IPCHAINS Help

Ben Beeson beesond001 at hawaii.rr.com
Thu Oct 18 00:08:21 PDT 2001


Dusty,
	
	My replies are interspersed within the text below.



>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 10/17/01, 1:44:33 PM, Dusty <dusty at sandust.com> wrote regarding [luau] 
Re: IPCHAINS Help:


> >NAMESERVER_IP1=`egrep -n nameserver /etc/resolv.conf | grep 2: - | gawk -F" " '{print $2}'`
> >echo "NAMESERVER_IP1 is $NAMESERVER_IP1"
> >NAMESERVER_IP2=`egrep -n nameserver /etc/resolv.conf | grep 3: - | gawk -F" " '{print $2}'`
> >echo "NAMESERVER_IP2 is $NAMESERVER_IP2"

> This is nice, I like this very much!!!

	Thanks, I had to figure that out from scratch. I'm no guru at scripts, 
but I have seen a few clever ones written by a friend of mine that works 
at a national lab writing BIG software for unix boxes and knew that 
writing a short script was worth a try. I figured it out after going down 
a few blind alleys.  The trick that made it all fall together was to use 
egrep's line number feature to separate the resolv.conf entries. After 
that, everything fell into place.  Somehow I feel satisfied that doing 
what this script snippet does would be nearly impossible on that other OS 
without a big investment in programming software and time.  This script 
only took a short time and one line, I love it!!!  



> >$IPCHAINS -A input -p udp -s $NAMESERVER_IP1 -d $OUTERNET 53 -j ACCEPT
> >$IPCHAINS -A input -p udp -s $NAMESERVER_IP2 -d $OUTERNET 53 -j ACCEPT

> I don't understand why you have this here.  There should be no reason for 
your ISP's DNS servers to initiate a connection to your DNS server.  If 
your DNS server is THE DNS server for your own domain name (i.e. Internic 
points lookups for your domain name to your DNS server) then you will need 
to allow all incoming connections to your DNS server on port 53.  If your 
DNS server is only used by clients on your internal network to do lookups, 
so you do not have to rely on your ISP's DNS servers, then you do not need 
to allow these incoming connections from your ISP's DNS servers.


	I put it there to make sure that I could use the ISP DNS.  As you point 
out, I probably don't need this.  I'm still learning about networking and 
firewalls, and the part about the server initiating a connection to me 
escaped me when I wrote this.  I'll fix it.  Thanks again!  


> ># DNS REJECT/DENY rules can go here....
> ># REJECT input udp from everywhere else...
> >$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 53 -j REJECT

> What is $REMOTENET?  I think you should remove "-s $REMOTENET" and 
replace it with "-i $EXTERNAL_INTERFACE", where $EXTERNAL_INTERFACE is your 
interface directly connected to the internet (i.e. ETH0).  You can leave 
"-s $REMOTENET" if $REMOTENET is "any".

	For my setup, $REMOTENET is 0/0, and $OUTERNET is my IP/Netmask for the 
external interface. This rule when translated into English reads (I 
think...) something like this, "For the input chain, if a udp packet 
shows up from anywhere destined for my IP/Netmask, on port 53, REJECT 
it."  Your method seems a little clearer and possibly more "surgical" in 
its application.  My method is not quite as eloquent, but I think for 
this purpose, either one should work.  See my next comment. 
> ># Now allow outgoing requests...
> >$IPCHAINS -A output -p udp -s $REMOTENET -d $OUTERNET 53 -j ACCEPT

> For this I think you should change "-s $REMOTENET" to "-s 
$INTERNAL_IP_RANGE", where $INTERNAL_IP_RANGE is the range of IP addresses 
you use on your internal network (i.e. 172.16.1.0/24).  And I would also 
add "-i $INTERNAL_INTERFACE", where $INTERNAL_INTERFACE is your interface 
directly connected to internal network (i.e. ETH1).  This way you are only 
allowing systems on your internal network to connect to your DNS.


	My aim here is to allow outgoing requests for DNS.  While my method 
works, yours is much more descript, and I like it a lot.  I shall have to 
think about how to implement your idea because I need to pass two types 
of IP addresses. I need to pass the internal network IP addresses and I 
also need to pass the ISP assigned IP address because this firewall is 
running on a workstation that doubles as a masquerade box for one other 
computer. (This will change when I finish my router.) H-m-m maybe I need 
two rules to do this...

	Thanks again for your time and help Dusty.  I appreciate your help as 
well as the insight that you brought to this discussion.  I hope that 
others can benefit from it also.


Ben 

> "Linux is for people who hate Windows. BSD is for
> people that love unix."
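Added example, not code from the thread: a portable shell rewrite of the two ideas discussed above, the resolv.conf extraction and the "one rule per source network" approach Ben considers for his workstation/masquerade box. The sample resolv.conf text, the interface name eth0 and the address ranges are constructed for illustration. The original `egrep -n ... | grep 2:` trick keys on physical line numbers, so a leading comment or `search` line shifts which entry is picked, and `grep 2:` also matches line numbers such as 12: or 20:; the function below counts only `nameserver` lines instead. The `$IPCHAINS` variable is pointed at `echo` so the generated rules are printed for review rather than loaded into the kernel.

```shell
#!/bin/sh
# Constructed resolv.conf content (not a file from the thread): note the
# comment, the "search" line and the tab-indented entry, all of which would
# confuse a line-number based extraction.
SAMPLE_RESOLV='# generated by dhcp client
search example.net
nameserver 192.0.2.10
	nameserver	192.0.2.20
nameserver 198.51.100.5
'

# Print the N-th "nameserver" entry from resolv.conf-style text on stdin.
# Only nameserver lines are counted, so comments, search lines and blank
# lines cannot shift the numbering. Prints nothing if there is no N-th entry.
nth_nameserver() {
    awk -v want="$1" '
        /^[[:space:]]*nameserver[[:space:]]+/ { n++; if (n == want) { print $2; exit } }
    '
}

# Dry-run stand-in for the thread's $IPCHAINS variable: each rule is echoed
# instead of being loaded, so the full list can be reviewed before it is
# run as root with IPCHAINS=/sbin/ipchains.
IPCHAINS="echo ipchains"

# Emit one output-chain ACCEPT rule for DNS (udp/53) queries leaving through
# the given interface, for every (source network, nameserver) pair.
# Arguments: interface, space-separated nameserver list, then one or more
# source networks (e.g. the internal range and the ISP-assigned address).
dns_query_rules() {
    iface="$1"; nameservers="$2"; shift 2
    for src in "$@"; do
        for ns in $nameservers; do   # unquoted on purpose: split the list
            $IPCHAINS -A output -i "$iface" -p udp -s "$src" -d "$ns" 53 -j ACCEPT
        done
    done
}

# Usage: pick the first two nameservers from the sample and print the rules
# for a constructed internal range and one external (ISP-assigned) address.
NS1=$(printf '%s' "$SAMPLE_RESOLV" | nth_nameserver 1)
NS2=$(printf '%s' "$SAMPLE_RESOLV" | nth_nameserver 2)
dns_query_rules eth0 "$NS1 $NS2" 172.16.1.0/24 203.0.113.7
```

Because every rule names both a source network and a specific nameserver, a change of ISP nameservers or of the internal range only requires re-running the script, and the printed list can be diffed against the last run before anything is loaded.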