[lug] FW: ipchains incongruity

D. Stimits stimits at idcomm.com
Thu Mar 22 11:42:46 MST 2001


I'm not familiar with the icmp rules, so I won't comment on them. I am
assuming this is a 2.4.x kernel? Also, there were no logged input
denies, so I won't comment on those, the problem is in output rules. One
possible snafu to mention ahead of time is that if you alter rules in
your "ipchains" file, and don't restart ipchains the correct way, you
could end up simply appending more rules and leaving the old ones in
place...infinite append. It might be a good idea to add flush rules (-F)
for each chain at the top of your file. I'm not sure if the startup
scripts for your distribution are smart enough to flush old rules before
running the file, but it wouldn't hurt to intentionally flush old rules
before appending new.

"Atkinson, Chip" wrote:
> 
> Greetings,
> 
> I am trying to get ipchains working on my machine and seem to be getting
> contradictory results.  The log shows denial yet the test using what I
> believe to be the data from the log entry shows acceptance.
> 
> It looks like output is getting denied, yet both input and output rules
> allow smtp
> in both directions, at least as far as I can tell.  What am I missing?
> 
> Thanks in advance.
> Chip
> 
... 
> Mar 22 07:16:30 poodle kernel: Packet log: output DENY ppp0 PROTO=6
> 199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54145 F=0x4000 T=64
> (#6)
> 
... 
> Mar 22 07:16:33 poodle kernel: Packet log: output DENY ppp0 PROTO=6
> 199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54159 F=0x4000 T=64
> (#6)
> 
> Mar 22 07:16:34 poodle kernel: Packet log: output DENY ppp0 PROTO=6
> 199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54166 F=0x4000 T=64
> (#6)
> 
> Mar 22 07:16:40 poodle kernel: Packet log: output DENY ppp0 PROTO=6
> 199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54193 F=0x4000 T=64
> (#6)

PROTO=6 will mean a tcp rule, so ignore any other protocol.

> 
> [root at poodle chains]# ipchains -L
> Chain input (policy ACCEPT):
> target     prot opt     source                destination           ports
...
> ACCEPT     tcp  ----l-  anywhere             anywhere              any ->
> smtp
...
> Chain output (policy ACCEPT):
> target     prot opt     source                destination           ports
...
> ACCEPT     tcp  ----l-  anywhere             anywhere              any ->
> smtp

smtp is relevant since port 25 is what failed on output.

...
> DENY       all  ----l-  anywhere             anywhere              n/a
> Chain icmp-acc (2 references):
> target     prot opt     source                destination           ports
...
> DENY       all  ----l-  anywhere             anywhere              n/a
> [root at poodle chains]#
> 
> [root at poodle chains]# cat ipchains
> #!/bin/bash

Maybe add flush rules here.

> #ipchains -P input  DENY -i ppp0
> #ipchains -P output  DENY -i ppp0
> #ipchains -P forward DENY -i ppp0
...
> 
> ipchains -A output -p icmp -i ppp0 -j icmp-acc
> ipchains -A output -p tcp -i ppp0 -s 0/0 -d 0/0 smtp -j ACCEPT -l
> ipchains -A output -p tcp -i ppp0 -d 0/0 ssh  -j ACCEPT -l
> ipchains -A output -p udp -i ppp0 -d 0/0 ssh  -j ACCEPT -l
> ipchains -A output -p tcp -i ppp0 -s 199.45.150.249 -d 199.45.150.1 telnet
> -j ACCEPT -l

The failed parts above are all port 25 tcp, smtp stuff. The above rule
is for telnet port only, so there is no ACCEPT for port 25 (I assume you
are sending email). Try adding a copy of this rule above, but instead of
"telnet", name port 25.

> ipchains -A output -i ppp0 -j DENY -l

Without a prior rule to accept output other than for port 23 (telnet),
you have now denied a large number of ports, including port 25.

> 
> exit
> 

D. Stimits, stimits at idcomm.com

PS: denial is a good thing. Even while writing this response, I had
someone testing my rpc port.
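As an added illustration (not code from the original post or from either writer), the following Python script parses one of the logged packet lines quoted above and replays it against a first-match model of the quoted output rules, so the "log says DENY, manual test says accept" question can be checked mechanically. It assumes the elided rules and the icmp jump do not affect tcp port-25 traffic, and that in ipchains the port named after -s is the source port and the one after -d is the destination port.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of one of the packet log lines quoted in the post.
LOG_LINE = ("Mar 22 07:16:30 poodle kernel: Packet log: output DENY ppp0 PROTO=6 "
            "199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54145 F=0x4000 T=64 (#6)")

LOG_RE = re.compile(r"Packet log: (\w+) (\w+) (\S+) PROTO=(\d+) "
                    r"(\d+\.\d+\.\d+\.\d+):(\d+) (\d+\.\d+\.\d+\.\d+):(\d+)")

def parse_log(line):
    """Pull chain, verdict, interface, protocol and src/dst address:port from a log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipchains packet log line")
    chain, verdict, iface, proto, src, sport, dst, dport = m.groups()
    return {"chain": chain, "verdict": verdict, "iface": iface, "proto": int(proto),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

@dataclass
class Rule:
    """One chain entry; None means 'any'. sport is the port after -s, dport the port after -d."""
    target: str
    proto: Optional[int] = None   # 6 = tcp, 17 = udp
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

def matches(rule, pkt):
    return all(getattr(rule, f) is None or getattr(rule, f) == pkt[f]
               for f in ("proto", "src", "sport", "dst", "dport"))

def evaluate(chain, pkt):
    """First match wins, as in ipchains. Returns (1-based rule index, target) or (None, 'POLICY')."""
    for i, rule in enumerate(chain, 1):
        if matches(rule, pkt):
            return i, rule.target
    return None, "POLICY"

# The tcp/udp output rules quoted in the post; elided lines and the icmp jump are left out (assumption).
OUTPUT_CHAIN = [
    Rule("ACCEPT", proto=6, dport=25),   # -p tcp -s 0/0 -d 0/0 smtp -j ACCEPT
    Rule("ACCEPT", proto=6, dport=22),   # -p tcp -d 0/0 ssh -j ACCEPT
    Rule("ACCEPT", proto=17, dport=22),  # -p udp -d 0/0 ssh -j ACCEPT
    Rule("ACCEPT", proto=6, src="199.45.150.249", dst="199.45.150.1", dport=23),  # telnet
    Rule("DENY"),                        # -i ppp0 -j DENY -l  (catch-all)
]
```

Calling evaluate(OUTPUT_CHAIN, parse_log(LOG_LINE)) reports which quoted rule the logged packet reaches, and feeding it a packet with dport=25 instead shows how an outbound SMTP connection fares under the same rules.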


