outsource from india chennai india programmers freelance php coder freelance outsource scripts programming complicated perl patterns php module installation
outsource from india perl installation and configuration php installation linux system administration US$15,US$19,US$11,US$10 cheap programmer
india outsource outsource india chennai india programmers php perl mysql freelance freelance programmer
SHOWCASE of php and perl scripts CONTACT US for php custom perl scripts
HOME
 
Next Previous Contents

8. IP filtering setup (IPCHAINS)

Linux ipchains is a rewrite of the Linux IPv4 firewalling code and a rewrite of ipfwadm, which was a rewrite of BSD's ipfw, I believe. It is required to administer the IP packet filters in Linux kernel versions 2.1.102 and above.

The older code doesn't deal with fragments, has 32-bit counters (on Intel at least), doesn't allow specification of protocols other than TCP, UDP or ICMP, can't make large changes atomically, can't specify inverse rules, has some quirks, and can be tough to manage (making it prone to user error). Or so the author says.

I'm not going to get real deep into how to control an IPChains firewall because there is a GREAT!! HOWTO on it at http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html. I'd just end up duplicating it here. Here are the basics.

You work with chains by name. You start with three built-in chains input, output and forward which you can't delete. You can create chains of your own. Rules can then be added and deleted from these rule sets.

The operations to work on entire chains are;

  1. Create a new chain (-N).
  2. Delete an empty chain (-X).
  3. Change the policy for a built-in chain. (-P).
  4. List the rules in a chain (-L).
  5. Flush the rules out of a chain (-F).
  6. Zero the packet and byte counters on all rules in a chain (-Z).

There are several ways to manipulate rules inside a chain:

  1. Append a new rule to a chain (-A).
  2. Insert a new rule at some position in a chain (-I).
  3. Replace a rule at some position in a chain (-R).
  4. Delete a rule at some position in a chain (-D).
  5. Delete the first rule that matches in a chain (-D).

There are a few operations for masquerading, which are in ipchains for want of a good place to put them:

  1. List the currently masqueraded connections (-M -L).
  2. Set masquerading timeout values (-M -S).

There are some timing issues involved in altering firewall rules. If you are not careful, you can let packets through while you are half-way through your changes. A simplistic approach is to do the following: 

     # ipchains -I input 1 -j DENY
     # ipchains -I output 1 -j DENY
     # ipchains -I forward 1 -j DENY

... make changes ... 

     # ipchains -D input 1
     # ipchains -D output 1
     # ipchains -D forward 1
     #

This drops all packets for the duration of the changes.

Here a duplicate of the above firewall rules in IPChains. 

#!/bin/sh
#
# rc.firewall
#
## Flush everything, start from scratch
  /sbin/ipchains -F input
  /sbin/ipchains -F output
  /sbin/ipchains -F forward

## Redirect for HTTP Transparent Proxy
  #$IPCHAINS  -A input -p tcp -s 192.1.2.0/24 -d 0.0.0.0/0 80 -j REDIRECT 8080

## Create your own chain
  /sbin/ipchains -N my-chain
  # Allow email to got to the server
  /sbin/ipchains -A my-chain -s 0.0.0.0/0 smtp -d 192.1.2.10 1024:-j ACCEPT
  # Allow email connections to outside email servers
  /sbin/ipchains -A my-chain -s 192.1.2.10 -d 0.0.0.0/0 smtp -j ACCEPT  
  # Allow Web connections to your Web Server
  /sbin/ipchains -A my-chain -s 0.0.0.0/0 www -d 192.1.2.11 1024: -j ACCEPT
  # Allow Web connections to outside Web Server
  /sbin/ipchains -A my-chain -s 192.1.2.0/24 1024: -d 0.0.0.0/0 www -j ACCEPT
  # Allow DNS traffic
  /sbin/ipchains -A my-chain -p UDP -s 0.0.0.0/0 dns -d 192.1.2.0/24 -j ACCEPT

## If you are using masquerading
  # don't masq internal-internal traffic
  /sbin/ipchains -A forward -s 192.1.2.0/24 -d 192.1.2.0/24 -j ACCEPT
  # don't masq external interface direct
  /sbin/ipchains -A forward -s 24.94.1.0/24 -d 0.0.0.0/0 -j ACCEPT
  # masquerade all internal IP's going outside
  /sbin/ipchains -A forward -s 192.1.2.0/24 -d 0.0.0.0/0 -j MASQ

## Deny everything else
  /sbin/ipchains -P my-chain input DENY

Don't stop here. This is not a great firewall and I'm sure you have other services you will be providing. Again, read the IPCHAINS-HOWTO.

Next Previous Contents
Linux HOWTO full list
   This document, LDP HOWTO-INDEX, is copyrighted (c) 1995 - 2002 by Tim Bynum, Guylhem Aznar, Joshua Drake and Greg Ferguson. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at http://www.gnu.org/copyleft/fdl.html. If you have questions, please contact the LDP.
Web Design Copyright © 1999-2003. Chrisranjana Software Solutions Pvt Ltd. syndicate rss feed