This is a discussion on ipchains question within the Linux Security forums, part of the System Security and Security Related category.
LS.

I'm working on an ipchains firewall on a little old Redhat 7.0 server.

After flushing all rules, I start out making standard strategies as follows:

    # ### Standard strategy is DENY ###
    ipchains -P input DENY      # No answer for invalid incoming
    ipchains -P output REJECT   # Error for invalid outgoing
    ipchains -P forward REJECT  # Error for invalid forwarding

Now the book I'm using suggests to put all kinds of rules in the file to deny access from for example class A, B and C networks.

Why is this? (since the standard strategy is to DENY or REJECT)

imho I can just ACCEPT only those packets I would want and discard the others, since they would be denied or rejected, am I right?

Thanks in advance for your enlightenment...

--
-----=====##### PapaBear #####=====-----
Jesus is alive, I spoke with Him this morning!
----------------------------------------------
Brad Olin, on Fri, 07 May 2004 09:49:31 -0500, in
<a37n90lf0o3dt4v8ncts96uiaqo45buvv7@4ax.com>, said this:
>
> /sbin/iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
> /sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
> /sbin/iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
> /sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
> /sbin/iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
> /sbin/iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
> /sbin/iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
>

I have an old book that explains that these are private networks:

    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16

But where do I find out information about the others:

    127.0.0.0/8
    224.0.0.0/4
    240.0.0.0/5

My guess is that the last three are new, but I want to look at the rfc.
PapaBear wrote:
> LS.
>
> I'm working on an ipchains firewall on a little old Redhat 7.0 server.
>
> After flushing all rules, I start out making standard strategies as
> follows:
>
> # ### Standard strategy is DENY ###
> ipchains -P input DENY      # No answer for invalid incoming
> ipchains -P output REJECT   # Error for invalid outgoing
> ipchains -P forward REJECT  # Error for invalid forwarding
>
> Now the book I'm using suggests to put all kinds of rules in the file to
> deny access from for example class A, B and C networks.
>
> Why is this? (since the standard strategy is to DENY or REJECT)
>
> imho I can just ACCEPT only those packets I would want and discard the
> others, since they would be denied or rejected, am I right?

First of all, you should consider switching to iptables rather than ipchains. - But that's for the record.

Then, you don't tell us anything about the book in question, nor about the "all kinds of rules" that are suggested.

What you are after is the mechanism called "spoofing", which in essence fakes the source IP field of your IP packets.

BTW, I've never seen a REJECT target in an output chain of the filter table. Great fun!

Anyways, you want to be more specific about your question.

Cheers,
Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
Brad Olin, on Fri, 07 May 2004 18:43:32 -0500, in
<9m6o9017dv3048l8sto9gcpos15srsvkvb@4ax.com>, said this:
> On Fri, 07 May 2004 21:59:34 GMT, Gary Petersen
> <garyp1492@delete.thisearthlink.nospam> wrote:
>
>> Where do I find out information about
>> the other [ private ip address ranges ]:
>
> google searching is a wonderful thing. A good example is found at
> http://www.faqs.org/docs/linux_netwo...addresses.html
> [...]
>
> Brad

Thanks Brad
>
> /sbin/iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
> /sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
> /sbin/iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
> /sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
> /sbin/iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
> /sbin/iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
> /sbin/iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
>

Would you please tell me which part is suitable to place such rules?

What I want to know is: I added some rules into my scripts to enable services such as HTTP & FTP. Let me call these rules the "Services Section". Should I put the above rules before or after the Services Section?

Thanks in advance!

~ Let us linux ~

-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 100,000 Newsgroups - 19 Different Servers! =-----
"Fool" <fool@tom.com> said:
>>
>> /sbin/iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
>> /sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
>> /sbin/iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
>> /sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
>> /sbin/iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
>> /sbin/iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
>> /sbin/iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
>>
>
> Would you please tell me which part is suitable to place such rules?
> What I want to know is:
> I added some rules into my scripts to enable services such as HTTP & FTP.
> Let me call these rules the "Services Section". Should I put the above rules
> before or after the Services Section?

Well, if your "services section" does "-j ACCEPT", and your services section is before the above set of rules, then the connection will be accepted, even in the case when one of the above rules would've dropped it.

So, the above rules should be wherever you do initial sanity checking for incoming packets - before considering whether or not to provide the requested service.

--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
Juha, Thanks!!
Brad, Thanks!!

~ Let us linux ~
On Fri, 7 May 2004 15:36:02 +0200, PapaBear wrote:
> LS.
>
> I'm working on an ipchains firewall on a little old Redhat 7.0 server.
>
> After flushing all rules, I start out making standard strategies as
> follows:
>
> # ### Standard strategy is DENY ###
> ipchains -P input DENY      # No answer for invalid incoming
> ipchains -P output REJECT   # Error for invalid outgoing
> ipchains -P forward REJECT  # Error for invalid forwarding
>
> Now the book I'm using suggests to put all kinds of rules in the file to
> deny access from for example class A, B and C networks.
>
> Why is this? (since the standard strategy is to DENY or REJECT)
>
> imho I can just ACCEPT only those packets I would want and discard the
> others, since they would be denied or rejected, am I right?
>
> Thanks in advance for your enlightenment...

Well, in the light of all the reactions above: it seems that with the upcoming of the internet the ability to read properly has diminished.

The question was very, very simple: Why should I enter rules to deny packets when the default is set to deny anyway?

Pfff...

Instead of reading my question and trying to answer it, I get all kinds of gibberish about switching to iptables and lectures about addresses of such and such class...

One wonders how (if any) work in this world still gets done.

--
-----=====##### PapaBear #####=====-----
Jesus is alive, I spoke with Him this morning!
----------------------------------------------
On Wed, 12 May 2004 19:08:00 +0200, PapaBear wrote:
> On Fri, 7 May 2004 15:36:02 +0200, PapaBear wrote:
>>
>> After flushing all rules, I start out making standard strategies as
>> follows:
>>
>> # ### Standard strategy is DENY ###
>> ipchains -P input DENY      # No answer for invalid incoming
>> ipchains -P output REJECT   # Error for invalid outgoing
>> ipchains -P forward REJECT  # Error for invalid forwarding
>>
>> Now the book I'm using suggests to put all kinds of rules in the
>> file to deny access from for example class A, B and C networks.
>>
>> Why is this? (since the standard strategy is to DENY or REJECT)
>>
>> imho I can just ACCEPT only those packets I would want and discard
>> the others, since they would be denied or rejected, am I right?
>
> Well, in the light of all the reactions above: it seems that with the
> upcoming of the internet the ability to read properly has diminished.
>
> The question was very, very simple: Why should I enter rules to deny
> packets when the default is set to deny anyway?
>
> Pfff...
>
> Instead of reading my question and trying to answer it, I get all
> kinds of gibberish about switching to iptables and lectures about
> addresses of such and such class...

Those people DID answer your question! You just didn't get the answer you wanted (the answer that would save you some effort), so you disregarded it.

1: DROP, don't REJECT or DENY. The reasons for this are well documented. Probably in the book you referred to.

2: It's not sufficient to drop connections after all the "permit" rules have been passed. Some connections should be dropped BEFORE they have the chance to get approved by some other rule. It's more secure, and it saves time & resources. Connections with spoofed IP sources are NEVER legitimate traffic, and shouldn't be allowed just because they appear to be normal traffic, going to a publicly accessible port.
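Juha's and Julia's point about ordering (and Fool's question of where the anti-spoof DROPs belong relative to the "Services Section") can be checked without touching a live firewall. What follows is an added example, not code posted by anyone in the thread: a small Python model of netfilter's first-match chain walk, loaded with the prefixes from Brad Olin's rules and a services section for HTTP and FTP. It assumes eth0 is the Internet-facing interface (on a box where eth0 is the LAN side, a rule dropping 192.168.0.0/16 on eth0 would cut off the LAN instead of stopping spoofing). The Packet and Rule types, the function names and the sample packets are my own constructions.

```python
# Added example, not code from the thread. Simulates netfilter's first-match
# chain walk so the anti-spoof-before-services ordering can be checked offline.
# Assumptions: eth0 is the external interface; Packet/Rule, the sample packets
# and all function names are constructed here for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Source prefixes that should never arrive on the external interface
# (the list Brad Olin posted, with the reason each one is there).
BOGON_SOURCES = [
    "127.0.0.0/8",     # loopback; only ever valid on lo
    "10.0.0.0/8",      # RFC 1918 private
    "172.16.0.0/12",   # RFC 1918 private
    "192.168.0.0/16",  # RFC 1918 private
    "169.254.0.0/16",  # link-local autoconfiguration
    "224.0.0.0/4",     # multicast; never a valid unicast source
    "240.0.0.0/5",     # reserved, as written in Brad's rules (240.0.0.0/4 is the full reserved block)
]


@dataclass(frozen=True)
class Packet:
    iface: str                 # interface the packet arrived on (-i)
    src: str                   # source IPv4 address
    proto: str                 # "tcp", "udp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT, DROP or REJECT
    iface: Optional[str] = None      # -i
    src: Optional[str] = None        # -s CIDR
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """Walk the chain top to bottom; the first matching rule decides.
    If nothing matches, the chain policy (iptables -P) applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def antispoof_rules(ext_iface: str = "eth0") -> List[Rule]:
    return [Rule("DROP", iface=ext_iface, src=p) for p in BOGON_SOURCES]


def service_rules(ext_iface: str = "eth0") -> List[Rule]:
    # Fool's "Services Section": HTTP plus the FTP control channel.
    return [Rule("ACCEPT", iface=ext_iface, proto="tcp", dport=80),
            Rule("ACCEPT", iface=ext_iface, proto="tcp", dport=21)]


def build_chain(antispoof_first: bool = True) -> List[Rule]:
    """antispoof_first=True is the ordering Juha and Julia recommend."""
    if antispoof_first:
        return antispoof_rules() + service_rules()
    return service_rules() + antispoof_rules()


def source_class(addr: str) -> str:
    """Why a prefix is on the list, using the stdlib's registry knowledge."""
    ip = ipaddress.ip_address(addr)
    for attr in ("is_loopback", "is_link_local", "is_multicast", "is_reserved", "is_private"):
        if getattr(ip, attr):
            return attr[3:].replace("_", "-")
    return "public"


def to_iptables(chain: List[Rule], policy: str = "DROP", name: str = "INPUT") -> str:
    """Render the simulated chain as the equivalent iptables commands, in load order."""
    lines = [f"/sbin/iptables -P {name} {policy}"]
    for r in chain:
        parts = [f"/sbin/iptables -A {name}"]
        if r.iface: parts.append(f"-i {r.iface}")
        if r.src: parts.append(f"-s {r.src}")
        if r.proto: parts.append(f"-p {r.proto}")
        if r.dport is not None: parts.append(f"--dport {r.dport}")
        parts.append(f"-j {r.target}")
        lines.append(" ".join(parts))
    return "\n".join(lines)


if __name__ == "__main__":
    spoofed = Packet("eth0", "10.1.2.3", "tcp", 80)  # constructed: RFC 1918 source arriving from the Internet side
    print("anti-spoof first:", evaluate(build_chain(True), spoofed))   # DROP
    print("services first:  ", evaluate(build_chain(False), spoofed))  # ACCEPT
    print(to_iptables(build_chain()))
```

Run as a script, the spoofed 10.1.2.3 packet aimed at port 80 is dropped when the anti-spoof rules come first and accepted when the services section comes first, which is exactly the case Juha describes. The to_iptables() output is Brad's ruleset plus the two service rules in the order they should be loaded; the original poster's ipchains syntax differs (lowercase chain names, DENY instead of DROP) but ipchains walks its rules in the same first-match order, so the answer to the question of placement is the same.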
Julia Thorne, on Wed, 12 May 2004 14:57:45 -0500, in
<Zkvoc.4373322$iA2.513727@news.easynews.com>, said this:
> [...]
> Connections with spoofed IP sources are NEVER legitimate traffic,
> and shouldn't be allowed just because they appear to be normal
> traffic, going to a publicly accessible port.

If a packet spoofs an address that doesn't belong to a private network, is there any way to detect that it's fake?

PS. Thanks Brad, your iptables config proved to be very educational for me.