IPCHAINS is acting weird
I'm having a problem with ipchains. I wrote a simple script to apply my required rules in testing and allow me to build on it. I set up rules to allow incoming ftp, ssh, epl (my own server for testing), www (http), time, finger, and telnet. eth1 is the internet. eth0 is my internal network. What I would like to do is allow all packets from eth0, and allow only ftp, ssh, www, epl, time, telnet, and finger from the internet (eth1). Here is my rules script:
#!/bin/sh
ipchains -F
ipchains -P input DENY
ipchains -A input -p tcp -i ! eth1 -j ACCEPT
ipchains -A input -p tcp -d 0/0 ftp -j ACCEPT
ipchains -A input -p tcp -d 0/0 20 -j ACCEPT
ipchains -A input -p tcp -d 0/0 ssh -j ACCEPT
ipchains -A input -p tcp -d 0/0 www -j ACCEPT
ipchains -A input -p tcp -d 0/0 epl -j ACCEPT
ipchains -A input -p tcp -d 0/0 time -j ACCEPT
ipchains -A input -p tcp -d 0/0 telnet -j ACCEPT
ipchains -A input -p tcp -d 0/0 finger -j ACCEPT
ipchains -A input -f -j ACCEPT

Sometimes, all interfaces are totally open, other times they are totally closed. ipchains was installed with Red Hat 7.2 when I got it. Thanks, Eric S.
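The script above has no rule for traffic coming back to the firewall itself: ipchains has no connection tracking, so with a default DENY policy on input the replies to connections the box opens towards the internet (TCP data, DNS answers, ICMP errors) are dropped along with everything else. The classic ipchains way to let them in is to accept TCP packets that are not SYN (`! -y`) plus the specific UDP and ICMP replies you expect. The following is an added example, not the poster's script: an ipchains ruleset for the setup described in the post (eth1 = internet, eth0 = LAN). The port 9999 for the private "epl" service and the LAN subnet 192.168.1.0/24 are placeholders, since the thread gives neither; `ipc`, `apply_rules` and `count_wan_service_rules` are names chosen here.

```shell
#!/bin/sh
# Added example, not a script from the thread. ipchains ruleset for a box with
# eth1 on the internet and eth0 on the LAN.
#   sh rules.sh print  -> print the ipchains commands (no root needed)
#   sh rules.sh apply  -> apply them (root and an ipchains kernel required;
#                         enable forwarding separately via ip_forward)
WAN=eth1
LAN=eth0
LAN_NET=192.168.1.0/24   # placeholder: the thread never states the LAN subnet
# TCP services reachable from the internet; 9999 is a placeholder for the
# poster's private "epl" service, whose real port the thread does not give.
WAN_TCP_PORTS="ftp 20 ssh www 9999 time telnet finger"

# ipc: print or run one ipchains command, depending on DRY_RUN
ipc() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "ipchains $*"; else ipchains "$@"; fi
}

apply_rules() {
    ipc -F
    ipc -P input DENY
    ipc -P forward DENY
    ipc -P output ACCEPT
    ipc -A input -i lo -j ACCEPT
    # Everything arriving from the LAN side is trusted.
    ipc -A input -i "$LAN" -j ACCEPT
    # Return traffic for connections this host opened. There is no state table,
    # so "not SYN" is the best ipchains can do: any non-SYN TCP packet from the
    # internet is accepted, which is the weakness that iptables' conntrack fixed.
    ipc -A input -i "$WAN" -p tcp ! -y -j ACCEPT
    ipc -A input -i "$WAN" -p udp -s 0/0 53 -j ACCEPT
    ipc -A input -i "$WAN" -p icmp -j ACCEPT
    # New connections (SYN) from the internet: only the listed services.
    for p in $WAN_TCP_PORTS; do
        ipc -A input -i "$WAN" -p tcp -d 0/0 "$p" -j ACCEPT
    done
    # LAN -> internet with masquerading. In the ipchains forward chain -i names
    # the outgoing interface; masqueraded replies are demasqueraded by the kernel.
    ipc -A forward -i "$WAN" -s "$LAN_NET" -j MASQ
}

# count_wan_service_rules: number of per-service accept rules on the internet side
count_wan_service_rules() {
    (DRY_RUN=1; apply_rules) | grep -c -- "-i $WAN -p tcp -d 0/0"
}

case "${1:-}" in
    print) (DRY_RUN=1; apply_rules) ;;
    apply) apply_rules ;;
esac
```

Run it with `print` first and compare the list against what the box is meant to offer; every service line is a SYN-accepting hole, while the `! -y` line is what makes outbound browsing work without adding any new listening port.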
I'm gunna write it from scratch kk
if you're doing this remotely...

ipchains -F
ipchains -P INPUT -j ACCEPT
ipchains -P FORWARD -j ACCEPT
ipchains -P OUTPUT -j ACCEPT
ipchains -A INPUT -m state --state INVALID -j DROP
ipchains -A FORWARD -m state --state INVALID -j DROP
ipchains -A OUTPUT -m state --state INVALID -j DROP
ipchains -A INPUT -i eth1 -p tcp --multiport --dport 20,21,22,80,epl,time,telnet,finger -j ACCEPT
ipchains -A INPUT -i eth0 -j ACCEPT
ipchains -A INPUT -j DROP
ipchains -A FORWARD -i eth0 -o eth1 -j ACCEPT
ipchains -A FORWARD -i eth1 -o eth0 -j ACCEPT
ipchains -A FORWARD -j DROP
ipchains -t nat -A POSTROUTING -o eth0 -j MASQUERADE
That doesn't work either. Here is the output:
ipchains: -P requires a chain and a policy
Try `ipchains -h' or 'ipchains --help' for more information.
ipchains: Bad value `state' for -m.
Try `ipchains -h' or 'ipchains --help' for more information.
ipchains: Bad value `state' for -m.
Try `ipchains -h' or 'ipchains --help' for more information.
ipchains: Bad value `state' for -m.
Try `ipchains -h' or 'ipchains --help' for more information.
ipchains: unrecognized option `--multiport'
Try `ipchains -h' or 'ipchains --help' for more information.
ipchains: No target by that name
ipchains: No target by that name
ipchains: -o argument must be 0-65535, not `eth1'
Try `ipchains -h' or 'ipchains --help' for more information.
ipchains: -o argument must be 0-65535, not `eth0'
Try `ipchains -h' or 'ipchains --help' for more information.
ipchains: No target by that name
ipchains: -t requires 2 hexbyte arguments
Try `ipchains -h' or 'ipchains --help' for more information.

I have ipchains 1.3.10, 1-Sep-2000.
heh, chains is too old for me, I've been on iptables, sorry..
um, if it's of no consequence, format and install rh9?
Sorry! :) The hardware's too old :) Just be glad I'm not running 6.x!
well how old is your damn kernel? lol
update the kernel, get some iptables working
I guess it's time to read the 'ol TLDP Ipchains HOWTO.
I got 2.4.7-10. And I did read the howto. The commands just didn't work right.
If you have 2.4, just recompile and get iptables working - a lot more to work with, IMO
I got iptables working. However, it has the same problem. It cannot access the internet with DROP in place, except if I say to accept all RELATED and ESTABLISHED connections. Then it won't stealth any ports.
Even if I tell it specifically to drop the port, it still accepts connections.
# policies take a target directly, without -j
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# multiport is a match module: -m multiport --dports
iptables -A INPUT -i eth1 -p tcp -m multiport --dports 20,21,22,80,epl,time,telnet,finger -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -P INPUT DROP
iptables -P FORWARD DROP

where eth0 is your internet nic, and eth1 is your lan interface...