September 25th, 2002, 01:26 AM
#1
Senior Member
Help with setting up ipchains firewall
Ok, so I found out I don't know much about TCP/IP and firewalls. But I couldn't find any documents on the internet on this topic (maybe I was searching wrong... I don't know).
So I was hoping you guys would help. I found out the problem with my first setup: I was blocking all the local ports (ports > 1024). So that meant I couldn't make a successful TCP connection with any service.
I read something about the -y flag with ipchains in a few documents, but none of them clearly explained what it does. I was basically shooting in the dark with trial and error with the -y flag everywhere. Here's my current config:
(Input)
target prot opt source dest ports
ACCEPT tcp -y---- 0.0.0.0/0 192.168.2.196 * -> 25
ACCEPT tcp -y---- 192.168.2.0/24 192.168.2.196 * -> 110
ACCEPT icmp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
Forward (policy accept)
Output:
ACCEPT tcp -y---- 192.168.2.196 0/0 20 -> *
ACCEPT tcp -y--- 192.168.2.196 0/0 * -> 53
ACCEPT udp -y--- 192.168.2.196 0/0 * -> 53
ACCEPT tcp -y---- 192.168.2.196 0.0.0.0/0 * -> 25
DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
I know something is wrong, but what? Could someone explain what the -y flag is and how to use it?
Thanks
-Mike
Either get busy living or get busy dying.
-The Shawshank Redemption
September 25th, 2002, 04:31 AM
#2
Got this off the ipchains manual:
*******************************
Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. This option is only meaningful when the protocol type is set to TCP. If the "!" flag precedes the "-y", the sense of the option is inverted.
********************************
I could be totally wrong, but I think that this is ipchains' method of allowing TCP replies to outbound TCP traffic, because TCP traffic, unlike UDP traffic, establishes a connection where the computers can talk back and forth over the one TCP session.
If my assumption is correct, if you left the "-y" out of the rule, your SYN packet would be allowed to leave your machine, but the destination host's "SYN/ACK" packet would be blocked.
Feel free to correct me if I am wrong....
SoggyBottom.
There were so many fewer questions when the stars were still just the holes to heaven - JJ
I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.
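To make the manual text above concrete, here is an added example (not code from either poster or from the ipchains project): a small Python simulator of ipchains' first-match chain evaluation and of exactly what -y matches (SYN set, ACK and FIN cleared). It transcribes the posted input and output chains, walks a LAN client's POP3 three-way handshake through them, and then does the same against a stateless rule set that uses -y only where it belongs. The host address 192.168.2.196 and the LAN prefix are from the post; the client address 192.168.2.10 and port 40000 are constructed.

```python
"""Added example: simulate ipchains -y matching and first-match chains.
Purely illustrative; nothing here touches the kernel."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    fin: bool = False

    def is_connection_request(self) -> bool:
        """Exactly what ipchains -y matches: SYN set, ACK and FIN cleared."""
        return self.proto == "tcp" and self.syn and not (self.ack or self.fin)


@dataclass(frozen=True)
class Rule:
    target: str                    # "ACCEPT" or "DENY"
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None    # None stands for "*"
    dport: Optional[int] = None
    syn: Optional[bool] = None     # True = "-y", False = "! -y", None = flag absent

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        # "-y" narrows the rule to connection requests; "! -y" to everything else.
        if self.syn is not None and self.syn != p.is_connection_request():
            return False
        return True


def verdict(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides, as in ipchains; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


HOST, LAN, CLIENT = "192.168.2.196", "192.168.2.0/24", "192.168.2.10"  # CLIENT is constructed

# The chains as posted (the udp "-y" lines are dropped: -y is only meaningful for TCP).
POSTED_INPUT = [
    Rule("ACCEPT", "tcp", dst=HOST, dport=25, syn=True),
    Rule("ACCEPT", "tcp", src=LAN, dst=HOST, dport=110, syn=True),
    Rule("ACCEPT", "icmp"),
    Rule("DENY", "tcp"),
    Rule("DENY", "udp"),
]
POSTED_OUTPUT = [
    Rule("ACCEPT", "tcp", src=HOST, sport=20, syn=True),
    Rule("ACCEPT", "tcp", src=HOST, dport=53, syn=True),
    Rule("ACCEPT", "tcp", src=HOST, dport=25, syn=True),
    Rule("DENY", "tcp"),
    Rule("DENY", "udp"),
]

# Stateless alternative: served ports accept the whole session (no -y); replies to the
# host's own outbound connections are let in with "! -y", so they can never open one.
FIXED_INPUT = [
    Rule("ACCEPT", "tcp", dst=HOST, dport=25),               # inbound SMTP sessions
    Rule("ACCEPT", "tcp", src=LAN, dst=HOST, dport=110),     # inbound POP3, LAN only
    Rule("ACCEPT", "tcp", dst=HOST, sport=25, syn=False),    # replies to outbound SMTP
    Rule("ACCEPT", "tcp", dst=HOST, sport=53, syn=False),    # replies to outbound DNS
    Rule("ACCEPT", "udp", dst=HOST, sport=53),
    Rule("ACCEPT", "icmp"),
    Rule("DENY", "tcp"),
    Rule("DENY", "udp"),
]
FIXED_OUTPUT = [
    Rule("ACCEPT", "tcp", src=HOST, sport=25),               # our SMTP server answering
    Rule("ACCEPT", "tcp", src=HOST, sport=110, dst=LAN),     # our POP3 server answering
    Rule("ACCEPT", "tcp", src=HOST, dport=25),               # outbound mail delivery
    Rule("ACCEPT", "tcp", src=HOST, dport=53),
    Rule("ACCEPT", "udp", src=HOST, dport=53),
    Rule("DENY", "tcp"),
    Rule("DENY", "udp"),
]


def pop3_handshake(inp: List[Rule], out: List[Rule]) -> List[Tuple[str, str]]:
    """Verdict for each packet of a LAN client's POP3 handshake; stops at the first DENY."""
    steps = [
        ("client SYN", inp, Packet("tcp", CLIENT, HOST, 40000, 110, syn=True)),
        ("server SYN/ACK", out, Packet("tcp", HOST, CLIENT, 110, 40000, syn=True, ack=True)),
        ("client ACK", inp, Packet("tcp", CLIENT, HOST, 40000, 110, ack=True)),
    ]
    results = []
    for name, chain, pkt in steps:
        v = verdict(chain, pkt)
        results.append((name, v))
        if v == "DENY":
            break
    return results


if __name__ == "__main__":
    print("posted:", pop3_handshake(POSTED_INPUT, POSTED_OUTPUT))
    print("fixed: ", pop3_handshake(FIXED_INPUT, FIXED_OUTPUT))
```

Running it shows the posted chains accept the client's SYN but deny the server's SYN/ACK on the output chain, because that packet has ACK set and so is not a "-y" packet, and every other TCP packet falls through to the DENY line. The fixed chains pass all three packets, while an inbound SYN arriving with source port 25 is still denied, since the "! -y" reply rule refuses connection requests.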
September 25th, 2002, 09:54 PM
#3
Senior Member
I tried getting POP3 to work first, by first setting ! -y in both input and output, then tried -y in both input and output, then just -y in input, but still no luck.