Problem with ipchains

J_Szucs · 11-24-2001, 03:37 PM

A port scanner at grc.com showed me that my SMTP, HTTP server and identification ports are open to the internet!!!
I wonder why, as presently I use my Linux computer only for Internet browsing. I do not use any mail programs, and I installed no http server or such.
I only installed a local DNS caching system (named).
I decided to use ipchains to protect myself. I studyed the ipchains how-to and found that the first sample configuration could be easily tailored to my needs.
When I tried it, however, it made the internet unavailable for me.
I found that the problem may be related to the $LOCALIP keyword used in the samples to identify my dynamic IP address. It seems that my SuSE system does not recognize it, as it complains of unidentifiable service. When I use the actual IP address, its OK. But I cannot tell what will be my IP address the next time I connect to my ISP.
Can you help me to overcome the above problem, or give me a working ipchains configuration for the following system and needs:
SuSE Linux 6.4 Eval, KDE, Netscape, modem connection to ISP with dynamic IP address, IP address cashing, no mail, no ftp, no anything just browsing.

jharris · 11-24-2001, 06:16 PM

You don't need to use your IP address - you can simply specify an interface. For example to close all the priviledged ports to tcp traffic on any PPP (dialup) interface you could use

Code:

ipchains  -A input -i ppp+ -s 0.0.0.0/0 --destination-port 0:1024  -p tcp -j DENY

This would drop any packets that arrive at your machine destined for any port between 0 and 1024, and you don't need to know your IP address

HTH

Jamie...

J_Szucs · 11-24-2001, 06:38 PM

Actually, I want to close all ports, except for those needed for browsing and dns lookup.
Which are those?

taz.devil · 11-24-2001, 06:54 PM

If i remember correctly the port used for internet traffic is 80.

jharris · 11-24-2001, 06:56 PM

As you can't guarantee what port your incomming connections will be comming in on (you send your request to port 80 for http, yet packets will come back to your machine destine for some high numbered port - hence you don't want to go blocking these!!), you really only want to close the port you know things i will be running on. Have a look at the output at the top of

Code:

netstat -a | more

to see what ports things are listening on...

HTH

Jamie...

J_Szucs · 11-24-2001, 07:45 PM

I found the following things listening:

tcp bp2119.dial.kiww:domain
tcp localhost:domain
tcp *:6000
tcp *:auth
tcp *:smtp
tcp *:www-http

furthemore:

raw *:icmp
raw *:tcp

are in state 7

Still I do not know how to interpret these data...

J_Szucs · 11-25-2001, 03:29 PM

I would still prefer to use the sample firewall commands described in the how-to.
I suppose that they might easily be made to work (if I get a little help).

So, could you please tell me why this command:
#ipchains -A input -p UDP -s 194.88.32.226 -d $LOCALIP dns -j ACCEPT
results in the following error message:
ipchains: host/network 'dns' not found

When I use the actual (dynamic) IP address got from my ISP instead of $LOCALIP, as follows:
#ipchains -A input -p UDP -s 194.88.32.226 -d 195.56.211.116 dns -j ACCEPT
it also results in an error message, but a different one:
ipchains: invalid port/service 'dns' specified

How could these commands be made to work?

acid_kewpie · 11-25-2001, 04:33 PM

well.. what's dns meant to be???

i'd guess that it's predefined in the howto you're using, presumably a local dns server, simply called dns. if you've not made it it won't work...

J_Szucs · 11-26-2001, 02:42 AM

An excerpt from the ipchains how-to I use:

'I allow UDP packets in for DNS (I run a caching nameserver which forwards all requests to 203.29.16.1, so I expect DNS replies from them only), incoming ftp, and return ftp-data only (which should only be going to a port above 1023, and not the X11 ports around 6000).

# ipchains -A ppp-in -p UDP -s 203.29.16.1 -d $LOCALIP dns -j ACCEPT
# ipchains -A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d $LOCALIP 1024:5999 -j ACCEPT
# ipchains -A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d $LOCALIP 6010: -j ACCEPT
# ipchains -A ppp-in -p TCP -d $LOCALIP ftp -j ACCEPT'

As a newbie, how could I know what that 'dns' means in this example? I thought it is something like an 'environment variable' of the system that is automatically created and updated when I set up a local, caching name server.

Based on my experiences with Linux and M$ programs, I find that usually they both have extensive documentation, only they should be used in a different way:
- in M$ programs: try the examples, understand how they work and tailor them to your needs
- in Linux: try the examples, understand why they do not work, then tailor them to your needs.

J_Szucs · 11-26-2001, 05:00 AM

An addition: there is no pre-defined server with the name 'dns' mentioned in the ipchains how-to.

J_Szucs · 11-26-2001, 03:20 PM

I am browsing my system files now, and in rc.config I was faced with the fact that I actually run a server on my machine. Not quite unintentionally, as I intended to run a server on Localhost, for later testing purposes of mysql + php. But my original intention was that it should be operable only for Localhost, and not for the whole Internet whilst keeping three ports totally open to the Internet when I am browsing.
Actually, in rc.config I switched off the httpd service (and also found out how to start named at start-up), but I still have port 113 being always open.
Can you tell me how to close port 113 (which service shall be disabled and where) and also the drawback of doing so?
Still want to install a firewall by ipchains (I would prefer stealthing my ports instead of closing them), if once I find out what that 'dns' means in the sample configuration.

zhenwu · 11-26-2001, 03:33 PM

Hi there,

$LOCALIP is a variable that is stated at the start of your script. You should see 'something' like

LOCALIP = "bleh"

Right close to the beginning of the script.

You could try just replacing any instance of '$LOCALIP' with 'ppp+'

and see how it goes.

Or, I guess you could replace the 'bleh' at the top with 'ppp+' then you'd not have to go through your script to replace every instance of $LOCALIP.....

zhenwu · 11-26-2001, 03:41 PM

You might check out PMFirewall . I found it to be quite a good set up configurator that created a pretty darn good firewall script.

J_Szucs · 11-27-2001, 08:41 PM

I tried PMFirewall but it made the Internet unavailable, although I installed it to my best knowledge (which is, however, very limited).
I run it at start-up time, but it made strange strings:
It gave the Forward chain a policy of Deny, and no other rules (this may have caused the Internet access failure).
It gave the Output chain a policy of Accept, and filled it with Accept rules only (this is an other thing I could not understand).
Finally I dropped PMFirewall.
So, my questions are still relevant (and simple):
- Could someone give me a sample configuration of ipchains that allows browsing the internet, local nameserver, dynamic IP address from ISP, but otherwise protect the machine from possible attacts?
- Can anyone tell me what that 'dns' means in the sample configuration in the ipchains howto (which possibly not understood by my system)?
Thank you in advance.

craig_phoebe · 11-28-2001, 01:57 AM

If you put the following 2 lines in your script file, the script
will read ifconfig and determine the IP address for you
each time.

Make sure the firewall script runs as part of IP-UP so that
the ppp0 interface is up at the time.

EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
echo "external ip is $EXTIP"

ps :- this is in one of the LDP howtos, read them and prosper..