Re: [SLUG] packet filtering using ipchains

From: Travis Walls (twalls@tampabay.rr.com)
Date: Wed Jul 25 2001 - 12:20:47 EDT


Derek,

Thank you very much for your tips. I now realize how difficult making a
secure firewall really is. I stayed up till about 1 am writing ipchains
rules. I had about 94 when I was done. Like you said though, it's still not
really usable as an internet workstation. So I'm going to try to find out
how to make iptables my default filtering software (i.e. remove the
ipchains config file and make an iptables config file). I will then try the
tedious process of logging blocked services and opening up those that
are needed. Time to learn from the iptables man page...

Thanks so much for your time,
Travis

Derek Glidden wrote:

>Travis Walls wrote:
>
>
>>Here is what i would like to do:
>>
>>Deny everything at first.
>>Allow programs that i need to use access to the internet.
>>Allow services to contact the internet that are required by the system.
>>
>
>Unfortunately, doing this with ipchains with the setup you have:
>
>>RedHat 7.1 box filtered using ipchains <-> Road Runner <-> Internet
>>
>
>will be extremely complicated, if not impossible.
>
>ipchains doesn't have the "stateful inspection" capabilities that
>iptables does, so you'll have to explicitly allow out *every port* that
>*anything* will ever need to talk out on, and any ports that you want
>to allow in will have to be explicitly allowed in.
>
>Restricting all incoming traffic is very easy:
>
>ipchains -A INPUT -j DENY
>
>but it's not as simple as that. This will prevent *any* packet from
>*ever* reaching your box from the outside - this rule will let packets
>go out (say, for Web browsing) but the return packets will never get
>back to you. It's a one-way street, which is probably *not* what you
>are looking for.
>
>Since a lot of services bind to random ports above 1024 for
>communicating outbound (for example, your web browser will bind to a
>random high-number port on your end, and send data to port 80 on the
>other end), there is no way to predict what ports you'll have to allow
>back in for any particular session on any particular service, unless you
>simply say "allow all ports over 1024 back in", which is not very secure.
>
>This is one of the things that the IPMASQ module does for you - it keeps
>track of all those outbound connections and allows the return packets
>for those sessions back in even if you're not allowing anything else
>in. Except you can't use IPMASQ in your situation - you need another
>box in between to do the masquerading and tracking of those sessions.
>
>If you use iptables, however, what you want to do is extremely simple:
>
>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>iptables -A INPUT -j DROP
>
>which says "Allow packets that are part of an established session back
>in, but drop everything else."
>
>In either case (ipchains or iptables), if you want to also restrict
>outbound packets, just start with:
>
>iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
>iptables -A OUTPUT -j DROP
>
>or
>
>ipchains -A OUTPUT -l -j DENY
>
>then watch /var/log/messages to see what packets are being dropped, and
>start adding rules that explicitly allow particular types of packets.
>You'll have to know what *destination* port certain types of protocols
>use to be able to do the filtering - you won't be filtering on source
>ports.
>
>So the conclusion here is: you'll have to use iptables if you want to do
>this.
>
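One way to put Derek's two-part approach (stateful return path on INPUT, log-then-drop on OUTPUT with explicit destination-port allows) into a single ruleset, as an added example that is not from the original thread. It emits the rules in iptables-restore format with the permitted outbound TCP ports given as arguments, assumes DNS over UDP 53 is needed by any workstation, and includes a small helper that summarizes the "OUTPUT DROP:" lines from /var/log/messages by destination port so the next rules to add are obvious; the sample log lines are constructed, not real captures.

```sh
#!/bin/sh
# Added example, not from the original thread. Emits an iptables-restore
# ruleset: replies to established sessions come back in, everything else
# inbound is dropped, and outbound traffic is logged then dropped unless
# its destination port is explicitly allowed.
# Usage: gen_ruleset PORT...   (TCP destination ports allowed outbound)
gen_ruleset() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback must stay open for local services (X, syslog, resolver).
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # The stateful return path ipchains cannot provide, then default deny.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -j DROP'
    # Outbound allows by *destination* port only; source ports are random.
    for port in "$@"; do
        echo "-A OUTPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Assumption: name resolution (UDP 53) is needed by any workstation.
    echo '-A OUTPUT -p udp --dport 53 -j ACCEPT'
    # Everything else outbound is logged (shows up in /var/log/messages)
    # and then dropped, so blocked services can be found and allowed later.
    echo '-A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "'
    echo '-A OUTPUT -j DROP'
    echo 'COMMIT'
}

# Read kernel LOG lines on stdin and print "count PROTO/DPT", most frequent
# first, so the user can see which destination ports are being blocked.
dropped_ports() {
    sed -n 's/.*OUTPUT DROP: .*PROTO=\([A-Z]*\).*DPT=\([0-9]*\).*/\1\/\2/p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample log lines in the netfilter LOG target's format.
SAMPLE_LOG='Jul 25 01:12:03 box kernel: OUTPUT DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=32769 DPT=119 WINDOW=5840
Jul 25 01:12:07 box kernel: OUTPUT DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=32770 DPT=119 WINDOW=5840
Jul 25 01:12:09 box kernel: OUTPUT DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.53 LEN=76 PROTO=UDP SPT=32771 DPT=123 LEN=56'

if [ $# -gt 0 ]; then
    gen_ruleset "$@"      # e.g. sh fw.sh 22 80 443 | iptables-restore
else
    printf '%s\n' "$SAMPLE_LOG" | dropped_ports
fi
```

Run with port arguments to produce the ruleset, or with none to see the log summary for the constructed sample; feeding real /var/log/messages into dropped_ports shows which ports to add as further OUTPUT allows.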



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:50:25 EDT