FW: [lug] FW: ipchains incongruity

Atkinson, Chip CAtkinson at Circadence.com
Thu Mar 22 11:53:41 MST 2001


Sorry. I hit send before finishing.  Here's the right version:

-----Original Message-----
From: Atkinson, Chip 
Sent: Thursday, March 22, 2001 11:50 AM
To: 'lug at lug.boulder.co.us'
Subject: RE: [lug] FW: ipchains incongruity


Thanks for the reply.  Sorry for leaving out all that information.  The
kernel I'm using is a 2.2 kernel.  I run the script, check to see if it
works and if it doesn't, which has been the case, run ipchains -F to restore
to the working original configuration.  I'm not putting the rules into any
place that they could be run automatically.  

The weird thing is that I take the deny message from the log and make the
test command and it replies accepted.

Thus, I take 
Mar 22 07:16:30 poodle kernel: Packet log: output DENY ppp0 PROTO=6
199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54145 F=0x4000 T=64 (#6)

and make the command 
ipchains -C output -i ppp0 -s 199.45.159.249 25 -d 199.45.150.1 smtp 
and get accepted.

That's why I'm puzzled.

Sorry again for the previous bogus post.

Chip


> -----Original Message-----
> From: D. Stimits [mailto:stimits at idcomm.com]
> Sent: Thursday, March 22, 2001 11:43 AM
> To: lug at lug.boulder.co.us
> Subject: Re: [lug] FW: ipchains incongruity
> 
> 
> I'm not familiar with the icmp rules, so I won't comment on them. I am
> assuming this is a 2.4.x kernel? Also, there were no logged input
> denies, so I won't comment on those, the problem is in output rules. One
> possible snafu to mention ahead of time is that if you alter rules in
> your "ipchains" file, and don't restart ipchains the correct way, you
> could end up simply appending more rules and leaving the old ones in
> place...infinite append. It might be a good idea to add flush rules (-F)
> for each chain at the top of your file. I'm not sure if the startup
> scripts for your distribution are smart enough to flush old rules before
> running the file, but it wouldn't hurt to intentionally flush old rules
> before appending new.
> 
> "Atkinson, Chip" wrote:
> > 
> > Greetings,
> > 
> > I am trying to get ipchains working on my machine and seem to be getting
> > contradictory results.  The log shows denial yet the test using what I
> > believe to be the data from the log entry shows acceptance.
> > 
> > It looks like output is getting denied, yet both input and output rules
> > allow smtp in both directions, at least as far as I can tell.  What am
> > I missing?
> > 
> > Thanks in advance.
> > Chip
> > 
> ... 
> > Mar 22 07:16:30 poodle kernel: Packet log: output DENY ppp0 PROTO=6
> > 199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54145 F=0x4000 T=64 (#6)
> > 
> ... 
> > Mar 22 07:16:33 poodle kernel: Packet log: output DENY ppp0 PROTO=6
> > 199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54159 F=0x4000 T=64 (#6)
> > 
> > Mar 22 07:16:34 poodle kernel: Packet log: output DENY ppp0 PROTO=6
> > 199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54166 F=0x4000 T=64 (#6)
> > 
> > Mar 22 07:16:40 poodle kernel: Packet log: output DENY ppp0 PROTO=6
> > 199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54193 F=0x4000 T=64 (#6)
> 
> PROTO=6 will mean a tcp rule, so ignore any other protocol.
> 
> > 
> > [root at poodle chains]# ipchains -L
> > Chain input (policy ACCEPT):
> > target     prot opt     source                destination           ports
> ...
> > ACCEPT     tcp  ----l-  anywhere             anywhere              any ->   smtp
> ...
> > Chain output (policy ACCEPT):
> > target     prot opt     source                destination           ports
> ...
> > ACCEPT     tcp  ----l-  anywhere             anywhere              any ->   smtp
> 
> smtp is relevant since port 25 is what failed on output.
> 
> ...
> > DENY       all  ----l-  anywhere             anywhere              n/a
> > Chain icmp-acc (2 references):
> > target     prot opt     source                destination           ports
> ...
> > DENY       all  ----l-  anywhere             anywhere              n/a
> > [root at poodle chains]#
> > 
> > [root at poodle chains]# cat ipchains
> > #!/bin/bash
> 
> Maybe add flush rules here.
> 
> > #ipchains -P input  DENY -i ppp0
> > #ipchains -P output  DENY -i ppp0
> > #ipchains -P forward DENY -i ppp0
> ...
> > 
> > ipchains -A output -p icmp -i ppp0 -j icmp-acc
> > ipchains -A output -p tcp -i ppp0 -s 0/0 -d 0/0 smtp -j ACCEPT -l
> > ipchains -A output -p tcp -i ppp0 -d 0/0 ssh  -j ACCEPT -l
> > ipchains -A output -p udp -i ppp0 -d 0/0 ssh  -j ACCEPT -l
> > ipchains -A output -p tcp -i ppp0 -s 199.45.150.249 -d 199.45.150.1 telnet
> > -j ACCEPT -l
> 
> The failed parts above are all port 25 tcp, smtp stuff. The above rule
> is for telnet port only, so there is no ACCEPT for port 25 (I assume you
> are sending email). Try adding a copy of this rule above, but instead of
> "telnet", name port 25.
> 
> > ipchains -A output -i ppp0 -j DENY -l
> 
> Without a prior rule to accept output other than for port 23 (telnet),
> you have now denied a large number of ports, including port 25.
> 
> > 
> > exit
> > 
> 
> D. Stimits, stimits at idcomm.com
> 
> PS: denial is a good thing. Even while writing this response, I had
> someone testing my rpc port.
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 
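An added example, not from either poster: it turns the thread's kernel log line into the matching `ipchains -C` check and runs the packet through a hypothetical first-match model of the output chain. In the log the port after the source address is the source port, while the thread's `-s 0/0 -d 0/0 smtp` rule only matches a destination port of 25, so a reply leaving local port 25 falls through to the final DENY. The chain model and the extra source-port rule are assumptions made for illustration.

```python
import re

# Constructed copy of the 2.2-kernel "Packet log:" line quoted in the thread.
LOG_LINE = ("Mar 22 07:16:30 poodle kernel: Packet log: output DENY ppp0 PROTO=6 "
            "199.45.150.249:25 199.45.150.1:13544 L=44 S=0x00 I=54145 F=0x4000 T=64 (#6)")
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_log(line):
    """Return chain, verdict, interface, protocol name and both address:port pairs."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an ipchains packet log line")
    return {"chain": m["chain"], "verdict": m["verdict"], "iface": m["iface"],
            "proto": PROTO_NAMES.get(int(m["proto"]), m["proto"]),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def check_command(p):
    """Build the -C test; the port after -s is the SOURCE port, the one after -d the DESTINATION."""
    return (f"ipchains -C {p['chain']} -i {p['iface']} -p {p['proto']} "
            f"-s {p['src']} {p['sport']} -d {p['dst']} {p['dport']}")


# Hypothetical first-match model of the thread's output chain for tcp/udp packets
# (addresses omitted): (proto, source port, destination port, target); None = any.
OUTPUT_CHAIN = [
    ("tcp", None, 25, "ACCEPT"),  # -p tcp -s 0/0 -d 0/0 smtp  (destination port 25 only)
    ("tcp", None, 22, "ACCEPT"),  # -p tcp -d 0/0 ssh
    ("udp", None, 22, "ACCEPT"),  # -p udp -d 0/0 ssh
    ("tcp", None, 23, "ACCEPT"),  # -p tcp ... telnet
    (None, None, None, "DENY"),   # -j DENY -l
]
# Same chain plus an assumed rule for replies leaving the local SMTP port
# (-p tcp -s 0/0 25 -j ACCEPT), inserted ahead of the catch-all DENY.
FIXED_CHAIN = OUTPUT_CHAIN[:4] + [("tcp", 25, None, "ACCEPT")] + OUTPUT_CHAIN[4:]


def evaluate(chain, proto, sport, dport, policy="ACCEPT"):
    """Return the target of the first rule matching the packet, else the chain policy."""
    for rproto, rsport, rdport, target in chain:
        if rproto in (None, proto) and rsport in (None, sport) and rdport in (None, dport):
            return target
    return policy
```

Running `evaluate(OUTPUT_CHAIN, "tcp", 25, 13544)` on the logged packet yields DENY, while swapping the ports (destination 25, as a `-C` with `-d ... smtp` does) yields ACCEPT, which is the incongruity the thread describes.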
