[lug] FW: ipchains incongruity

Atkinson, Chip CAtkinson at Circadence.com
Thu Mar 22 08:47:24 MST 2001


Greetings,

I am trying to get ipchains working on my machine and seem to be getting
contradictory results.  The log shows denial yet the test using what I
believe to be the data from the log entry shows acceptance.  

It looks like output is getting denied, yet both input and output rules
allow smtp in both directions, at least as far as I can tell.  What am I missing?

Thanks in advance.
Chip

Mar 22 07:16:30 poodle kernel: Packet log: input ACCEPT ppp0 PROTO=6
199.45.150.1:13544 199.45.150.249:25 L=44 S=0x00 I=13763 F=0x0000 T=62
SYN (#2)

Mar 22 07:16:30 poodle kernel: Packet log: output DENY ppp0 PROTO=6
199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54145 F=0x4000 T=64
(#6)

Mar 22 07:16:33 poodle kernel: Packet log: input ACCEPT ppp0 PROTO=6
199.45.150.1:13544 199.45.150.249:25 L=44 S=0x00 I=13812 F=0x0000 T=62
SYN (#2)

Mar 22 07:16:33 poodle kernel: Packet log: output DENY ppp0 PROTO=6
199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54159 F=0x4000 T=64
(#6)

Mar 22 07:16:34 poodle kernel: Packet log: output DENY ppp0 PROTO=6
199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54166 F=0x4000 T=64
(#6)

Mar 22 07:16:40 poodle kernel: Packet log: output DENY ppp0 PROTO=6
199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54193 F=0x4000 T=64
(#6)

[root at poodle chains]# ipchains -L
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
icmp-acc   icmp ------  anywhere             anywhere              any ->
any
ACCEPT     tcp  ----l-  anywhere             anywhere              any ->
smtp
ACCEPT     tcp  ----l-  anywhere             pupman.com            any ->
auth
ACCEPT     tcp  ----l-  anywhere             pupman.com            any ->
ssh
ACCEPT     udp  ----l-  anywhere             pupman.com            any ->
ssh
ACCEPT     tcp  !y--l-  ezlink.com           pupman.com            any ->
telnet
ACCEPT     tcp  ----l-  pupman.com           ezlink.com            any ->
telnet
DENY       all  ----l-  anywhere             anywhere              n/a
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
target     prot opt     source                destination           ports
icmp-acc   icmp ------  anywhere             anywhere              any ->
any
ACCEPT     tcp  ----l-  anywhere             anywhere              any ->
smtp
ACCEPT     tcp  ----l-  anywhere             anywhere              any ->
ssh
ACCEPT     udp  ----l-  anywhere             anywhere              any ->
ssh
ACCEPT     tcp  ----l-  pupman.com           ezlink.com            any ->
telnet
DENY       all  ----l-  anywhere             anywhere              n/a
Chain icmp-acc (2 references):
target     prot opt     source                destination           ports
ACCEPT     icmp ------  anywhere             anywhere
destination-unreachable
ACCEPT     icmp ------  pupman.com           anywhere
echo-request
ACCEPT     icmp ------  anywhere             pupman.com
echo-reply
ACCEPT     icmp ------  anywhere             anywhere
source-quench
ACCEPT     icmp ------  anywhere             anywhere
time-exceeded
ACCEPT     icmp ------  anywhere             anywhere
parameter-problem
DENY       all  ----l-  anywhere             anywhere              n/a
[root at poodle chains]# 

[root at poodle chains]# cat ipchains 
#!/bin/bash
#ipchains -P input  DENY -i ppp0 
#ipchains -P output  DENY -i ppp0 
#ipchains -P forward DENY -i ppp0 
ipchains -F icmp-acc
ipchains -X icmp-acc
ipchains -N icmp-acc

ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p icmp -d 0/0 -s pupman.com  --icmp-type echo-request -j ACCEPT
ipchains -A icmp-acc -p icmp -s 0/0 -d pupman.com --icmp-type echo-reply  -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
ipchains -A icmp-acc -j DENY -l


ipchains -A input -p icmp -i ppp0 -j icmp-acc
ipchains -A input -p tcp -i ppp0 -s 0/0 -d 0/0 smtp -j ACCEPT -l
ipchains -A input -p tcp -i ppp0 -d 199.45.150.249 auth -j ACCEPT -l
ipchains -A input -p tcp -i ppp0 -d 199.45.150.249 ssh  -j ACCEPT -l
ipchains -A input -p udp -i ppp0 -d 199.45.150.249 ssh  -j ACCEPT -l
ipchains -A input -p tcp -i ppp0 ! -y -s 199.45.150.1 -d 199.45.150.249 telnet -j ACCEPT -l
ipchains -A input -p tcp -i ppp0 -s 199.45.150.249 -d 199.45.150.1 telnet -j ACCEPT -l
ipchains -A input -i ppp0 -j DENY -l

ipchains -A output -p icmp -i ppp0 -j icmp-acc
ipchains -A output -p tcp -i ppp0 -s 0/0 -d 0/0 smtp -j ACCEPT -l
ipchains -A output -p tcp -i ppp0 -d 0/0 ssh  -j ACCEPT -l
ipchains -A output -p udp -i ppp0 -d 0/0 ssh  -j ACCEPT -l
ipchains -A output -p tcp -i ppp0 -s 199.45.150.249 -d 199.45.150.1 telnet -j ACCEPT -l
ipchains -A output -i ppp0 -j DENY -l


exit 
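
An added example, not part of the original post: a small Python model of the output chain that the script above builds, run against the logged reply packet. The rule `-d 0/0 smtp` matches only packets whose destination port is 25, while the mailer's reply leaves with source port 25 and destination port 13544, so it falls through to rule #6, exactly as the log reports. `FIXED_CHAIN` adds one assumed extra rule (source port 25, restricted with the `! -y` form the script already uses for telnet) to show the reply being accepted; the matcher, the rule encoding and the chain names are this example's own, not ipchains internals.

```python
import re

# Two kernel log lines copied from the post, used here as constructed test input.
LOG = [
    "Mar 22 07:16:30 poodle kernel: Packet log: input ACCEPT ppp0 PROTO=6 "
    "199.45.150.1:13544 199.45.150.249:25 L=44 S=0x00 I=13763 F=0x0000 T=62 SYN (#2)",
    "Mar 22 07:16:30 poodle kernel: Packet log: output DENY ppp0 PROTO=6 "
    "199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54145 F=0x4000 T=64 (#6)",
]
LOG_RE = re.compile(r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) \S+ PROTO=(?P<proto>\d+) "
                    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
                    r".*?(?P<syn>SYN )?\(#(?P<rule>\d+)\)")
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}
ANY = None  # wildcard for any rule field

def parse_log(line):
    """Turn one ipchains 'Packet log' line into a packet dict (syn = SYN-only packet)."""
    d = LOG_RE.search(line).groupdict()
    return {"chain": d["chain"], "verdict": d["verdict"], "rule": int(d["rule"]),
            "proto": PROTO_NAMES[d["proto"]], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "syn": d["syn"] is not None}

# Rule = (proto, src, sport, dst, dport, syn, target); syn=True models -y, syn=False models ! -y.
# This is the output chain the post's script builds, numbered the way ipchains logs them.
OUTPUT_CHAIN = [
    ("icmp", ANY, ANY, ANY, ANY, ANY, "icmp-acc"),                       # 1
    ("tcp",  ANY, ANY, ANY, 25,  ANY, "ACCEPT"),                         # 2: -d 0/0 smtp
    ("tcp",  ANY, ANY, ANY, 22,  ANY, "ACCEPT"),                         # 3: -d 0/0 ssh
    ("udp",  ANY, ANY, ANY, 22,  ANY, "ACCEPT"),                         # 4
    ("tcp",  "199.45.150.249", ANY, "199.45.150.1", 23, ANY, "ACCEPT"),  # 5: telnet
    ("all",  ANY, ANY, ANY, ANY, ANY, "DENY"),                           # 6: catch-all, logged
]
# Assumed fix for this example: also accept the mailer's replies (source port 25), restricted
# with ! -y so a fresh connection that merely claims source port 25 still reaches the DENY.
FIXED_CHAIN = OUTPUT_CHAIN[:2] + [("tcp", ANY, 25, ANY, ANY, False, "ACCEPT")] + OUTPUT_CHAIN[2:]

def first_match(chain, pkt):
    """Return (rule number, target) of the first rule matching pkt, like the (#n) in the log."""
    for n, (proto, src, sport, dst, dport, syn, target) in enumerate(chain, 1):
        if proto != "all" and proto != pkt["proto"]:
            continue
        wanted = [(src, "src"), (sport, "sport"), (dst, "dst"), (dport, "dport"), (syn, "syn")]
        if all(want is ANY or want == pkt[key] for want, key in wanted):
            return n, target
    return 0, "policy ACCEPT"  # no rule matched: the chain policy applies

if __name__ == "__main__":
    reply = parse_log(LOG[1])
    print("logged: (#%d) %s" % (reply["rule"], reply["verdict"]))
    print(first_match(OUTPUT_CHAIN, reply), "->", first_match(FIXED_CHAIN, reply))
```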



