[NCLUG] ipchains/ipmasq

davet at frii.com davet at frii.com
Wed Mar 14 19:56:23 MST 2001


I read this list a lot but don't post much, but anyway I have a question
I just haven't been able to understand, so I'm querying the vast knowledge
of the NCLUGers... :)

I have ppp setup to auto dial on demand, I have a home network and have
ipmasquerading enabled. That all works fine and dandy. Now, I'm playing
with more of the firewalling (in anticipation of a potential cable modem
access in the area) and I suspect the ppp link is partially the
culprit here. Given the following from my rc.local file:

/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0/0

# Block Windows "whohas" traffic to prevent spurious dialling...
/sbin/ipchains -A forward -j DENY -p tcp -s 0.0.0.0/0 137:139
/sbin/ipchains -A forward -j DENY -p udp -s 0.0.0.0/0 137:139


echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# IPsec to the NAI server: IKE (UDP port 500) and ESP (IP protocol 50)
# between the LAN and $NAI_SERVER, over the ppp link.
NAI_SERVER="156.152.128.43"
LAN_1="192.168.1.0/24"

ipchains -A input -i ppp+ -p udp -s $NAI_SERVER 500 -d $LAN_1 500 -j ACCEPT
ipchains -A output -i ppp+ -p udp -s $LAN_1 500 -d $NAI_SERVER 500 -j ACCEPT
#ipchains -A input -p udp -s $NAI_SERVER 500 -d $LAN_1 500 -j ACCEPT
#ipchains -A output -p udp -s $LAN_1 500 -d $NAI_SERVER 500 -j ACCEPT
ipchains -A input -p 50 -s $NAI_SERVER -d $LAN_1 -j ACCEPT
ipchains -A output -p 50 -s $LAN_1 -d $NAI_SERVER -j ACCEPT


Given just this configuration everything works as expected. Now, I
downloaded the current version of isinglass (v1.22) then added a line to
rc.local (at the end) - assuming that it would help beef up the
firewall. After running isinglass I can no longer network from the home
network systems to the outside world and I see these messages in syslog:

Mar 14 18:25:09 grogg kernel: Packet log: inp DENY ppp0 PROTO=17 216.17.128.2:53 216.17.133.10:1024 L=141 S=0x00 I=59843 F=0x0000 T=62 (#7)

The IP address in the above message is from ppp. If I understand things
right, normally, the request from my home network is masqueraded as the
ppp address and in this case it's getting denied. Why? Do I need to
unload my entire setup then reload it after establishing the connection?
That seems like a lot of extra work.

Any ideas, or thoughts of encouragement?
-- 

 Dave Treece
 email: davet at frii.com
 http://www.frii.com/~davet 
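An added example (not from Dave's post, and not part of isinglass): a small Python decoder for ipchains `Packet log:` syslog lines like the one quoted above, so an admin can read off which chain, interface and rule dropped a packet and what that packet most likely was (here, a UDP reply from port 53, i.e. a DNS answer coming back to the ppp address). The sample lines are constructed (the first is the line from the post, re-joined onto one line); the service-port table and the `fwd`/`out` chain abbreviations are assumptions.

```python
"""Decoder for ipchains "Packet log:" kernel messages (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: line 1 is the denied DNS reply quoted in the post,
# line 2 is a made-up forward-chain drop, line 3 is unrelated kernel noise.
SAMPLE_LOG = """\
Mar 14 18:25:09 grogg kernel: Packet log: inp DENY ppp0 PROTO=17 216.17.128.2:53 216.17.133.10:1024 L=141 S=0x00 I=59843 F=0x0000 T=62 (#7)
Mar 14 18:25:10 grogg kernel: Packet log: fwd DENY ppp0 PROTO=6 192.168.1.5:1030 10.0.0.9:139 L=60 S=0x00 I=12 F=0x4000 T=63 (#3)
Mar 14 18:25:11 grogg kernel: eth0: link up
"""

IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp", 50: "esp", 51: "ah"}
# "inp" appears in the post; "fwd"/"out" are assumed abbreviations.
CHAIN_NAMES = {"inp": "input", "fwd": "forward", "out": "output"}
# Well-known ports worth naming when explaining a drop (assumed table).
SERVICE = {53: "dns", 137: "netbios-ns", 138: "netbios-dgm",
           139: "netbios-ssn", 500: "isakmp"}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x[0-9A-Fa-f]+ "
    r"I=\d+ F=0x[0-9A-Fa-f]+ T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)


@dataclass
class PacketLog:
    chain: str
    target: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    ttl: int
    rule: Optional[int]  # rule index in the chain, if the kernel printed one

    @property
    def proto_name(self) -> str:
        return IP_PROTO.get(self.proto, str(self.proto))

    def describe(self) -> str:
        """One-line explanation of the drop for an admin reading syslog."""
        role = ""
        if self.sport in SERVICE:
            role = f", looks like a {SERVICE[self.sport]} reply from {self.src}"
        elif self.dport in SERVICE:
            role = f", looks like a {SERVICE[self.dport]} request to {self.dst}"
        where = f"rule #{self.rule}" if self.rule is not None else "an unnumbered rule"
        return (f"{self.chain} chain {self.target} on {self.iface} by {where}: "
                f"{self.proto_name} {self.src}:{self.sport} -> "
                f"{self.dst}:{self.dport}{role}")


def parse_line(line: str) -> Optional[PacketLog]:
    """Return a PacketLog for an ipchains log line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rule = m.group("rule")
    return PacketLog(
        chain=CHAIN_NAMES.get(m.group("chain"), m.group("chain")),
        target=m.group("target"),
        iface=m.group("iface"),
        proto=int(m.group("proto")),
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        length=int(m.group("len")),
        ttl=int(m.group("ttl")),
        rule=int(rule) if rule is not None else None,
    )


def parse_syslog(text: str) -> List[PacketLog]:
    """Parse every ipchains Packet log line in a syslog excerpt."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


if __name__ == "__main__":
    for entry in parse_syslog(SAMPLE_LOG):
        print(entry.describe())
```

Run on the sample, the first line decodes as: input chain DENY on ppp0 by rule #7, udp 216.17.128.2:53 -> 216.17.133.10:1024, a DNS reply arriving at the ppp address; that is the packet the masqueraded client is waiting for, and the chain and rule number tell you exactly which entry of the isinglass ruleset to look at.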