Debian ipmasq rules and things


Kaazool
04-06-2002, 09:01 PM
I'm having a hard time finding documentation for the ipmasq rules and I've hit an odd snag: my client machine can ssh anywhere while my router/server cannot.

Anyone have any suggestions? Places I should look for things? The how-to in /usr/share is pretty thin.

And I'm wondering whether I should try to build my ipchains rules into the ipmasq .rul files or not. Or is that stuff already covered? My assumption was that the ipmasq rules were only for protecting the masqueraded machines.

The SSH thing is the wackiest, though. An odd addition: I can ssh out from my client (behind my server) to another server, and then ssh BACK into my server. Huh? Here is what ipchains -L -n gives me:

Chain input (policy DENY):
target prot opt source destination ports
ACCEPT udp ------ 0.0.0.0 255.255.255.255 68 -> 67
ACCEPT all ------ 0.0.0.0/0 0.0.0.0/0 n/a
DENY all ----l- 127.0.0.0/8 0.0.0.0/0 n/a
ACCEPT all ------ 0.0.0.0/0 255.255.255.255 n/a
ACCEPT all ------ 192.168.1.0/24 0.0.0.0/0 n/a
ACCEPT !tcp ------ 0.0.0.0/0 224.0.0.0/4 * -> *
DENY all ----l- 192.168.1.0/24 0.0.0.0/0 n/a
ACCEPT tcp ------ 0.0.0.0/0 12.245.xx.xx * -> 21
ACCEPT tcp ------ 0.0.0.0/0 12.245.xx.xx * -> 20
ACCEPT tcp ------ 0.0.0.0/0 12.245.xx.xx * -> 80
ACCEPT tcp ------ 0.0.0.0/0 12.245.xx.xx * -> 443
ACCEPT tcp ------ 0.0.0.0/0 12.245.xx.xx * -> 113
ACCEPT tcp ------ 0.0.0.0/0 12.245.xx.xx * -> 143
ACCEPT tcp ------ 0.0.0.0/0 12.245.xx.xx * -> 110
ACCEPT tcp ------ 0.0.0.0/0 12.245.xx.xx * -> 22
ACCEPT udp ------ 0.0.0.0/0 12.245.xx.xx * -> 22
ACCEPT tcp ------ 0.0.0.0/0 12.245.xx.xx * -> 23
DENY tcp ----l- 0.0.0.0/0 12.245.xx.xx * -> 0:1024
ACCEPT all ------ 0.0.0.0/0 255.255.255.255 n/a
ACCEPT all ------ 0.0.0.0/0 12.245.xx.xx n/a
ACCEPT all ------ 0.0.0.0/0 255.255.255.255 n/a
DENY all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
Chain forward (policy DENY):
target prot opt source destination ports
MASQ all ------ 192.168.1.0/24 0.0.0.0/0 n/a
DENY all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
Chain output (policy DENY):
target prot opt source destination ports
ACCEPT udp ------ 192.168.1.1 255.255.255.255 67 -> 68
ACCEPT all ------ 0.0.0.0/0 0.0.0.0/0 n/a
ACCEPT all ------ 0.0.0.0/0 255.255.255.255 n/a
ACCEPT all ------ 0.0.0.0/0 192.168.1.0/24 n/a
ACCEPT !tcp ------ 0.0.0.0/0 224.0.0.0/4 * -> *
DENY all ----l- 0.0.0.0/0 192.168.1.0/24 n/a
ACCEPT all ------ 0.0.0.0/0 255.255.255.255 n/a
ACCEPT all ------ 12.245.xx.xx 0.0.0.0/0 n/a
ACCEPT all ------ 255.255.255.255 0.0.0.0/0 n/a
DENY all ----l- 0.0.0.0/0 0.0.0.0/0 n/a

Frankly, I'd rather have my box be tighter and then eased out than a honeypot from the get-go (of course, though, since I'm new to this my chains might be completely useless :p).

Thanks,

Kaazool
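An added example, not from the original post or from the ipmasq package: a small first-match simulator for an ipchains -L -n listing. It parses a constructed listing shaped like the one above (the router's public address is replaced by the documentation address 192.0.2.10, and the interface-bound catch-all rules are left out, since -L -n does not print the interface they are tied to) and reports which rule a given packet would hit in each chain. The addresses 198.51.100.5 and 192.168.1.5 are assumed stand-ins for a remote host and a LAN client. Note the caveat in the docstring: without -v, interface (-i) and SYN-only (-y) conditions are invisible, so two rules that print identically can still differ on the box.

```python
"""Walk packets through an ipchains(8) -L -n listing, first match wins.

ipchains evaluates a chain top to bottom; the first matching rule with a
target (ACCEPT, DENY, REJECT, MASQ) decides, and the chain policy applies
only when nothing matched.  Caveat: without -v the listing hides interface
(-i) and SYN-only (-y) conditions, so identical-looking rules can differ.
"""
import ipaddress
import re
from collections import namedtuple

# Constructed sample (not the poster's exact listing): shaped like the ipmasq
# ruleset in the post, with the router's public address replaced by the
# documentation address 192.0.2.10.  The interface-bound catch-all rules
# (ACCEPT all 0.0.0.0/0 0.0.0.0/0) are left out: -L -n cannot show the
# interface they are tied to, and as printed they would match every packet.
SAMPLE = """\
Chain input (policy DENY):
target prot opt source destination ports
ACCEPT udp ------ 0.0.0.0 255.255.255.255 68 -> 67
DENY all ----l- 127.0.0.0/8 0.0.0.0/0 n/a
ACCEPT all ------ 192.168.1.0/24 0.0.0.0/0 n/a
ACCEPT !tcp ------ 0.0.0.0/0 224.0.0.0/4 * -> *
ACCEPT tcp ------ 0.0.0.0/0 192.0.2.10 * -> 22
DENY tcp ----l- 0.0.0.0/0 192.0.2.10 * -> 0:1024
ACCEPT all ------ 0.0.0.0/0 192.0.2.10 n/a
DENY all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
Chain forward (policy DENY):
target prot opt source destination ports
MASQ all ------ 192.168.1.0/24 0.0.0.0/0 n/a
DENY all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
Chain output (policy DENY):
target prot opt source destination ports
ACCEPT all ------ 192.0.2.10 0.0.0.0/0 n/a
DENY all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\):")
ANY_PORT = (0, 65535)
# proto is "all", "tcp", "udp", "!tcp", ...; log is the 'l' flag of the opt
# column; sport/dport are inclusive (lo, hi) ranges.
Rule = namedtuple("Rule", "target proto log src dst sport dport")
Packet = namedtuple("Packet", "proto src dst sport dport")


def _port_range(text):
    if text == "*":
        return ANY_PORT
    lo, _, hi = text.partition(":")          # "22" or "0:1024"
    return (int(lo), int(hi or lo))


def parse_listing(text):
    """Return {chain: (policy, [Rule, ...])} from ipchains -L -n output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue                         # blank line or column header
        target, proto, opt, src, dst, *ports = line.split()
        if ports == ["n/a"]:                 # protocol has no ports
            sport = dport = ANY_PORT
        else:                                # "sport -> dport"
            sport, dport = _port_range(ports[0]), _port_range(ports[2])
        chains[current][1].append(Rule(
            target, proto, "l" in opt,
            ipaddress.ip_network(src, strict=False),
            ipaddress.ip_network(dst, strict=False), sport, dport))
    return chains


def matches(rule, pkt):
    if rule.proto.startswith("!"):           # negated protocol, e.g. !tcp
        proto_ok = pkt.proto != rule.proto[1:]
    else:
        proto_ok = rule.proto in ("all", pkt.proto)
    return (proto_ok
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.sport[0] <= pkt.sport <= rule.sport[1]
            and rule.dport[0] <= pkt.dport <= rule.dport[1])


def walk(chains, chain, pkt):
    """Return (verdict, 1-based rule number or None for policy, logged?)."""
    policy, rules = chains[chain]
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.target, n, rule.log
    return policy, None, False


if __name__ == "__main__":
    chains = parse_listing(SAMPLE)
    router, remote, lan = "192.0.2.10", "198.51.100.5", "192.168.1.5"
    for label, chain, pkt in [
        ("router ssh out", "output", Packet("tcp", router, remote, 40000, 22)),
        ("ssh reply to router", "input", Packet("tcp", remote, router, 22, 40000)),
        ("smtp to router", "input", Packet("tcp", remote, router, 50000, 25)),
        ("LAN client out", "forward", Packet("tcp", lan, remote, 40000, 22)),
    ]:
        print(f"{label:20s} {chain:8s} -> {walk(chains, chain, pkt)}")
```

Feed it your own `ipchains -L -n` output in place of SAMPLE and try the packet for the connection that fails; the third element of the result tells you whether the matching rule carries the log flag, in which case the kernel log on the router should show the same verdict for the real packet. If a packet lands on a catch-all rule that should have been interface-specific, that is the listing hiding -i, not the rule accepting everything.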