LinuxQuestions.org
Closed Thread
Old 12-26-2008, 06:22 AM   #1
active
LQ Newbie
 
Registered: Dec 2008
Posts: 9

ipchains


Hi,
Coming directly to the case: with ipchains, please guide me on this scenario.

My setup is as given below.

Eth1 = External ip (ex:88.88.88.88) Internet interface
Eth0 = Internal Ip (192.168.5.1) Lan interface
The internal subnet is 192.168.5.0/24

I want to block outgoing SMTP traffic on port 25, as well as selectively allow it.
The reason I want to block it is that our static IP gets blacklisted every time (once every two days) and we have to request delisting.

I have ipchains on a 2.2 kernel on Red Hat Linux 7.

The following is the present firewall rules script, which starts at bootup.

#!/bin/sh

# Flush Rules
ipchains -F forward
ipchains -F output
ipchains -F input

# Set default to deny all
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY

#ICMP REDIRECT PROTECTION
#possible alteration of routing tables if left open
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
/bin/echo "0" > ${interface}
done

#IP_SPOOFING PROTECTION
#asymmetrically routed packets will fail
#who cares anyways
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done

# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# FTP masq
#/sbin/modprobe ip_masq_ftp


# Add Rules
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT

# prevent spoofed packets from outside
ipchains -A input -s 192.168.5.0/24 -i eth1 -j DENY -l
ipchains -A input -s 127.0.0.0/8 -i ! lo -j DENY -l

# DENY DNS from outside
ipchains -A input -j DENY -l -s 0/0 -d 88.88.88.88 53:53 -p udp -i eth1

# first add list of blocked addresses from file
for bad_addr in `cat /root/firewall/blacklist | awk '{ print $2 }'`; do
ipchains -A input -j DENY -l -s $bad_addr -d 88.88.88.88/32 -p all -i eth1
ipchains -A input -j DENY -l -s 192.168.5.0/24 -d $bad_addr -p all -i eth0
done

# Ping
# we need to ping outside
ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 -p icmp --icmp-type echo-reply -i eth1
ipchains -A output -j ACCEPT -d 0/0 -p icmp --icmp-type echo-request -i eth1

# but outside cannot ping us )
ipchains -A input -j DENY -s 0/0 -d 88.88.88.88/32 -p icmp --icmp-type echo-request -i eth1
ipchains -A output -j DENY -d 0/0 -p icmp --icmp-type echo-reply -i eth1

# allow ping from internal network
ipchains -A output -j ACCEPT -s 0/0 -d 192.168.5.0/24 -p icmp -i eth0
ipchains -A input -j ACCEPT -s 192.168.5.0/24 -d 0/0 -p icmp -i eth0

# VOIP
# Allow udp to ciscoata UDP ports 69, 5060,5061,5062 10000-10800
# don't know the server from which traffic originates.
# That stupid idiot at the VOIP provider doesn't know himself. @&&#o1e
ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 -p udp -i eth0

#ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 69:69 -p udp -i eth0
#ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 5060:5062 -p udp -i eth0
#ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 10000:11500 -p udp -i eth0
ipchains -A output -j ACCEPT -p udp -i eth0

ipchains -A input -j ACCEPT -s 0/0 -p udp -i eth1
#ipchains -A input -j ACCEPT -s 0/0 69:69 -p udp -i eth1
#ipchains -A input -j ACCEPT -s 0/0 5060:5062 -p udp -i eth1
#ipchains -A input -j ACCEPT -s 0/0 10000:11500 -p udp -i eth1
ipchains -A output -j ACCEPT -p udp -i eth1

# Accept all but port 21 to 23 to and from internal net
# matrix genesis and neo allows all
# I'm the goddamn sysadmin.
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.3 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.50 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.51 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.150 -d 0/0 21:23 -i eth0
#ipchains -A input -j ACCEPT -p tcp -s 192.168.5.10 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.15 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.9 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.25 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -s 192.168.5.0/24 -d 0/0 -i eth0
ipchains -A output -j ACCEPT -s 0/0 -d 192.168.5.0/24 -i eth0


# allow traffic originating internally
ipchains -A output -j ACCEPT -s 88.88.88.88/32 -d 0/0 -p tcp -i eth1
ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 -p tcp ! -y -i eth1

# DNS
ipchains -A output -j ACCEPT -s 88.88.88.88/32 -d 0/0 53:53 -p udp -i eth1
ipchains -A input -j ACCEPT -s 0/0 53:53 -d 88.88.88.88/32 -p udp -i eth1

# Forward /Masq internal network
for host_addr in `cat /root/firewall/hostlist`; do
ipchains -A forward -j MASQ -s $host_addr -d 0.0.0.0/0
done

ipchains -A forward -s 192.168.5.0/24 -d 0.0.0.0/0 -j MASQ

ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 80:80 -p tcp -i eth1
ipchains -A output -j ACCEPT -s 88.88.88.88/32 80:80 -d 0/0 -p tcp ! -y -i eth1

ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 110:110 -p tcp -i eth1
ipchains -A output -j ACCEPT -s 88.88.88.88/32 110:110 -d 0/0 -p tcp ! -y -i eth1

ipchains -A input -j DENY -s 0/0 -d 88.88.88.88/32 25:25 -p tcp -i eth1
ipchains -A output -j DENY -s 88.88.88.88/32 25:25 -d 0/0 -p tcp ! -y -i eth1

As you can see at the very bottom of the rules, I have denied port 25 for SMTP,
but I can still send mail using

mail -s subject user@example.com

from a Linux system, and it successfully sends out mail.

Why are my ipchains rules not working as expected for SMTP port 25?
Please help me out of this mess.
Thanking you people in advance
Mark
 
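The behaviour in the post follows from how ipchains evaluates a chain: it walks the rules top to bottom and the first rule that matches the packet decides; only if nothing matches does the chain policy apply. In the posted output chain the rule under "allow traffic originating internally" accepts every TCP packet leaving eth1 with the external address as source, and it sits above the port-25 DENY, so the DENY is never reached. A second problem is independent of ordering: the DENY is written with "! -y", which matches only packets that are not connection-opening SYNs, so even if it were moved to the top it would still let the SYN that opens the SMTP session through. The following is an added example, not code from the post or from ipchains: a small first-match evaluator in Python that replays the relevant rules of the posted script (only the output-chain rules that can match a TCP packet on eth1 are transcribed) against a constructed outgoing SMTP SYN, then shows the same packet against a corrected ordering, and an input-chain arrangement on eth0 that allows one LAN host to send mail while denying the rest. The remote address 203.0.113.25 (RFC 5737 documentation range) and the choice of 192.168.5.3 as the designated mail host are assumptions made for the example.

```python
"""
First-match walk over ipchains-style chains.
Added example; constructed model, not the ipchains implementation.

A rule matches when every field it specifies matches the packet; the first
matching rule's target wins, otherwise the chain policy applies.
syn=True models "-y" (SYN set, ACK/FIN clear: the packet that opens a TCP
connection), syn=False models "! -y" (every other packet), None means the
rule does not look at the flags.  Logging ("-l") is not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int
    syn: bool = False


@dataclass
class Rule:
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None          # None = "-p all"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[Tuple[int, int]] = None
    syn: Optional[bool] = None
    note: str = ""

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.syn is not None and p.syn != self.syn:
            return False
        return True


def evaluate(chain, policy, p):
    """Walk the chain top to bottom; return (target, index or None, note)."""
    for i, rule in enumerate(chain):
        if rule.matches(p):
            return rule.target, i, rule.note
    return policy, None, "chain policy"


EXT = "88.88.88.88/32"
REMOTE_MX = "203.0.113.25"          # constructed: RFC 5737 documentation address
MAIL_HOST = "192.168.5.3"           # assumption: the one LAN host allowed to send mail

# Output-chain rules from the posted script that can match TCP on eth1, in order.
POSTED_OUTPUT = [
    Rule("ACCEPT", iface="eth1", proto="tcp", src=EXT, note="allow traffic originating internally"),
    Rule("ACCEPT", iface="eth1", proto="tcp", src=EXT, dport=(80, 80), syn=False, note="http, ! -y"),
    Rule("ACCEPT", iface="eth1", proto="tcp", src=EXT, dport=(110, 110), syn=False, note="pop3, ! -y"),
    Rule("DENY", iface="eth1", proto="tcp", src=EXT, dport=(25, 25), syn=False, note="smtp DENY as written, ! -y"),
]
# The same DENY moved to the top but still written with "! -y".
MOVED_AS_WRITTEN = [POSTED_OUTPUT[3]] + POSTED_OUTPUT[:3]
# DENY first and without the flag test, so the opening SYN is caught too.
FIXED_OUTPUT = [Rule("DENY", iface="eth1", proto="tcp", src=EXT, dport=(25, 25), note="smtp DENY, any flags")] + POSTED_OUTPUT[:3]

# Input chain on eth0: the LAN source address is still visible here (before MASQ),
# so this is where one host can be singled out.  Exception above the DENY, DENY
# above the existing catch-all ACCEPT for 192.168.5.0/24.
INPUT_ETH0 = [
    Rule("ACCEPT", iface="eth0", proto="tcp", src=MAIL_HOST + "/32", dport=(25, 25), note="designated mail host"),
    Rule("DENY", iface="eth0", proto="tcp", src="192.168.5.0/24", dport=(25, 25), note="no direct SMTP from other hosts"),
    Rule("ACCEPT", iface="eth0", src="192.168.5.0/24", note="existing catch-all"),
]

SMTP_SYN_OUT = Packet("eth1", "tcp", "88.88.88.88", REMOTE_MX, 25, syn=True)


def demo():
    """Evaluate the constructed packets against each chain; returns a dict of results."""
    return {
        "posted": evaluate(POSTED_OUTPUT, "REJECT", SMTP_SYN_OUT),
        "moved_as_written": evaluate(MOVED_AS_WRITTEN, "REJECT", SMTP_SYN_OUT),
        "fixed": evaluate(FIXED_OUTPUT, "REJECT", SMTP_SYN_OUT),
        "lan_mail_host": evaluate(INPUT_ETH0, "DENY", Packet("eth0", "tcp", MAIL_HOST, REMOTE_MX, 25, syn=True)),
        "lan_other_smtp": evaluate(INPUT_ETH0, "DENY", Packet("eth0", "tcp", "192.168.5.50", REMOTE_MX, 25, syn=True)),
        "lan_other_http": evaluate(INPUT_ETH0, "DENY", Packet("eth0", "tcp", "192.168.5.50", REMOTE_MX, 80, syn=True)),
    }


if __name__ == "__main__":
    for name, (target, idx, note) in demo().items():
        print(f"{name:17s} -> {target:6s} rule {idx} ({note})")
```

Running it shows the posted chain accepting the SMTP SYN at rule 0, the moved-but-unchanged DENY still letting it through (rule 1, the general ACCEPT, matches because the DENY only looks at non-SYN packets), and the corrected chain denying it at rule 0. On the eth0 input chain the designated host is accepted by the exception, another host is denied on port 25 but still accepted on port 80 by the catch-all. One caveat the model makes visible: a blanket port-25 DENY on the eth1 output chain also kills the designated host's mail, because after masquerading its packets carry 88.88.88.88 as source and cannot be told apart from anyone else's; keep the eth1 DENY for mail sent by the firewall itself, and enforce the LAN exception on the eth0 input chain as above. On the real box, `ipchains -L output -n -v` lists the chain in evaluation order with per-rule packet counters, which shows which rule is absorbing the traffic, and ipchains' own check mode, e.g. `ipchains -C output -p tcp -y -i eth1 -s 88.88.88.88 1025 -d 203.0.113.25 25`, reports what the kernel would do with such a packet.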
Old 12-26-2008, 06:27 AM   #2
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Reported as double post of http://www.linuxquestions.org/questi...56#post3387556