LinuxQuestions.org
Forum: Linux - Security (all security related questions: tips, system compromises, firewalls, etc.)
09-17-2001, 01:40 PM   #1
progressroom (LQ Newbie; Registered: Sep 2001; Posts: 1)

Weird ipchains problem


Hello,

I am having a problem with ipchains where I cannot go to certain websites (i.e. www.cibc.com) from my machine inside the firewall.

My configuration is a Linux machine running as a firewall with a W2K machine inside the firewall using 192.168.0.* IP addresses NATed through Linux ipchains.

I can go to the website from the Linux machine, but not from the Windows machine. It gets the DNS entry, because it displays the page title, but that is all.

It seems as though the ipchains is preventing the answering website from communicating with my machine inside the firewall. I have looked at the /var/log/messages file but cannot see anything inside to help me out.

I hope someone can help,

Phil

Here is my ipchains Rule Set:

Chain input (policy REJECT):
target prot opt source destination ports
ACCEPT all ------ 192.168.0.0/24 anywhere n/a
REJECT all ----l- 192.168.0.0/24 anywhere n/a
ACCEPT all ------ anywhere HSE-Toronto-ppp165908.sympatico.ca n/a
ACCEPT all ------ anywhere anywhere n/a
REJECT all ----l- anywhere anywhere n/a
Chain forward (policy DENY):
target prot opt source destination ports
MASQ all ------ 192.168.0.0/24 anywhere n/a
REJECT all ----l- anywhere anywhere n/a
Chain output (policy REJECT):
target prot opt source destination ports
ACCEPT all ------ anywhere 192.168.0.0/24 n/a
REJECT all ----l- anywhere 192.168.0.0/24 n/a
REJECT all ----l- 192.168.0.0/24 anywhere n/a
ACCEPT all ------ HSE-Toronto-ppp165908.sympatico.ca anywhere n/a
ACCEPT all ------ anywhere anywhere n/a
REJECT all ----l- anywhere anywhere n/a

Here is my Firewall setup:
#!/bin/sh
#
# /etc/rc.d/rc.firewall: An example of a Semi-Strong IPCHAINS firewall ruleset.
#

PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
# are shown below but are commented from loading.

# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
/sbin/modprobe ip_masq_irc


# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to play
# Quake I, II, and III, use the second example.
#
# NOTE: If you get ERRORs loading the QUAKE module, you are running an old
# ----- kernel that has bugs in it. Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960


# Supports the masquerading of the CuSeeme video conferencing software
#
/sbin/modprobe ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
/sbin/modprobe ip_masq_vdolive


#CRITICAL: Enable IP forwarding, since it is disabled by default.
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward


# Specify your Static IP address here.
#
# If you have a DYNAMIC IP address, you need to make this ruleset understand your
# IP address every time you get a new IP. To do this, enable the following one-line
# script. (Please note that the different single and double quote characters MATTER).
#
#
# DHCP users:
# -----------
# If you get your TCP/IP address via DHCP, **you will need** to enable the #ed out command
# below underneath the PPP section AND replace the word "ppp0" with the name of your EXTERNAL
# Internet connection (eth0, eth1, etc) on the lines for "ppp-ip" and "extip". It should be
# also noted that the DHCP server can change IP addresses on you. To fix this, users should
# configure their DHCP client to re-run the firewall ruleset every time the DHCP lease is
# renewed.
#
# NOTE #1: Some newer DHCP clients like "pump" do NOT have this ability to run scripts
# after a lease-renew. Because of this, you need to replace it with something
# like "dhcpcd" or "dhclient".
#
# NOTE #2: The syntax for "dhcpcd" has changed in recent versions.
#
# Older versions used syntax like:
# dhcpcd -c /etc/rc.d/rc.firewall eth0
#
# Newer versions use syntax like:
# dhcpcd eth0 /etc/rc.d/rc.firewall
#
#
# PPP users:
# ----------
# If you aren't already aware, the /etc/ppp/ip-up script is always run when a PPP
# connection comes up. Because of this, we can make the ruleset go and get the
# new PPP IP address and update the strong firewall ruleset.
#
# If the /etc/ppp/ip-up file already exists, you should edit it and add a line
# containing "/etc/rc.d/rc.firewall" near the end of the file.
#
# If you don't already have a /etc/ppp/ip-up script, you need to create the following
# link to run the /etc/rc.d/rc.firewall script.
#
# ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
# * You then want to enable the #ed out shell command below *
#
#
# PPP and DHCP Users:
# -------------------
# Remove the # on the line below and place a # in front of the line after that.
#

# Test and wait for ppp0 to come online with an IP Address
errcode=1
count=0
while [ $errcode -ne 0 ] && [ $((count)) -lt 10 ]
do
extip="`/sbin/ifconfig ppp0 2> /dev/null | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
/sbin/ifconfig ppp0 > /dev/null 2> /dev/null
errcode=$?
echo $extip | grep "."
errcode=$?
echo $((count++)) > /dev/null
done

while [ $((count)) -eq 10 ]
do
echo "Failed to retrieve ppp0 settings"
exit 1
done
# For PPP users with STATIC IP addresses:
#
#extip="your.static.PPP.address"

# ALL PPP and DHCP users must set this for the correct EXTERNAL interface name
extint="ppp0"

# Assign the internal IP
intint="eth1"
intnet="192.168.0.0/24"


# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
#
ipchains -M -S 7200 10 60

#############################################################################
# Incoming, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F input
ipchains -P input REJECT

# local interface, local machines, going anywhere is valid
#
ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
#
ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT

# remote interface, any source, going to permanent PPP address is valid
#
ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT

# loopback interface is valid.
#
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

#############################################################################
# Outgoing, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F output
ipchains -P output REJECT

# local interface, any source going to local net is valid
#
ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
#
ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT

# outgoing from local net on remote interface, stuffed masquerading, deny
#
ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT

# anything else outgoing on remote interface is valid
#
ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT

# loopback interface is valid.
#
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

#############################################################################
# Forwarding, flush and set default policy of deny. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F forward
ipchains -P forward DENY

# Masquerade from local net on local interface to anywhere.
#
ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ

#
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

#End of file.
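
As an added check (this is not code from the thread), the Python script below applies ipchains' first-match evaluation to the rule set listed above: each chain is read top to bottom, the first matching rule decides, and the chain policy applies when nothing matches. Forwarded packets traverse input, then forward (where MASQ rewrites the source), then output; demasqueraded replies skip the forward chain and go straight to output. It assumes a constructed external address 203.0.113.5 for $extip and 203.0.113.80 for the web server (www.cibc.com's address is not on the page) and ignores ports, which none of the listed rules use. Walking both directions of a masqueraded HTTP connection through the chains lands every packet on an ACCEPT or MASQ rule, and because every REJECT rule in the listing carries the -l flag, any rejection would have been written to /var/log/messages, which agrees with the empty log the poster reports.

```python
"""
Added example: a first-match simulator for the ipchains rule set posted above.
Addresses marked "constructed" are placeholders, not values from the post.
"""
import ipaddress

EXTIP = "203.0.113.5"          # constructed: stands in for $extip on ppp0
INTNET = "192.168.0.0/24"      # $intnet as posted
ANY = "0.0.0.0/0"

def rule(chain, target, iface=None, src=ANY, dst=ANY, log=False):
    return {"chain": chain, "target": target, "iface": iface,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "log": log}

# The posted rules, in the order "ipchains -L" printed them.  Ports are not
# modelled because none of these rules use them.
RULES = [
    rule("input",   "ACCEPT", iface="eth1", src=INTNET),
    rule("input",   "REJECT", iface="ppp0", src=INTNET, log=True),  # anti-spoof
    rule("input",   "ACCEPT", iface="ppp0", dst=EXTIP + "/32"),
    rule("input",   "ACCEPT", iface="lo"),
    rule("input",   "REJECT", log=True),                             # catch-all
    rule("forward", "MASQ",   iface="ppp0", src=INTNET),
    rule("forward", "REJECT", log=True),
    rule("output",  "ACCEPT", iface="eth1", dst=INTNET),
    rule("output",  "REJECT", iface="ppp0", dst=INTNET, log=True),
    rule("output",  "REJECT", iface="ppp0", src=INTNET, log=True),
    rule("output",  "ACCEPT", iface="ppp0", src=EXTIP + "/32"),
    rule("output",  "ACCEPT", iface="lo"),
    rule("output",  "REJECT", log=True),
]
POLICY = {"input": "REJECT", "forward": "DENY", "output": "REJECT"}

def evaluate(chain, iface, src, dst):
    """Return (target, index) of the first matching rule in the chain, or
    (policy, None) when no rule matches.  Index counts from 0 within the chain."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(x for x in RULES if x["chain"] == chain):
        if r["iface"] in (None, iface) and src in r["src"] and dst in r["dst"]:
            return r["target"], i
    return POLICY[chain], None

def lan_to_internet(src, dst):
    """Trace a packet from a LAN host (arriving on eth1) out through ppp0."""
    trace = {"input": evaluate("input", "eth1", src, dst)}
    if trace["input"][0] != "ACCEPT":
        return trace
    trace["forward"] = evaluate("forward", "ppp0", src, dst)
    if trace["forward"][0] != "MASQ":
        return trace
    # MASQ rewrote the source to the external address before the output chain.
    trace["output"] = evaluate("output", "ppp0", EXTIP, dst)
    return trace

def internet_reply(src, lan_host):
    """Trace the server's reply: it arrives on ppp0 addressed to $extip, is
    demasqueraded to the LAN host, and then passes only the output chain."""
    trace = {"input": evaluate("input", "ppp0", src, EXTIP)}
    if trace["input"][0] == "ACCEPT":
        trace["output"] = evaluate("output", "eth1", src, lan_host)
    return trace

if __name__ == "__main__":
    server = "203.0.113.80"   # constructed: stands in for the web server
    print("LAN -> web :", lan_to_internet("192.168.0.10", server))
    print("web -> LAN :", internet_reply(server, "192.168.0.10"))
    print("spoofed    :", evaluate("input", "ppp0", "192.168.0.5", EXTIP))
    print("stray      :", evaluate("input", "ppp0", "198.51.100.9", "255.255.255.255"))
```

Each trace prints the chain name with the target and the 0-based index of the rule that decided it, so a result can be read straight off the ipchains -L listing. The last two calls show the anti-spoof rule catching a packet on ppp0 that claims an internal source, and the logged catch-all rejecting a packet for an address the firewall does not own.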
 
09-27-2001, 04:35 AM   #2
raz (Member; Registered: Apr 2001; Location: London; Posts: 408)
Sorry, I would have answered earlier but I've been moving houses over the last week and had no internet access.

Anyway I've looked at your script and it's not good, so here's one I made earlier that should work and make your system more secure.



PATH=/sbin:/bin:/usr/sbin:/usr/bin
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_vdolive
echo "1" > /proc/sys/net/ipv4/ip_forward
errcode=1
count=0
while [ $errcode -ne 0 ] && [ $((count)) -lt 10 ]
do
extip="`/sbin/ifconfig ppp0 2> /dev/null | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
/sbin/ifconfig ppp0 > /dev/null 2> /dev/null
errcode=$?
echo $extip | grep "."
errcode=$?
echo $((count++)) > /dev/null
done
while [ $((count)) -eq 10 ]
do
echo "Failed to retrieve ppp0 settings"
exit 1
done
# external interface name
extint="ppp0"
intint="eth1"
intnet="192.168.0.0/24"
# ---- changes ----
# Default policies: anything no rule accepts is rejected.
ipchains -P input REJECT
ipchains -P output REJECT
ipchains -P forward REJECT
# MASQ timeouts: TCP session, TCP after FIN, UDP (seconds)
ipchains -M -S 6800 15 200
# Masquerade the internal net; loopback and the internal interface are trusted.
ipchains -A forward -s 192.168.0.0/24 -j MASQ
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
ipchains -A input -i eth1 -s 192.168.0.0/24 -j ACCEPT
ipchains -A output -i eth1 -d 192.168.0.0/24 -j ACCEPT
# Drop NetBIOS (TCP 137-139) from anywhere.
ipchains -A input -p tcp -s 0/0 --dport 137:139 -j DENY
# Anti-spoofing: private, loopback, broadcast and unspecified addresses have no
# business arriving on the external interface; reject and log them.
ipchains -A input -i ppp0 -s 10.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i ppp0 -s 172.16.0.0/12 -d 0/0 -j REJECT -l
ipchains -A input -i ppp0 -s 192.168.0.0/16 -d 0/0 -j REJECT -l
ipchains -A input -i ppp0 -s 127.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i ppp0 -s 255.255.255.255 -j REJECT -l
ipchains -A input -i ppp0 -d 0.0.0.0 -j REJECT -l
# Reject and log incoming traceroute probes (UDP destination ports 33434-33600;
# the port range belongs after -d, a range after -s would match source ports).
ipchains -A input -p udp -s 0/0 -d $extip/32 33434:33600 -j REJECT -l
# Accept TCP to unprivileged ports (this is where masqueraded replies arrive, but as
# written it also accepts new connections to those ports; "! -y" would limit it to
# replies). Reject and log TCP to privileged ports.
ipchains -A input -p tcp -s 0/0 -d $extip/32 --dport 1023:65535 -j ACCEPT
ipchains -A input -p tcp -s 0/0 -d $extip/32 --dport 0:1023 -j REJECT -l
# Outgoing TCP from unprivileged source ports, marking the TOS minimum-delay bit.
ipchains -A output -p tcp -s 0/0 1023:65535 -d 0/0 -t 0x01 0x10 -j ACCEPT
ipchains -A output -p icmp -s 0/0 -d 0/0 -j ACCEPT
# Note: no rule accepts UDP in either direction, so with the REJECT policies DNS
# lookups from the masqueraded hosts (and from this box) will not get through
# unless UDP port 53 rules are added.
# ICMP: accept echo reply (0), destination unreachable (3), source quench (4), router
# advertisement (9), parameter problem (12), timestamp reply (14) and address mask
# reply (18); deny and log echo request (8), time exceeded (11) and router
# solicitation (10).
ipchains -A input -p icmp -s 0/0 --icmp-type 0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 3 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 4 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 9 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 12 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 14 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 18 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 8 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 11 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 10 -d 0/0 -j DENY -l
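
As an added check (not part of raz's post), the Python script below does a static review of a list of "ipchains -A" commands: it parses each rule into the fields the kernel matches on and then lists, per chain and protocol, which ACCEPT rules can apply to traffic on the external interface. Run over the rules posted above it reports that no rule accepts UDP in either direction, so with a REJECT policy the DNS queries of the masqueraded hosts, and their replies, fall through to the policy. $extip is replaced by a constructed address, and the DNS_FIX rules are a suggested addition of this example, not something raz posted.

```python
"""
Added example: parse ipchains append rules and report, per chain and protocol,
which ACCEPT rules can match traffic on the external interface.
"""
import shlex

EXTIP = "203.0.113.5"  # constructed placeholder for $extip

# The rules as posted above, with $extip substituted.
RAZ_RULES = f"""
ipchains -A forward -s 192.168.0.0/24 -j MASQ
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
ipchains -A input -i eth1 -s 192.168.0.0/24 -j ACCEPT
ipchains -A output -i eth1 -d 192.168.0.0/24 -j ACCEPT
ipchains -A input -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A input -i ppp0 -s 10.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i ppp0 -s 172.16.0.0/12 -d 0/0 -j REJECT -l
ipchains -A input -i ppp0 -s 192.168.0.0/16 -d 0/0 -j REJECT -l
ipchains -A input -i ppp0 -s 127.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i ppp0 -s 255.255.255.255 -j REJECT -l
ipchains -A input -i ppp0 -d 0.0.0.0 -j REJECT -l
ipchains -A input -p udp -s 0/0 -d {EXTIP}/32 33434:33600 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d {EXTIP}/32 --dport 1023:65535 -j ACCEPT
ipchains -A input -p tcp -s 0/0 -d {EXTIP}/32 --dport 0:1023 -j REJECT -l
ipchains -A output -p tcp -s 0/0 1023:65535 -d 0/0 -t 0x01 0x10 -j ACCEPT
ipchains -A output -p icmp -s 0/0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 3 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 4 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 9 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 12 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 14 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 18 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 8 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 11 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 10 -d 0/0 -j DENY -l
"""

# Suggested addition (this example's, not raz's): DNS queries out from the
# firewall's address and replies from port 53 back to unprivileged ports.
DNS_FIX = f"""
ipchains -A output -i ppp0 -p udp -s {EXTIP}/32 -d 0/0 --dport 53 -j ACCEPT
ipchains -A input -i ppp0 -p udp -s 0/0 --sport 53 -d {EXTIP}/32 1024:65535 -j ACCEPT
"""

VALUE_OPTS = {"-i": "iface", "-p": "proto", "-j": "target",
              "--sport": "sport", "--dport": "dport", "--icmp-type": "icmp_type"}

def parse_rule(line):
    """Parse one 'ipchains -A <chain> ...' command into a dict of match fields."""
    toks = shlex.split(line)
    if toks[:2] != ["ipchains", "-A"]:
        raise ValueError("not an append rule: " + line)
    r = {"chain": toks[2], "iface": None, "proto": None, "src": "0/0", "dst": "0/0",
         "sport": None, "dport": None, "icmp_type": None, "target": None, "log": False}
    i = 3
    while i < len(toks):
        t = toks[i]
        if t in VALUE_OPTS:
            r[VALUE_OPTS[t]] = toks[i + 1]
            i += 2
        elif t in ("-s", "-d"):
            addr, port = ("src", "sport") if t == "-s" else ("dst", "dport")
            r[addr] = toks[i + 1]
            i += 2
            if i < len(toks) and not toks[i].startswith("-"):  # port (range) after address
                r[port] = toks[i]
                i += 1
        elif t == "-t":            # TOS and/xor masks: not a match criterion
            i += 3
        elif t == "-l":
            r["log"] = True
            i += 1
        elif t in ("-y", "!"):     # SYN-only flag and negation: accepted, not used here
            i += 1
        else:
            raise ValueError(f"unhandled option {t!r} in: {line}")
    return r

def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def accept_rules(rules, chain, proto, iface="ppp0"):
    """Indices (within the chain) of ACCEPT rules that can match proto on iface."""
    hits = []
    for i, r in enumerate(x for x in rules if x["chain"] == chain):
        if (r["target"] == "ACCEPT" and r["iface"] in (None, iface)
                and r["proto"] in (None, proto)):
            hits.append(i)
    return hits

if __name__ == "__main__":
    for label, text in (("as posted", RAZ_RULES), ("with DNS_FIX", RAZ_RULES + DNS_FIX)):
        rules = parse_rules(text)
        for chain in ("input", "output"):
            for proto in ("tcp", "udp", "icmp"):
                print(f"{label:13} {chain:6} {proto:4} ACCEPT rules:",
                      accept_rules(rules, chain, proto))
```

An empty list for a chain/protocol pair means that traffic can only end at the chain policy, which in this script is REJECT; the check is deliberately coarse (it ignores addresses and ports) so that it errs towards reporting a possible accept rather than hiding one.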
 
  

