[lug] RH 7.x word of caution

Kevin Fenzi kevin at ashara.scrye.com
Wed Jun 6 22:25:38 MDT 2001


>>>>> "DStimits" == D Stimits <stimits at idcomm.com> writes:

DStimits> Somehow failing to check the return value of something so
DStimits> significant reminds me of the story of a supertanker that
DStimits> went under and killed everyone onboard because a small
DStimits> personnel hatch at the bow wasn't latched.

Indeed. It's pretty apparent that they don't expect most people to
upgrade the kernel they are using. The stock redhat kernel works fine
with the ipchains module. ;( 

DStimits> I'm having a hell of a time finding complete info on
DStimits> netfilter. The man pages, HOWTO, FAQ, kernel Documentation,
DStimits> so on, are all very incomplete.  One of my problems is that

Really? I found the netfilter-HOWTO to be pretty good. 
Available at
packetstorm.securify.com/UNIX/firewall/ipchains/netfilter/ 
(and other places). 
Perhaps that's just me though... :)

DStimits> apparently there is a different kernel module required for
DStimits> each change, DENY, one for REJECT (or is it DROP?), one for
DStimits> MASQ, so on. I have compiled with a ton of iptables modules
DStimits> enabled, but I cannot get the right module for DENY. The

Yeah, the netfilter stuff is set up to be pretty modular. This allows you
to easily add things. However, the targets ACCEPT, DROP, QUEUE and
RETURN are all built into the ip_tables module.

DStimits> kernel Documentation/Configure.help does not give direct
DStimits> comments to say that a particular module is used for

Yeah, it's unclear on that. 

DStimits> DENY. Worse, some of the old ipchains functionality, it
DStimits> simply states it is now required to be downloaded
DStimits> separately...one can find this separate source, and even
DStimits> install it, but there is absolutely no useful documentation

Huh? What is required to be downloaded separately? Cite? 

DStimits> after that...I fail to see how RH ever got the 2.4.2 kernel
DStimits> they use to work with ipchains. If using iptables -t filter,

They load the 'ipchains' compatibility module. Then everything works
just like 2.2.x... 

DStimits> some parts are very similar to ipchains, but when I try them
DStimits> and restart iptables, it does not work as expected (no
DStimits> denial or reject seems possible, but the machine at the
DStimits> other end gave error reports...the chain rule I tried did
DStimits> not block or drop, but it did mangle things to the point
DStimits> that xinetd had to be restarted on the other end).

The sender had to restart? That's very weird. What was in your chain? 

DStimits> I will look at freshmeat, but I would be very happy if
DStimits> someone here could tell me exactly what modules in the more
DStimits> recent kernels (I am using 2.4.5 with ac patches or 2.4.6
DStimits> pre1 at the moment...except when connected to the internet I
DStimits> must use 2.4.2) I need to do the following: ACCEPT REJECT
DStimits> DENY MASQ

ACCEPT and DROP are built in. 
REJECT requires the ipt_REJECT.o module be loaded. (It should autoload
though... you shouldn't have to do anything special except make sure it's
there.) 
MASQ is taken care of by the 'nat' table. 

Perhaps a simple example would help?

---cut---
#!/bin/sh
#
# replace "your-outside-ip" with the address of your outside interface
#
OUTSIDE_IP=your-outside-ip
#
# flush all rules
#
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F PREROUTING
#
# loopback, and replies to connections this machine opened itself
# (without these the LOG/DROP rules at the end eat the replies)
#
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# allow all icmp through if it's for our machine
#
/sbin/iptables -A INPUT -p icmp -s 0/0 -d $OUTSIDE_IP -j ACCEPT
#
# allow ssh from outside
#
/sbin/iptables -A INPUT -p tcp -s 0/0 -d $OUTSIDE_IP --dport 22 -j ACCEPT
#
# masquerade internal machines (ipchains MASQ lives in the nat table now)
#
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#
# redirect ssh into an internal machine. note: DNAT happens in
# PREROUTING, so these packets go through the FORWARD chain, not INPUT
# (FORWARD is left at its default policy here, and ip_forward must be
# on); with this rule in place, ssh to the outside address ends up at
# 10.1.1.1 rather than at the INPUT rule above.
#
/sbin/iptables -t nat -A PREROUTING -p tcp -d $OUTSIDE_IP/32 --dport 22 -j DNAT --to-destination 10.1.1.1
#
# log and drop everything else. LOG doesn't stop the packet, so the
# DROP rule right after it still gets its turn.
#
/sbin/iptables -A INPUT -j LOG --log-prefix "DROPPING packet: "
/sbin/iptables -A INPUT -j DROP

---cut---

DStimits> Next, can anyone tell me how to log? I see vague references
DStimits> to syslog.conf containing the log levels, but absolutely no
DStimits> samples. Is it not possible to create a rule that
DStimits> simultaneously REJECTs or DENYs, while logging? Does each
DStimits> log type also need its own kernel module?  Documentation
DStimits> totally sucks.

You need to have a LOG target before the rule you are DROPping or
REJECTing. See above. ;)

DStimits> Needless to say, I'm not having any fun yet.

Awwww... learning is fun! ;)

DStimits> D. Stimits, stimits at idcomm.com

kevin
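An added example, written for this page and not part of Kevin's message or of the netfilter documentation: one script that maps the ipchains ACCEPT / REJECT / DENY / MASQ set onto iptables and adds the log-before-drop rules, with a dry-run mode so the rule order can be inspected without touching the kernel. The interface names (eth0 outside, eth1 inside), the 10.1.1.0/24 LAN, the 10.1.1.1 ssh host and the identd REJECT rule are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed placeholders:
# eth0 = outside interface, eth1 = inside interface, 10.1.1.0/24 = LAN,
# 10.1.1.1 = internal ssh host. Override any of them in the environment.
#
#   sh fw.sh show    # dry-run: print the iptables commands that would run
#   sh fw.sh apply   # install the rules (root, plus the netfilter modules)
#
# Module notes for 2.4: ACCEPT/DROP are in ip_tables; REJECT needs
# ipt_REJECT, LOG needs ipt_LOG, -m state needs ip_conntrack, and the
# nat table needs iptable_nat. /sbin/iptables normally autoloads them.

IPT="${IPT:-/sbin/iptables}"
OUT_IF="${OUT_IF:-eth0}"
IN_IF="${IN_IF:-eth1}"
LAN="${LAN:-10.1.1.0/24}"
SSH_HOST="${SSH_HOST:-10.1.1.1}"

flush_rules() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
}

set_policies() {
    # Default deny on INPUT and FORWARD; the LOG rules below show what hits it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

install_rules() {
    # loopback, replies to connections this host opened, icmp to this host
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT

    # ipchains REJECT -> iptables REJECT (an error goes back to the sender);
    # ipchains DENY   -> iptables DROP   (silently discarded).
    $IPT -A INPUT -i "$OUT_IF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # ipchains MASQ -> MASQUERADE target in the nat table's POSTROUTING chain
    $IPT -t nat -A POSTROUTING -o "$OUT_IF" -s "$LAN" -j MASQUERADE

    # Port-forward ssh to an inside host. A DNATed packet is routed through
    # FORWARD, not INPUT, so FORWARD has to accept it.
    $IPT -t nat -A PREROUTING -i "$OUT_IF" -p tcp --dport 22 \
        -j DNAT --to-destination "$SSH_HOST"
    $IPT -A FORWARD -i "$OUT_IF" -p tcp -d "$SSH_HOST" --dport 22 -j ACCEPT
    $IPT -A FORWARD -i "$IN_IF" -s "$LAN" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LOG is non-terminating, so "log then DROP" is two rules in this order.
    # The limit match keeps a flood from filling syslog. Lines go wherever
    # syslog.conf sends kern.warning (typically /var/log/messages).
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-level warning \
        --log-prefix "DROPPING packet: "
    $IPT -A INPUT -j DROP
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-level warning \
        --log-prefix "DROPPING forward: "
    $IPT -A FORWARD -j DROP
}

# Print the rules instead of installing them (IPT=echo inside a subshell).
show_rules() {
    ( IPT=echo; flush_rules; set_policies; install_rules )
}

# Sanity check on the dry-run output: in INPUT and FORWARD the LOG rule
# must come before the final DROP, otherwise nothing is ever logged.
check_log_before_drop() {
    rules=$(show_rules)
    for chain in INPUT FORWARD; do
        log_n=$(printf '%s\n' "$rules" | grep -n -- "-A $chain .*-j LOG" | head -n 1 | cut -d: -f1)
        drop_n=$(printf '%s\n' "$rules" | grep -n -- "-A $chain -j DROP$" | head -n 1 | cut -d: -f1)
        [ -n "$log_n" ] && [ -n "$drop_n" ] && [ "$log_n" -lt "$drop_n" ] || return 1
    done
    return 0
}

case "${1:-}" in
    show)  show_rules ;;
    apply)
        flush_rules
        set_policies
        install_rules
        echo 1 > /proc/sys/net/ipv4/ip_forward
        ;;
esac
```

The `show` mode is the point of the exercise: because LOG does not terminate rule traversal, a LOG rule that lands after the DROP logs nothing, and the dry-run output plus `check_log_before_drop` make that ordering visible before anything is loaded into the kernel.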


