Help with setting up ipchains firewall

  1. #1 (Senior Member, joined Apr 2002, 214 posts)

    Help with setting up ipchains firewall

    Ok, so I found out I don't know much about TCP/IP and firewalls. But I couldn't find any documents on the internet on this topic (maybe I was searching wrong... I don't know).

    So I was hoping you guys would help. I found out the problem with my first setup: I was blocking all the local ports (ports > 1024). So, that meant I couldn't make a successful tcp connection with any service.

    I read something about the -y flag with ipchains in a few documents, but none of them clearly explained what it does. I was basically shooting in the dark with trial and error with the -y flag everywhere. Here's my current config:

    Input:
    target prot opt source dest ports
    ACCEPT tcp -y---- 0.0.0.0/0 192.168.2.196 * -> 25
    ACCEPT tcp -y---- 192.168.2.0/24 192.168.2.196 * -> 110
    ACCEPT icmp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
    DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
    DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> *

    Forward (policy accept)

    Output:
    ACCEPT tcp -y---- 192.168.2.196 0/0 20 -> *
    ACCEPT tcp -y---- 192.168.2.196 0/0 * -> 53
    ACCEPT udp ------ 192.168.2.196 0/0 * -> 53
    ACCEPT tcp -y---- 192.168.2.196 0.0.0.0/0 * -> 25
    DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
    DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> *


    I know something is wrong, but what? Could someone explain what the -y flag is and how to use it?

    Thanks
    -Mike
    Either get busy living or get busy dying.

    -The Shawshank Redemption

  2. #2 (Senior Member, joined Jan 2002, 371 posts)
    Got this off the ipchains manual:

    *******************************
    Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. This option is only meaningful when the protocol type is set to TCP. If the "!" flag precedes the "-y", the sense of the option is inverted.
    ********************************

    I could be totally wrong, but I think that this is ipchains' method of allowing TCP replies to outbound TCP traffic, because TCP traffic, unlike UDP traffic, establishes a connection where the computers can talk back and forth over the one TCP session.

    If my assumption is correct, if you left the "-y" out of the rule, your SYN packet would be allowed to leave your machine, but the destination host's "SYN/ACK" packet would be blocked.

    Feel free to correct me if I am wrong....
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ
    I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.
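A small Python model of the -y semantics quoted above, added as an illustration and not code from this thread or from ipchains itself: it runs the three packets of an outbound SMTP handshake through the posted INPUT and OUTPUT chains (reduced to the TCP rules such a session can hit) and then through the same chains with a `! -y` rule added. The host 192.168.2.196 is from the post; the remote address 203.0.113.5 and client port 1034 are constructed.

```python
import ipaddress
SYN, ACK, FIN = 0x02, 0x10, 0x01  # TCP flag bits

def is_syn_only(flags):
    """Exactly what ipchains -y matches: SYN set, ACK and FIN clear."""
    return bool(flags & SYN) and not flags & (ACK | FIN)

def rule(target, proto, src, dst, dports=(0, 65535), y=None):
    """y=True models '-y', y=False models '! -y', None means no flag test."""
    return dict(target=target, proto=proto, src=ipaddress.ip_network(src),
                dst=ipaddress.ip_network(dst), dports=dports, y=y)

def matches(r, pkt):
    proto, src, dst, dport, flags = pkt
    if (r["proto"] != proto or ipaddress.ip_address(src) not in r["src"]
            or ipaddress.ip_address(dst) not in r["dst"]):
        return False
    if not r["dports"][0] <= dport <= r["dports"][1]:
        return False
    # A '-y' rule only sees pure SYNs; a '! -y' rule only sees everything else
    return r["y"] is None or is_syn_only(flags) == r["y"]

def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule wins, as in ipchains; fall back to the chain policy."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

HOST, ANY = "192.168.2.196/32", "0.0.0.0/0"
# The posted chains, reduced to the TCP rules an outbound SMTP session can hit
INPUT_ORIG = [rule("ACCEPT", "tcp", ANY, HOST, (25, 25), y=True),
              rule("ACCEPT", "tcp", "192.168.2.0/24", HOST, (110, 110), y=True),
              rule("DENY", "tcp", ANY, ANY)]
OUTPUT_ORIG = [rule("ACCEPT", "tcp", HOST, ANY, (25, 25), y=True),
               rule("DENY", "tcp", ANY, ANY)]
# The fix: let the non-SYN half of a session through (replies land on ports > 1023)
INPUT_FIXED = INPUT_ORIG[:2] + [rule("ACCEPT", "tcp", ANY, HOST, (1024, 65535), y=False)] + INPUT_ORIG[2:]
OUTPUT_FIXED = OUTPUT_ORIG[:1] + [rule("ACCEPT", "tcp", HOST, ANY, y=False)] + OUTPUT_ORIG[1:]

# Constructed handshake: 192.168.2.196 (client port 1034) mails out to 203.0.113.5:25
PEER = "203.0.113.5"
SYN_OUT = ("tcp", "192.168.2.196", PEER, 25, SYN)            # leaves via OUTPUT
SYNACK_IN = ("tcp", PEER, "192.168.2.196", 1034, SYN | ACK)  # returns via INPUT
ACK_OUT = ("tcp", "192.168.2.196", PEER, 25, ACK)            # completes via OUTPUT

def handshake(inp, out):
    """Verdicts for the three handshake packets, in order."""
    return (verdict(out, SYN_OUT), verdict(inp, SYNACK_IN), verdict(out, ACK_OUT))

print(handshake(INPUT_ORIG, OUTPUT_ORIG), handshake(INPUT_FIXED, OUTPUT_FIXED))
```

With the posted chains only the initial SYN gets out; the SYN/ACK is denied on INPUT and the final ACK on OUTPUT, which is exactly the symptom of putting -y on every rule.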

  3. #3 (Senior Member, joined Apr 2002, 214 posts)
    I tried getting POP3 to work first, by first setting ! -y in both input and output, then tried -y in both input and output, then just -y in input, but still no luck.