Practical Use of IPCHAINS
- Presented by
- Andy Stewart and Doug Waud
Worcester Linux Users' Group
May 16, 2001
Overview
- Doug has presented the simple case
- Time for more details
- How to let specific services through the firewall
Refresher
- Three protocol types
- TCP - connection-based
- UDP - connectionless
- ICMP - used by ping
Each network packet header contains at least:
- Type of communication (TCP, UDP, ICMP)
- Source address and port
- Destination address and port
- Flags (SYN and ACK) for TCP packets
Single Machine Network
Multiple Machine Network
IPCHAINS
- There are 3 chains:
- Input - what is allowed into this network interface
(protects you from the Internet)
- Forward - packets to forward
- Output - what is allowed out of this network interface
(protects the Internet from you(!) or your users)
Default policy:
- Accept - let it through the firewall
- Deny - drop it on the floor quietly
- Reject - drop it on the floor and notify originator
Chain Rules
- For each chain, rules are checked one by one
in order!
- Action is taken if packet matches a rule
(accept, reject, deny)
- If packet matches none of the rules,
default policy for that chain is used.
IPCHAINS syntax
- ipchains
-A chain : append rule to chain (input, output, forward)
-F : flush chain rules
-L : list rules
-s : source address [port]
-d : destination address [port]
-y : SYN flag set (! -y matches packets without the SYN flag)
-p : protocol (TCP, UDP, ICMP)
-i : interface (eth0)
-j : what to do (ACCEPT, DENY, REJECT, MASQ)
-l : log
Simple Example
- ANYWHERE="any/0"
IPADDR="my.own.ip.address"
UNPRIVPORTS="1024:65535"
- ipchains -A input \
-i eth0 \
-p tcp \
! -y \
-s $ANYWHERE 80 \
-d $IPADDR $UNPRIVPORTS \
-j ACCEPT
Tips
- Rules are typically written in pairs
- Log mischievous activity
- Log all denials while debugging
- Only allow services that are needed
Things to do
- Your firewall script needs to:
- Set up frequently used symbols
- Rerun itself if DHCP changes your IP address
- Flush old rules and set default policy for each chain
- Accept packets on loopback interface
- Allow home network to access firewall
- Masquerade internal traffic to external interface
Things to do, cont.
- More things to do:
- Refuse packets from problem sites
- Ignore blatantly illegal addresses (incoming and outgoing)
- Allow necessary services one at a time
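The two "Things to do" slides read as a checklist; as an added example that is not part of the talk, here is a minimal ipchains firewall script that carries each item out, writes the web and ssh client rules as pairs, and only prints the commands unless told to apply them. The interface names, the home network and the -P (set policy) flag, which is not on the syntax slide, are assumptions; my.own.ip.address is the slide's own placeholder.

```shell
# Added example, not from the talk: a minimal firewall script following the
# "Things to do" list. EXT_IF, INT_IF, HOME_NET are assumed; my.own.ip.address
# is a placeholder. "apply" installs the rules; otherwise they are only printed.
EXT_IF="eth0"               # interface facing the Internet (assumed)
INT_IF="eth1"               # interface facing the home network (assumed)
HOME_NET="192.168.1.0/24"   # constructed example home network
IPADDR="my.own.ip.address"  # placeholder: the firewall's external address
ANYWHERE="any/0"
UNPRIVPORTS="1024:65535"

# Execute one ipchains command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "ipchains $*"; else ipchains "$@"; fi
}

# Client access to a remote TCP service as a rule pair: the outgoing half
# may open the connection, the incoming half carries replies only (! -y
# keeps outside hosts from starting a connection on that port).
tcp_client_pair() {
    port="$1"
    run -A output -i "$EXT_IF" -p tcp \
        -s "$IPADDR" "$UNPRIVPORTS" -d "$ANYWHERE" "$port" -j ACCEPT
    run -A input -i "$EXT_IF" -p tcp ! -y \
        -s "$ANYWHERE" "$port" -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
}

firewall() {
    # Flush old rules and set the default policy (-P) to DENY on every chain.
    for chain in input output forward; do run -F "$chain"; run -P "$chain" DENY; done
    # Loopback is always accepted.
    run -A input -i lo -j ACCEPT
    run -A output -i lo -j ACCEPT
    # The home network may reach the firewall over the internal interface.
    run -A input -i "$INT_IF" -s "$HOME_NET" -j ACCEPT
    run -A output -i "$INT_IF" -d "$HOME_NET" -j ACCEPT
    # Masquerade internal traffic leaving through the external interface.
    run -A forward -i "$EXT_IF" -s "$HOME_NET" -j MASQ
    # Allow needed services one at a time: web (80) and ssh (22) clients.
    tcp_client_pair 80
    tcp_client_pair 22
    # Log whatever else arrives from the Internet, then deny it.
    run -A input -i "$EXT_IF" -l -j DENY
}

case "${1:-}" in
    apply) firewall ;;
    *)     DRY_RUN=1; firewall ;;
esac
```

Running it without arguments prints the 16 rule commands for review; rerun it with "apply" from your DHCP client hook so a new address gets a fresh rule set.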
Gory Details
Summary
- Stay on top of security updates
- Run port scans against yourself
- Check your system logs
- Firewall is the sacrificial lamb