
Ipchains/firewall


seanf77 (IS-IT--Management)
Oct 11, 2001
I am new to firewalling with Linux, and so I found this nifty command-line utility called PMFirewall. It asks you a bunch of questions (what is your external interface, etc.) and then generates a script which basically uses a bunch of ipchains rule sets. I told it to free up port 80, so that I can use the web from my clients. However, as a test, instead of setting the rule to accept packets on port 80 I told it to DENY, thus expecting my ability to access the web to be interrupted. However, this was not the case. After flushing out and reloading the rule set, I am still able to access the web. I tried manually writing an rc.firewall script and had the same problems... seems like it will accept everything regardless of the rules... What am I doing wrong? Are there any other decent GUI (or non-GUI) firewall utilities out there?

Thanks!
 
If your distro came with Lokkit, you might try using that; it's much easier for newbies. I'm confused about the web access though. Are you saying people can access your webserver from the outside world after blocking port 80? Port 80 is the port web browsers use as default. Unless your DNS record tells them something else AND you have httpd.conf listening on other ports, the problem is with your ipchains. If you are saying that you can access the web after blocking port 80, then that would be correct, since web browsers don't use port 80 to access the web, only to access web servers. One other reason you may be able to connect to your server is if your machine is set to the same domain and IP as your server. In that case it will try to access the server through loopback, or 127.0.0.1. This usually happens if you have BindAddress * or Listen * in httpd.conf. Try to access your server from the outside world to see if it is actually letting people in on the blocked port.
 
Hi,

Need a bit more detail on what your setup is. Are you sure that iptables is not active (you can't use both ipchains and iptables)? Your active rules can be listed thus (as root):

/sbin/iptables -L

or

/sbin/ipchains -L

If you are talking about accessing the web from another machine via the Linux box, then you may have coded the wrong chains. With ipchains that needs you to code all three of the input -> forward -> output chains. By comparison, iptables only requires coding the forward chain, and sometimes this causes problems, as people code input / output (which affect the Linux box itself) but not the forward chain.

Some other firewall generators: Firestarter; Shorewall / Shoreline (iptables based).

Regards
 

You wanted not to be able to access external webservers as a test, right?

ipchains -A output -p tcp -s 0/0 -d 0/0 80 -j DENY

A piece of advice for everyone who depends on PMfirewall or lokkit, or some vendor-provided utility script to firewall your box: don't. Learn the rules yourself and at least become familiar with them. man ipchains

Happy Holidays.
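To make the two points above concrete (the chains a forwarded packet traverses in ipchains, and where a "block the clients' web access" DENY has to sit), here is a small rc.firewall for a masquerading gateway. It is an added example, not code from this thread, from PMFirewall or from Lokkit; the interface names eth0/eth1 and the LAN 192.168.1.0/24 are assumptions, and the DRYRUN switch is a convenience added here so the rule set can be read before it is loaded.

```shell
#!/bin/sh
# Added example, not from the thread or from PMFirewall: a minimal
# rc.firewall for a Linux 2.2 ipchains gateway masquerading one LAN, with
# the "deny web for the clients" test rule placed on a chain the forwarded
# packets actually pass through. Interface names and LAN are assumptions.

EXT_IF=eth0              # assumed: interface towards the Internet
INT_IF=eth1              # assumed: interface towards the Windows client(s)
LAN=192.168.1.0/24       # assumed: internal network behind the gateway
IPCHAINS=/sbin/ipchains

# With DRYRUN set, print each rule instead of loading it, so the set can be
# read through (and compared with "ipchains -L -n") before it is made live.
run() {
    if [ -n "$DRYRUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

build_rules() {
    # Start from a known state: flush everything, then drop by default on
    # input and forward. DENY discards silently (a scanner reports the port
    # as "stealth"); REJECT would answer with an ICMP error ("closed").
    run "$IPCHAINS" -F
    run "$IPCHAINS" -P input DENY
    run "$IPCHAINS" -P forward DENY
    run "$IPCHAINS" -P output ACCEPT

    # Traffic addressed to the gateway itself, or arriving from the LAN.
    run "$IPCHAINS" -A input -i lo -j ACCEPT
    run "$IPCHAINS" -A input -i "$INT_IF" -s "$LAN" -j ACCEPT

    # Replies from the Internet to connections opened from inside: TCP that
    # is not a bare SYN (! -y) and UDP, to unprivileged ports. This opens no
    # service on the gateway; a probe to an ACCEPTed port with no daemon
    # behind it gets a TCP RST from the kernel, which scanners show as
    # "closed" rather than "open".
    run "$IPCHAINS" -A input -i "$EXT_IF" -p tcp ! -y -d 0/0 1024:65535 -j ACCEPT
    run "$IPCHAINS" -A input -i "$EXT_IF" -p udp -d 0/0 1024:65535 -j ACCEPT

    # A forwarded packet from the client walks input (on $INT_IF) -> forward
    # -> output (on $EXT_IF). A port-80 DENY on the input chain of $EXT_IF
    # never sees the client's request; it would only block connections from
    # the Internet to a web server running on the gateway. So the test rule
    # goes on the forward chain, and before the MASQ rule, because the first
    # matching rule decides. (IP forwarding itself is enabled separately via
    # /proc/sys/net/ipv4/ip_forward.)
    run "$IPCHAINS" -A forward -p tcp -s "$LAN" -d 0/0 80 -j DENY
    run "$IPCHAINS" -A forward -s "$LAN" -d 0/0 -j MASQ
}

# "rc.firewall start" loads the rules; "rc.firewall show" only prints them.
case "$1" in
    start) build_rules ;;
    show)  DRYRUN=1 build_rules ;;
esac
```

The same DENY works on the output chain restricted to the external interface (as in the rule posted above), since forwarded packets traverse that chain too; what does not work is placing it on the input chain of the external interface, where the client's outbound request never appears. Removing the DENY line restores the clients' web access without touching anything else.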
 
Sorry for all the confusion. I think I see the error in my ways though. Here is my setup: I have a Linux box acting as a firewall/gateway/masq, with a Windows box sitting behind it. I originally thought that if I closed down port 80 on the firewall, that my Windows box would not be able to access the web. However, I realize now that I was applying this rule to the input chain on the external interface, and not the output chain (does this make sense?). But from what everyone has said an internal web client does not use port 80 to access the Internet?

My next question is that I was playing around with different ports and using Shields Up! to see what kind of results I would get. Not sure how accurate Shields Up really is, but I noticed that, for example, when I did not apply any ipchains rule to port 21, it would show up in Shields Up as being in Stealth mode. If I told it to accept packets on port 21, it shows up as being closed (I expected Shields Up to come back and say it was open). Does this also make sense?

Thanks everyone in advance for your help...sorry for all of the dumb questions :)
 