How-To: single machine ipchains firewall on RH7 2

Status
Not open for further replies.

goBoating

Programmer
Feb 8, 2000
1,606
US
For several months, during evenings and weekends, I have been building
a RH7 replacement for my Win98. RH7 is installed and works as expected.
I installed a new network card to talk to my DSL and that works.

I have done a fair amount of reading about setting up a firewall with
ipchains but I am having trouble clearing the fog. All of the examples and
discussions on ipchains that I have found describe setting up a machine
as a firewall between the internet and an intranet of some other machines
using two ethernet interfaces. However, I just have the one machine with one
interface, eth0. I need to set up some ipchains rules that will close my
machine and then allow my machine to use the internet and to run an Apache
web server.

I can see how these turn off the three streams (input, output, and forward):
/sbin/ipchains -P input DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -P forward DENY

[...working from memory - I might have the wrong tag, '-j' or other not quite right]

THE QUESTION: once everything is DENIED, is it possible to add two rules?
One that will allow TCP traffic to/from the world that is initiated by my machine?
And a second to allow TCP traffic from the world to hit Apache on port 80?

I have tried a number of rules, but, I must be approaching the idea incorrectly.
I have tried a number of rule configurations with no luck.
It seems like I should be able to add two fairly straightforward lines to get the
desired effect.

Any examples or pointers to good ipchains primers would be appreciated.

Thanks


keep the rudder amid ship and beware the odd typo
 
Hi,

Firstly, are you aware that RH 7.x ships with a firewall named 'lokkit' that can be configured through graphical screens? To administer it just enter 'lokkit' from the console or 'gnome-lokkit' from an Xterm. If it's not installed, the RPMs you want are of the same name (you only really need 'lokkit' - 'gnome-lokkit' is just a graphical front-end).

If you want to do it yourself then it's not that difficult. Basically you set a default policy to allow everything or deny everything and then code the exception rules. For example, if your default is 'DENY' you just code for the situations you wish to accept. If you want to set a default of 'ALLOW' you need to code rules that block what you want to block. There are three default chains: (i) input deals with packets arriving at the firewall for the firewall, (ii) output deals with packets originating at the firewall going out, (iii) forward deals with packets passing through the firewall - typically to other machines on a LAN. So, for you, you only need to code for 'input' and 'output' and to deny all forwarding.





So (with ipchains) you do something like this:

# flush all existing chains
ipchains -F

# default policies
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY

# allow tcp all ports if not originating outside
ipchains -A output -i eth0 -p tcp -s 172.16.16.1 -d any/0 -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s any/0 -d 172.16.16.1 -j ACCEPT

# this allows dns lookup via udp port 53
ipchains -A output -i eth0 -p udp -s 172.16.16.1 -d any/0 53 -j ACCEPT
ipchains -A input -i eth0 -p udp -s any/0 53 -d 172.16.16.1 1024:65535 -j ACCEPT

# allow inbound (http)
ipchains -A input -i eth0 -p tcp -s any/0 1024:65535 -d 172.16.16.1 80 -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y -s 172.16.16.1 80 -d any/0 1024:65535 -j ACCEPT

# allow inbound (ssl)
ipchains -A input -i eth0 -p tcp -s any/0 1024:65535 -d 172.16.16.1 443 -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y -s 172.16.16.1 443 -d any/0 1024:65535 -j ACCEPT

And so on..
In the above example I've used '172.16.16.1' for your eth0 IP address. Obviously, substitute your actual address, or if it's dynamically allocated (via DHCP) you could just use 'any/0' which will match any IP address.

The problem you may find with a default of deny is that you stop some services like RealAudio (insofar as they use UDP) until you have coded some accept rules. I just coded for port 53 above - you could accept any UDP packets by removing the '53' but, if so, you can't block inbound connection attempts because, unlike TCP, there is no 'SYN' flag to indicate an initiation attempt (the '! -y' in the rules above means NOT SYN).

Hope this is clear enough. Regards
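Added example, not code from ifincham's post: a POSIX sh script that generates the single-host ruleset above for any interface, host address (or 'any/0' under DHCP) and list of served TCP ports, plus a check that flags any input rule which would let new TCP connections (SYN) reach every port instead of just the served ones. eth0 and 172.16.16.1 are the same placeholders used in the post.

```sh
#!/bin/sh
# gen_rules <iface> <host-ip|any/0> [<tcp-port> ...]  -> prints ipchains commands
gen_rules() {
    iface=$1; me=$2; shift 2
    echo "ipchains -F"                      # flush existing rules
    echo "ipchains -P input DENY"           # default deny on all three chains
    echo "ipchains -P output DENY"
    echo "ipchains -P forward DENY"         # single host: never forward
    # client TCP: anything out; only non-SYN (reply) packets back in
    echo "ipchains -A output -i $iface -p tcp -s $me -d any/0 -j ACCEPT"
    echo "ipchains -A input -i $iface -p tcp ! -y -s any/0 -d $me -j ACCEPT"
    # DNS: queries to port 53 out, answers only to an unprivileged local port
    echo "ipchains -A output -i $iface -p udp -s $me -d any/0 53 -j ACCEPT"
    echo "ipchains -A input -i $iface -p udp -s any/0 53 -d $me 1024:65535 -j ACCEPT"
    # one pair per served port: SYN allowed in to that port, non-SYN replies out
    for port in "$@"; do
        echo "ipchains -A input -i $iface -p tcp -s any/0 1024:65535 -d $me $port -j ACCEPT"
        echo "ipchains -A output -i $iface -p tcp ! -y -s $me $port -d any/0 1024:65535 -j ACCEPT"
    done
}

# check_rules: reads a ruleset on stdin and prints every 'input ... -p tcp ... ACCEPT'
# rule that neither excludes SYN ('! -y') nor names a destination port, i.e. a rule
# that would open every TCP port to new connections. Exit status 1 if any were found.
check_rules() {
    awk '
    /-A input/ && /-p tcp/ && /-j ACCEPT/ && !/! -y/ {
        n = 0
        for (i = 1; i <= NF; i++) if ($i == "-d") n = i
        # a port follows "-d <addr>" only if the next field is not another option
        if (n == 0 || n + 2 > NF || $(n + 2) ~ /^-/) { print; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# usage: print the ruleset for the setup in the post (pipe it into sh to apply)
gen_rules eth0 172.16.16.1 80 443
```

Run `gen_rules ... | check_rules` before applying a hand-edited ruleset; a clean run prints nothing and exits 0.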
 
excellent - thanks for the timely and informative response.

I must say.....
I have participated in TTs for a while now in the Perl and CGI forums. I wondered whether or not the quality of assistance in the Perl and CGI forums was above average for TTs or was it just typical of the entire TT community. The timeliness and quality of the responses I have received in the Linux forums indicates that there are at least four very good online resources on the net.
Tek-Tips:
Linux/Server
Linux/Desktop
Perl
CGI.

many thanks to ifincham


keep the rudder amid ship and beware the odd typo
 