Old 11-24-2001, 04:37 PM   #1
J_Szucs
Senior Member
 
Registered: Nov 2001
Location: Budapest, Hungary
Distribution: SuSE 6.4-11.3, Dsl linux, FreeBSD 4.3-6.2, Mandrake 8.2, Redhat, UHU, Debian Etch
Posts: 1,126

Rep: Reputation: 58
Problem with ipchains


A port scanner at grc.com showed me that my SMTP, HTTP server and identification ports are open to the internet!!!
I wonder why, as presently I use my Linux computer only for Internet browsing. I do not use any mail programs, and I installed no http server or such.
I only installed a local DNS caching system (named).
I decided to use ipchains to protect myself. I studied the ipchains how-to and found that the first sample configuration could be easily tailored to my needs.
When I tried it, however, it made the internet unavailable for me.
I found that the problem may be related to the $LOCALIP keyword used in the samples to identify my dynamic IP address. It seems that my SuSE system does not recognize it, as it complains of an unidentifiable service. When I use the actual IP address, it's OK. But I cannot tell what my IP address will be the next time I connect to my ISP.
Can you help me to overcome the above problem, or give me a working ipchains configuration for the following system and needs:
SuSE Linux 6.4 Eval, KDE, Netscape, modem connection to ISP with dynamic IP address, IP address caching, no mail, no ftp, no anything, just browsing.
 
Old 11-24-2001, 07:16 PM   #2
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 46
You don't need to use your IP address - you can simply specify an interface. For example, to close all the privileged ports to tcp traffic on any PPP (dialup) interface you could use
Code:
ipchains -A input -i ppp+ -s 0.0.0.0/0 --destination-port 0:1024 -p tcp -j DENY
This would drop any packets that arrive at your machine destined for any port between 0 and 1024, and you don't need to know your IP address

HTH

Jamie...
 
Old 11-24-2001, 07:38 PM   #3
J_Szucs
Original Poster
ipchains

Actually, I want to close all ports, except for those needed for browsing and dns lookup.
Which are those?
 
Old 11-24-2001, 07:54 PM   #4
taz.devil
Senior Member
 
Registered: Nov 2001
Location: Wa. State
Distribution: Slackware
Posts: 1,261

Rep: Reputation: 45
If i remember correctly the port used for internet traffic is 80.
 
Old 11-24-2001, 07:56 PM   #5
jharris
As you can't guarantee what port your incoming connections will be coming in on (you send your request to port 80 for http, yet packets will come back to your machine destined for some high numbered port - hence you don't want to go blocking these!!), you really only want to close the ports you know things will be running on. Have a look at the output at the top of
Code:
netstat -a | more
to see what ports things are listening on...

HTH

Jamie...
 
Old 11-24-2001, 08:45 PM   #6
J_Szucs
Original Poster
ipchains

I found the following things listening:

tcp bp2119.dial.kiww:domain
tcp localhost:domain
tcp *:6000
tcp *:auth
tcp *:smtp
tcp *:www-http

furthermore:

raw *:icmp
raw *:tcp

are in state 7

Still I do not know how to interpret these data...
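As an added example (not code from the thread), here is a small script that reads a "netstat -a" listing like the one in post #6 and says which listeners a scanner on the Internet side can reach. The local-address column is the key: "*" means the socket is bound on every interface, ppp0 included; "localhost" means loopback only; a hostname means it is bound to that one address. The netstat lines and the name-to-port table are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: read a "netstat -a" listing and say
# which listeners are reachable from the dial-up link.  The local-address
# column is the key: "*" = bound on every interface (ppp0 included),
# "localhost" = loopback only, a hostname = bound to that one address.
# NETSTAT_SAMPLE is CONSTRUCTED to mirror post #6; SERVICES_SAMPLE stands
# in for /etc/services (name -> port) and is an assumption.
NETSTAT_SAMPLE='tcp        0      0 bp2119.dial.kiww:domain *:*                     LISTEN
tcp        0      0 localhost:domain        *:*                     LISTEN
tcp        0      0 *:6000                  *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:www-http              *:*                     LISTEN'
SERVICES_SAMPLE='domain 53
auth 113
smtp 25
www-http 80'

# port_of NAME: service name -> port; a numeric argument passes through
port_of() {
    case "$1" in
        *[!0-9]*) printf '%s\n' "$SERVICES_SAMPLE" | awk -v n="$1" '$1==n {print $2}' ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# classify_listeners: one line per LISTEN socket, "SCOPE proto/port name"
# where SCOPE is ALL, LOOPBACK or IFACE as explained above
classify_listeners() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk '$6 == "LISTEN" {print $1, $4}' |
    while read -r proto laddr; do
        host=${laddr%:*}; svc=${laddr##*:}
        case "$host" in
            '*')                 scope=ALL ;;
            localhost|127.0.0.1) scope=LOOPBACK ;;
            *)                   scope=IFACE ;;
        esac
        printf '%s %s/%s %s\n' "$scope" "$proto" "$(port_of "$svc")" "$svc"
    done
}

# count_exposed: how many listeners a scanner on the Internet side can reach
count_exposed() { classify_listeners | grep -c '^ALL '; }

classify_listeners
```

Three of the four ALL lines (auth, smtp, www-http) are exactly the ident, SMTP and HTTP ports grc.com reported; the fourth, 6000, is the X server. The IFACE line is named bound to the dial-up address, which is what the HOWTO's UDP rule restricts to replies from the ISP forwarder.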
 
Old 11-25-2001, 04:29 PM   #7
J_Szucs
Original Poster
ipchains

I would still prefer to use the sample firewall commands described in the how-to.
I suppose that they might easily be made to work (if I get a little help).

So, could you please tell me why this command:
#ipchains -A input -p UDP -s 194.88.32.226 -d $LOCALIP dns -j ACCEPT
results in the following error message:
ipchains: host/network 'dns' not found

When I use the actual (dynamic) IP address got from my ISP instead of $LOCALIP, as follows:
#ipchains -A input -p UDP -s 194.88.32.226 -d 195.56.211.116 dns -j ACCEPT
it also results in an error message, but a different one:
ipchains: invalid port/service 'dns' specified

How could these commands be made to work?
 
Old 11-25-2001, 05:33 PM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

well.. what's dns meant to be???

i'd guess that it's predefined in the howto you're using, presumably a local dns server, simply called dns. if you've not made it it won't work...
 
Old 11-26-2001, 03:42 AM   #9
J_Szucs
Original Poster
ipchains

An excerpt from the ipchains how-to I use:

'I allow UDP packets in for DNS (I run a caching nameserver which forwards all requests to 203.29.16.1, so I expect DNS replies from them only), incoming ftp, and return ftp-data only (which should only be going to a port above 1023, and not the X11 ports around 6000).

# ipchains -A ppp-in -p UDP -s 203.29.16.1 -d $LOCALIP dns -j ACCEPT
# ipchains -A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d $LOCALIP 1024:5999 -j ACCEPT
# ipchains -A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d $LOCALIP 6010: -j ACCEPT
# ipchains -A ppp-in -p TCP -d $LOCALIP ftp -j ACCEPT'

As a newbie, how could I know what that 'dns' means in this example? I thought it is something like an 'environment variable' of the system that is automatically created and updated when I set up a local, caching name server.

Based on my experiences with Linux and M$ programs, I find that usually they both have extensive documentation, only they should be used in a different way:
- in M$ programs: try the examples, understand how they work and tailor them to your needs
- in Linux: try the examples, understand why they do not work, then tailor them to your needs.
 
Old 11-26-2001, 06:00 AM   #10
J_Szucs
Original Poster
ipchains

An addition: there is no pre-defined server with the name 'dns' mentioned in the ipchains how-to.
 
Old 11-26-2001, 04:20 PM   #11
J_Szucs
Original Poster
ipchains

I am browsing my system files now, and in rc.config I was faced with the fact that I actually run a server on my machine. Not quite unintentionally, as I intended to run a server on Localhost, for later testing purposes of mysql + php. But my original intention was that it should be operable only for Localhost, and not for the whole Internet whilst keeping three ports totally open to the Internet when I am browsing.
Actually, in rc.config I switched off the httpd service (and also found out how to start named at start-up), but I still have port 113 being always open.
Can you tell me how to close port 113 (which service shall be disabled and where) and also the drawback of doing so?
Still want to install a firewall by ipchains (I would prefer stealthing my ports instead of closing them), if once I find out what that 'dns' means in the sample configuration.

Last edited by J_Szucs; 11-26-2001 at 04:28 PM.
 
Old 11-26-2001, 04:33 PM   #12
zhenwu
Member
 
Registered: Jul 2001
Location: Taiwan (ex-Victoria BC)
Distribution: RH 9.0
Posts: 126

Rep: Reputation: 15
Hi there,

$LOCALIP is a variable that is stated at the start of your script. You should see 'something' like

LOCALIP = "bleh"

Right close to the beginning of the script.

You could try just replacing any instance of '$LOCALIP' with 'ppp+'

and see how it goes.

Or, I guess you could replace the 'bleh' at the top with 'ppp+' then you'd not have to go through your script to replace every instance of $LOCALIP.....

Last edited by zhenwu; 11-26-2001 at 04:38 PM.
 
Old 11-26-2001, 04:41 PM   #13
zhenwu
You might check out PMFirewall. I found it to be quite a good setup configurator that created a pretty darn good firewall script.
 
Old 11-27-2001, 09:41 PM   #14
J_Szucs
Original Poster
ipchains

I tried PMFirewall but it made the Internet unavailable, although I installed it to my best knowledge (which is, however, very limited).
I run it at start-up time, but it made strange strings:
It gave the Forward chain a policy of Deny, and no other rules (this may have caused the Internet access failure).
It gave the Output chain a policy of Accept, and filled it with Accept rules only (this is another thing I could not understand).
Finally I dropped PMFirewall.
So, my questions are still relevant (and simple):
- Could someone give me a sample configuration of ipchains that allows browsing the internet, local nameserver, dynamic IP address from ISP, but otherwise protects the machine from possible attacks?
- Can anyone tell me what that 'dns' means in the sample configuration in the ipchains howto (which is possibly not understood by my system)?
Thank you in advance.
 
Old 11-28-2001, 02:57 AM   #15
craig_phoebe
LQ Newbie
 
Registered: Nov 2001
Posts: 1

Rep: Reputation: 0
Solution to IP Address

If you put the following 2 lines in your script file, the script
will read ifconfig and determine the IP address for you
each time.

Make sure the firewall script runs as part of IP-UP so that
the ppp0 interface is up at the time.

EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
echo "external ip is $EXTIP"

PS: this is in one of the LDP howtos, read them and prosper..
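As an added example that is neither the thread's nor the HOWTO's own script, the following puts together the two pieces the thread circles around: the "dns" argument in posts #7 and #9, and the ifconfig trick in post #15. ipchains resolves port names through /etc/services, where the name-service port is called "domain" (53), not "dns"; that is why "-d $LOCALIP dns" fails, and when $LOCALIP is unset ipchains reads "dns" as the address instead, which gives the first of the two error messages. The ifconfig output, the ISP forwarder address and the ruleset layout are assumptions for the example; with DRYRUN=1 (the default) the rules are printed rather than loaded.

```shell
#!/bin/sh
# Added example, not the thread's or the HOWTO's own script.  Two fixes:
#  1. "dns" is not a service name in /etc/services; the name-service port
#     is "domain" (53), so "-d $LOCALIP dns" fails.  With $LOCALIP unset
#     ipchains reads "dns" as the address, which gives the first error.
#  2. The dial-up address is read from ifconfig at ip-up time (post #15).
# IFCONFIG_SAMPLE is CONSTRUCTED ifconfig output so the script runs offline.
IFCONFIG_SAMPLE='ppp0      Link encap:Point-to-Point Protocol
          inet addr:195.56.211.116  P-t-P:195.56.211.1  Mask:255.255.255.255'
ISP_DNS=194.88.32.226      # forwarder address from post #7
DRYRUN=${DRYRUN:-1}        # 1 = print the rules, 0 = really call ipchains

# ext_ip: the post #15 pipeline, fed from the sample instead of /sbin/ifconfig
ext_ip() {
    printf '%s\n' "$IFCONFIG_SAMPLE" | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'
}

# svc_port NAME: resolve a name via /etc/services as ipchains does;
# a tiny built-in table covers the case where the file is not present.
svc_port() {
    p=$(awk -v n="$1" '$1==n {sub(/\/.*/, "", $2); print $2; exit}' /etc/services 2>/dev/null)
    [ -n "$p" ] || case "$1" in domain) p=53 ;; auth) p=113 ;; *) return 1 ;; esac
    printf '%s\n' "$p"
}

rule() { if [ "$DRYRUN" = 1 ]; then echo "ipchains $*"; else ipchains "$@"; fi; }

build_rules() {
    LOCALIP=$(ext_ip) && DNS=$(svc_port domain) && AUTH=$(svc_port auth) || return 1
    [ -n "$LOCALIP" ] || return 1           # ppp0 not up yet: do not load rules
    rule -F input
    rule -P input DENY                       # default: drop what is not allowed
    rule -A input -i lo -j ACCEPT            # loopback, incl. named on localhost
    # DNS replies: only from the ISP forwarder, only to the local resolver
    rule -A input -i ppp+ -p UDP -s "$ISP_DNS" "$DNS" -d "$LOCALIP" "$DNS" -j ACCEPT
    # browsing return traffic: non-SYN TCP to unprivileged ports, X11 range left out
    rule -A input -i ppp+ -p TCP ! -y -d "$LOCALIP" 1024:5999 -j ACCEPT
    rule -A input -i ppp+ -p TCP ! -y -d "$LOCALIP" 6010: -j ACCEPT
    # identd (113, post #11): REJECT answers probes at once instead of a timeout
    rule -A input -i ppp+ -p TCP -d "$LOCALIP" "$AUTH" -j REJECT
    rule -A input -i ppp+ -l -j DENY         # log and drop the rest on the link
}

build_rules
```

Run from ip-up with DRYRUN=0 once the printed rules look right; the `-P input DENY` policy is what makes the scan show closed ports, and the REJECT on 113 is the answer to the "drawback" question in post #11, since remote servers that probe identd get an immediate answer instead of waiting for a timeout.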
 