this ipchains stuff just too new to work right, or are the chains
"last match" instead of first, or ???

I can't readily use an out of subnet IP for the NIC, some systems are
not very net smart, and in production I will have a 199.4.52.xx NIC and
192.168.x.x NIC, and will only deny packets from the ppp0 interface.

For now ipfwadm on 2.1.101 solves my problem.

  CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.

  CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.


1. IPChains firewall behind firewall problem

Question for you all:

I'm currently working on building a RH7.1 router and firewall for a local
company.  I'm currently testing it on my home network, which is composed
of several boxes behind another Linux router/firewall.  

Here's the problem I'm running into on the new firewall.  I'm mostly
concerned with incoming connections, not outgoing.  So, I have defaults of
ACCEPT for output and forward, but REJECT for input.  I have rules as
-A input -s -i eth0 -j ACCEPT
-A input -s -i eth1 -j ACCEPT
-A input -s my.home.ip.address -j ACCEPT
-A input -s ssh -p tcp -j ACCEPT
-A input -s ssh -p udp -j ACCEPT

Now, if I connect to a website on my internal network, with lynx,
everything looks fine.  If I try to connect to an external website, say, it fails on this machine only.  It passes on the other machines.  
If, however, I change the defualt policy on input to ACCEPT, everything is
just peachy.

My stab-in-the-dark guess is that something in the traffic getting
firewalled twice(once at new firewall, once at usual) is causing the
problems.  Trouble is, I don't know WHAT, quite frankly.  I have a line in
there that allows any input connection from any local machine(which would
include the firewall). Because of this, I don't see why suddenly allowing
ACCEPT on input would work.  

Output of ipchains -L is below, with offending IP addresses subbed.  Any
help is appreciated.

Chain input (policy REJECT):
target     prot opt     source                destination           ports
ACCEPT     udp  ------          anywhere              domain
->   any
ACCEPT     all  ------       anywhere              n/a
ACCEPT     all  ------       anywhere              n/a
ACCEPT     all  ------  my.home.ip.addy      anywhere
ACCEPT     tcp  ------       anywhere              ssh ->
ACCEPT     udp  ------       anywhere              ssh ->
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):



"Some men take it personally and are totally offended that you won't
accept THEIR precious and speshul DNA, because THEIR'S is DIFFERENT.  
'Look what Og do!  Og make more Ogs!'" - 6kats on asc

2. doc's on yacc & lex????

3. Using Linux with IPChains to split a class C subnet and firewall one half

4. FS:Ultra 140s Major Price Reductions!!

5. Firewall using ipchains + 3 NICs

6. Memory Filling Up Till Crash

7. Using Checkpoint's SecureRemote through IPCHAINS firewall (VPN)

8. Help...exceedingly weird problem

9. firewall configuration using ipchains

10. Using Linux/IPChains instead of commercial firewall

11. IPCHAINS logging question using Trinity OS firewall

12. Help needed MASQing a web server using ipchains-firewall

13. FireWall using IPCHAINS: Where to start?