FW: [lug] FW: ipchains incongruity

D. Stimits stimits at idcomm.com
Thu Mar 22 12:03:50 MST 2001


"Atkinson, Chip" wrote:
> 
> Sorry. I hit send before finishing.  Here's the right version:
> 
> -----Original Message-----
> From: Atkinson, Chip
> Sent: Thursday, March 22, 2001 11:50 AM
> To: 'lug at lug.boulder.co.us'
> Subject: RE: [lug] FW: ipchains incongruity
> 
> Thanks for the reply.  Sorry for leaving out all that information.  The
> kernel I'm using is a 2.2 kernel.  I run the script, check to see if it
> works and if it doesn't, which has been the case, run ipchains -F to restore
> to the working original configuration.  I'm not putting the rules into any
> place that they could be run automatically.
> 
> The weird thing is that I take the deny message from the log and make the
> test command and it replies accepted.
> 
> Thus, I take
> Mar 22 07:16:30 poodle kernel: Packet log: output DENY ppp0 PROTO=6
> 199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54145 F=0x4000 T=64 (#6)
> 
> and make the command
> ipchains -C output -i ppp0 -s 199.45.159.249 25 -d 199.45.150.1 smtp
> and get accepted.

I see the above ipchains -C and wonder about something. The source is
explicitly port 25. The destination is also smtp, or port 25. In order
for this one to accept, both source and destination must be port 25.
When using email sends, only the destination will be port 25, unless you
are winning the lottery that day. Try with source allowing any port.

> 
> That's why I'm puzzled.
> 
> Sorry again for the previous bogus post.
> 
> Chip
> 
> > -----Original Message-----
> > From: D. Stimits [mailto:stimits at idcomm.com]
> > Sent: Thursday, March 22, 2001 11:43 AM
> > To: lug at lug.boulder.co.us
> > Subject: Re: [lug] FW: ipchains incongruity
> >
> >
> > I'm not familiar with the icmp rules, so I won't comment on them. I am
> > assuming this is a 2.4.x kernel? Also, there were no logged input
> > denies, so I won't comment on those; the problem is in output rules. One
> > possible snafu to mention ahead of time is that if you alter rules in
> > your "ipchains" file, and don't restart ipchains the correct way, you
> > could end up simply appending more rules and leaving the old ones in
> > place...infinite append. It might be a good idea to add flush rules (-F)
> > for each chain at the top of your file. I'm not sure if the startup
> > scripts for your distribution are smart enough to flush old rules before
> > running the file, but it wouldn't hurt to intentionally flush old rules
> > before appending new.
> >
> > "Atkinson, Chip" wrote:
> > >
> > > Greetings,
> > >
> > > I am trying to get ipchains working on my machine and seem to be getting
> > > contradictory results.  The log shows denial yet the test using what I
> > > believe to be the data from the log entry shows acceptance.
> > >
> > > It looks like output is getting denied, yet both input and output rules
> > > allow smtp in both directions, at least as far as I can tell.  What am
> > > I missing?
> > >
> > > Thanks in advance.
> > > Chip
> > >
> > ...
> > > Mar 22 07:16:30 poodle kernel: Packet log: output DENY ppp0 PROTO=6
> > > 199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54145 F=0x4000 T=64 (#6)
> > >
> > ...
> > > Mar 22 07:16:33 poodle kernel: Packet log: output DENY ppp0 PROTO=6
> > > 199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54159 F=0x4000 T=64 (#6)
> > >
> > > Mar 22 07:16:34 poodle kernel: Packet log: output DENY ppp0 PROTO=6
> > > 199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54166 F=0x4000 T=64 (#6)
> > >
> > > Mar 22 07:16:40 poodle kernel: Packet log: output DENY ppp0 PROTO=6
> > > 199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54193 F=0x4000 T=64 (#6)
> >
> > PROTO=6 will mean a tcp rule, so ignore any other protocol.
> >
> > >
> > > [root at poodle chains]# ipchains -L
> > > Chain input (policy ACCEPT):
> > > target     prot opt     source                destination           ports
> > ...
> > > ACCEPT     tcp  ----l-  anywhere             anywhere              any ->   smtp
> > ...
> > > Chain output (policy ACCEPT):
> > > target     prot opt     source                destination           ports
> > ...
> > > ACCEPT     tcp  ----l-  anywhere             anywhere              any ->   smtp
> >
> > smtp is relevant since port 25 is what failed on output.
> >
> > ...
> > > DENY       all  ----l-  anywhere             anywhere              n/a
> > > Chain icmp-acc (2 references):
> > > target     prot opt     source                destination           ports
> > ...
> > > DENY       all  ----l-  anywhere             anywhere              n/a
> > > [root at poodle chains]#
> > >
> > > [root at poodle chains]# cat ipchains
> > > #!/bin/bash
> >
> > Maybe add flush rules here.
> >
> > > #ipchains -P input  DENY -i ppp0
> > > #ipchains -P output  DENY -i ppp0
> > > #ipchains -P forward DENY -i ppp0
> > ...
> > >
> > > ipchains -A output -p icmp -i ppp0 -j icmp-acc
> > > ipchains -A output -p tcp -i ppp0 -s 0/0 -d 0/0 smtp -j ACCEPT -l
> > > ipchains -A output -p tcp -i ppp0 -d 0/0 ssh  -j ACCEPT -l
> > > ipchains -A output -p udp -i ppp0 -d 0/0 ssh  -j ACCEPT -l
> > > ipchains -A output -p tcp -i ppp0 -s 199.45.150.249 -d 199.45.150.1 telnet -j ACCEPT -l
> >
> > The failed parts above are all port 25 tcp, smtp stuff. The above rule
> > is for telnet port only, so there is no ACCEPT for port 25 (I assume you
> > are sending email). Try adding a copy of this rule above, but instead of
> > "telnet", name port 25.
> >
> > > ipchains -A output -i ppp0 -j DENY -l
> >
> > Without a prior rule to accept output other than for port 23 (telnet),
> > you have now denied a large number of ports, including port 25.
> >
> > >
> > > exit
> > >
> >
> > D. Stimits, stimits at idcomm.com
> >
> > PS: denial is a good thing. Even while writing this response, I had
> > someone testing my rpc port.
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >
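Added example, not part of the thread: a small Python model of how ipchains walks the output chain posted above, so the logged packet and the packet described by the `ipchains -C` command can be compared rule by rule. The chain order, addresses and ports are taken from the messages (the log's source address is used for the checked packet); the extra rule in the "fixed" chain (accept outbound tcp whose source port is 25, written `-s 0/0 25` in ipchains syntax), the first-match treatment of the `icmp-acc` jump, and the helper names are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of one of the kernel "Packet log:" lines posted in the thread.
LOG_LINE = ("Mar 22 07:16:30 poodle kernel: Packet log: output DENY ppp0 PROTO=6 "
            "199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54145 F=0x4000 T=64 (#6)")

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class Packet:
    proto: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    """One ipchains rule; None in a field means 'any' (0/0, any port, all protocols)."""
    target: str
    proto: Optional[str] = None
    iface: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        wanted = [(self.proto, p.proto), (self.iface, p.iface), (self.src, p.src),
                  (self.sport, p.sport), (self.dst, p.dst), (self.dport, p.dport)]
        return all(want is None or want == got for want, got in wanted)


LOG_RE = re.compile(r"Packet log: (\w+) (\w+) (\S+) PROTO=(\d+) "
                    r"(\S+):(\d+) (\S+):(\d+) .*\(#(\d+)\)")


def parse_log_line(line: str) -> Tuple[Packet, str, int]:
    """Return (packet, verdict, rule number) from an ipchains '-l' kernel log line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an ipchains packet log line")
    chain, verdict, iface, proto, src, sport, dst, dport, rule_no = m.groups()
    pkt = Packet(PROTO_NAMES.get(int(proto), proto), iface, src, int(sport), dst, int(dport))
    return pkt, verdict, int(rule_no)


def walk_chain(chain: List[Rule], p: Packet) -> Tuple[str, int]:
    """First-match walk, as ipchains does; rule 0 means the chain policy (ACCEPT) applied."""
    for n, rule in enumerate(chain, start=1):
        if rule.matches(p):
            return rule.target, n
    return "ACCEPT", 0


# The output chain from the posted script, in order (numbering matches the "(#6)" in the log).
# The jump to the user chain icmp-acc is treated as a terminal target here (assumption);
# it never matches a tcp packet, so the tcp walk is unaffected.
OUTPUT_CHAIN = [
    Rule("icmp-acc", proto="icmp", iface="ppp0"),                  # -p icmp -j icmp-acc
    Rule("ACCEPT", proto="tcp", iface="ppp0", dport=25),           # -s 0/0 -d 0/0 smtp
    Rule("ACCEPT", proto="tcp", iface="ppp0", dport=22),           # -d 0/0 ssh
    Rule("ACCEPT", proto="udp", iface="ppp0", dport=22),           # -p udp -d 0/0 ssh
    Rule("ACCEPT", proto="tcp", iface="ppp0",
         src="199.45.150.249", dst="199.45.150.1", dport=23),      # ... 199.45.150.1 telnet
    Rule("DENY", iface="ppp0"),                                    # -j DENY -l
]

# Assumed fix: accept outbound tcp whose *source* port is 25 (-s 0/0 25), i.e. the local
# SMTP server's replies to a remote client, placed before the catch-all DENY.
FIXED_CHAIN = (OUTPUT_CHAIN[:-1]
               + [Rule("ACCEPT", proto="tcp", iface="ppp0", sport=25)]
               + OUTPUT_CHAIN[-1:])

# What 'ipchains -C output -i ppp0 -s <addr> 25 -d 199.45.150.1 smtp' asks about:
# source port 25 AND destination port 25, which is not the packet the kernel logged.
CHECKED_PACKET = Packet("tcp", "ppp0", "199.45.150.249", 25, "199.45.150.1", 25)


if __name__ == "__main__":
    logged, verdict, rule_no = parse_log_line(LOG_LINE)
    print("logged packet:", logged, "-> kernel said", verdict, "at rule", rule_no)
    print("model, original chain:", walk_chain(OUTPUT_CHAIN, logged))          # ('DENY', 6)
    print("model, -C test packet:", walk_chain(OUTPUT_CHAIN, CHECKED_PACKET))  # ('ACCEPT', 2)
    print("model, fixed chain:   ", walk_chain(FIXED_CHAIN, logged))           # ('ACCEPT', 6)
```

The model reproduces the log: the denied packet has source port 25 and destination port 13544, so the only tcp ACCEPT that could apply (destination port smtp) does not match and rule 6 denies it, while the `-C` packet with destination port 25 is accepted at rule 2. The added source-port-25 rule is deliberately the simplest fix that makes the logged packet pass; it also lets any locally originated packet with source port 25 out, so on a real 2.2 host a tighter choice is to accept only non-SYN tcp (`! -y`) for established connections and keep the per-service ACCEPT rules for new ones.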
