[Gllug] ipchains, nat and hosts.allow

Murray murray at minty.org
Wed Dec 18 01:04:26 UTC 2002


probably an annoying newbie question, but I'm thoroughly stuck...
...it concerns configuring ipchains correctly/safely/properly on my little
home server.

------------------------------------------------------------

the setup I have is this:

adsl modem  <->  linux box  <-> internal network

- the internal network is a couple of laptops.
- the linux box is supposed to be my "internal" firewall, and also a
webserver, server, etc.
- the adsl modem has NAT, which is effectively my "external" firewall.

I'm trying to allow web/ssh access from a restricted ip range.  Namely,
opening the box up, but not to the entire world.  I know ideally I should
have another dedicated firewall box, and not be using one box to do the
firewalling and other things too, but I only have the one box for now.
So....

I've configured the adsl modem to forward port 80 to port 8080 on my linux
box, which is where I'm running apache.

And that is working a little *too* well. When I telnet from a remote server
to my external ip (on port 80) it connects without any problem.

I was assuming the internal firewall (running on the linux box) ought to be
rejecting all external packets. It appears not, which makes me think I've
got ipchains configured wrongly.  This is where I come clean and admit I'm
really getting confused with ipchains...

so the question is, how do I configure ipchains to
- continue MASQuerading for internal machines (which it is currently)
- reject all external connections (which it currently is not)
  - which should only be coming in on port 8080, as the "external" firewall,
aka the adsl modem should be blocking everything else
  - I'm telnetting (from remote server) to port 80, but the adsl modem is
then mapping this to port 8080 (internally).
- enable external connection (on port 8080 internally, port 80 externally)
from a specified ip range.

I'm figuring the ipchains commands I need are something like this:

  ipchains -I input -j ACCEPT -i eth1 -p tcp -s 123.456.78.9 -d 192.168.2.10 8080
  ipchains -I output -j ACCEPT -i eth1 -p tcp -s 192.168.2.10 8080 -d 123.456.78.9

where 123.456.78.9 is the remote IP I would like to allow to connect.

But the current setup appears not to be blocking everything else, and that
in truth, is where I am stuck. (I've not yet added the ipchains rules above,
as until I block out everything else, there doesn't seem much point enabling
a restricted ip chain rule).

assuming I can get that working, I figure opening up port 23 for ssh is
pretty much the same deal.

some config details, should they help....

--------------------
-- uname -a

Linux desktop 2.4.0-4GB #1 Wed Jan 24 15:55:09 GMT 2001 i686 unknown

--------------------
-- ip setup

linux server has 2 ethernet cards
  eth0 : internal network
  - 192.168.1.10
  eth1 : external network (aka, connection to adsl modem)
  - 192.168.2.10

adsl modem is 192.168.2.1

the various internal machines (laptops) are on 192.168.1.X

--------------------
-- ifconfig -a

linux: # ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:C0:F0:81:85:E4
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::c0:f081:85e4/10 Scope:Link
          inet6 addr: fe80::2c0:f0ff:fe81:85e4/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:40:95:A1:1F:6D
          inet addr:192.168.2.10  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::40:95a1:1f6d/10 Scope:Link
          inet6 addr: fe80::240:95ff:fea1:1f6d/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16080  Metric:1

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1

--------------------
-- ipchains -L

Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
devchain   all  ------  anywhere             anywhere              n/a
Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports
maschain   all  ------  anywhere             anywhere              n/a
Chain output (policy ACCEPT):
Chain rulchain (1 references):
target     prot opt     source                destination           ports
DENY       udp  ------  anywhere             anywhere              any ->   sunrpc
DENY       icmp ------  anywhere             anywhere              redirect
DENY       udp  ------  anywhere             anywhere              any ->   any
REJECT     tcp  -y--l-  anywhere             anywhere              any ->   any
Chain devchain (1 references):
target     prot opt     source                destination           ports
rulchain   all  ------  anywhere             anywhere              n/a
Chain maschain (1 references):
target     prot opt     source                destination           ports
MASQ       all  ------  anywhere             anywhere              n/a


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
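As an added example (not part of Murray's post or any reply to it), a shell script that builds the ruleset the post asks for: default-deny inbound on eth1, the web server on 8080 reachable only from an allowed range, and MASQ kept for the laptops. The range 203.0.113.0/24 is a placeholder standing in for the post's 123.456.78.9 (which is not a valid address), and the apply_rules function with its echo dry-run is my own device, not anything from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: ipchains rules for the layout
# described above. eth0 faces the laptops (192.168.1.0/24), eth1 faces the ADSL
# modem (192.168.2.0/24), Apache listens on 8080, the laptops are masqueraded.
# ALLOWED_SRC is a placeholder range (the post's 123.456.78.9 is not a valid IP).
EXT_IF=eth1
EXT_IP=192.168.2.10
INT_IF=eth0
INT_NET=192.168.1.0/24
ALLOWED_SRC=203.0.113.0/24

# $1 is the command to run for each rule: "ipchains" to load them, "echo" to
# dry-run and review the generated ruleset.
apply_rules() {
    run=$1
    $run -F
    # default-deny inbound and forwarded traffic; the server's own outbound
    # traffic is left open
    $run -P input DENY
    $run -P forward DENY
    $run -P output ACCEPT
    # loopback and the internal LAN are trusted
    $run -A input -i lo -j ACCEPT
    $run -A input -i $INT_IF -s $INT_NET -j ACCEPT
    # anti-spoofing: the external side may never claim an internal address
    $run -A input -i $EXT_IF -s $INT_NET -j DENY -l
    # ipchains has no connection tracking: replies to connections opened by
    # the box or by masqueraded laptops arrive as non-SYN TCP packets (! -y)
    # and, for DNS, as UDP from source port 53; ICMP carries error replies
    $run -A input -i $EXT_IF -p tcp ! -y -j ACCEPT
    $run -A input -i $EXT_IF -p udp --sport 53 -j ACCEPT
    $run -A input -i $EXT_IF -p icmp -j ACCEPT
    # the one exposed service (the modem maps external :80 to :8080 here),
    # reachable only from ALLOWED_SRC; any other new TCP connection on eth1
    # is logged and dropped
    $run -A input -i $EXT_IF -p tcp -s $ALLOWED_SRC -d $EXT_IP 8080 -j ACCEPT
    $run -A input -i $EXT_IF -p tcp -y -j DENY -l
    # masquerade the laptops; in the forward chain -i is the outgoing interface
    $run -A forward -i $EXT_IF -s $INT_NET -j MASQ
}

# Dry-run by default so the ruleset can be reviewed; "apply" loads it.
case "${1:-show}" in
    apply) apply_rules ipchains ;;
    *)     apply_rules echo ;;
esac
```

`ipchains -L -n -v` lists the interface each rule is bound to, which the plain `-L` output above omits; that is the first thing to check when rules that look right are not matching the traffic they are meant to catch.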
