by July 7, 2001 0 comments



Ipchains is a packet-filtering firewall package. You can find an RPM of Ipchains in RedHat/RPMS in the latest PC Quest RedHat CD. First you have to check whether the Linux kernel supports Ipchains. For this, look for a file named ip_fwchains in /proc/net. If it’s not there, then you will have to recompile your kernel. The KERNEL-HOWTO and IP CHAINS-HOWTO will help you. If the file exists, then you can check whether Ipchains is already installed.

As root, type

rpm —qa | grep ipchains

If you do not get any output then you must install the package from the RedHat/RPMS directory in the CD using the command:

rpm —ivh ipchains*

Why the name Ipchains?
Ipchains is so called because it deals with IP packets at the Network Layer, and the rules defined in it are based on three inbuilt chains called input chain,output chain and forward chain. A rule can be something like “if the source of the packet is Sachin’s machine, then deny access”. Packets arriving at the machine running Ipchains are compared against rules defined in the input chain. If these packets are destined for another machine, they are redirected after being compared against rules in the forward chain. The output chain processes packets going out of the firewall. Apart from these three, you can also have your own user-defined chains. The rules for each chain define access control based on source, destination, port, protocol or other information contained in IP headers.

Configuring Ipchains
To block all packets from a particular source, issue the following command at the Linux shell prompt:

ipchains —A input —i eth0 —s hackers.com -j DENY

Here —A is to add a rule (to deny any packets from hackers.com) to the input chain. It’s assumed that this Linux box is connected to the Internet over the Ethernet network. So the packets will arrive on the Ethernet card interface named eth0 specified by —i eth0. If you have more than one ethernet card, omitting the -i option will mean all interfaces including non-Ethernet interfaces like the PPP interface for a dial-up Internet connection. All Ethernet interfaces can be included with —i eth+. Next,—s stands for the source of packets, which in this case is hackers.com. You can also use the IP address instead of a domain name. Finally, the —j DENY option instructs Ipchains to deny such packets. When you use DENY, the packets are simply trashed without giving any error message to the source. The source doesn’t know anything about what happened to the incoming request. We can use REJECT in place of DENY to tell the source that a packet has been discarded. The Opposite of DENY and REJECT is ACCEPT. Note that we are not using any port number, which means that access will be denied to all packets from any port.

This was for someone from hackers. com trying to access your network. Now, if you don’t want users in your network to access hackers.com then add a rule to the output chain:

ipchains —A output —i eth0 -d hackers.com -j REJECT

Here —d specifies the destination address.

Now, suppose one of the machines in your network, with IPaddress 192.168.1. 10, has very sensitive data, which is used by people in your private network, but that machine must not be accessed by anyone from theInternet–that is, from outside the range of IP addresses assigned to local network. A rule added to the input chain as below protects 192.168.1.10.

ipchains —A input —s ! 192.168.1.0/255.255.255.0 —d192.168.1.10 —j DENY

The ! (NOT) specifies that if the source of the packets is not between 192.168.1.1 to 192.168.1.254, then access is to be denied.

Telnet and ftp are important, but insecure services. You can block access to these services to users other than in your private network.Suppose the machine 192.168.1.15 on your network provides Telnet and FTP access to others.

ipchains —A input —p tcp —s ! 192.168.1.0/255.255.255.0—d 192.168.1.15 telnet —j REJECT

ipchains —A input —p tcp —s ! 192.168.1.0/255.255.255.0—d 192.168.1.15 ftp —j REJECT

These rules specify that, if the machine sending the request is not between 192.168.1.1 to 192.168.1.254 and if the destination is the Telnet(first command) or FTP port (second command) of the destination (192.168.1.15),then reject the packets. Since Telnet and FTP use TCP protocol, you must specify the protocol with the —p option.

In place of the words telnet and ftp you can specify the portnumbers (23 for Telnet and 21 for FTP). You can look into the /etc/services file for the well-known ports and their names.

Ports below 1024 are used by standard or defined services like HTTP, FTP, Telnet, SMTP etc.; and ports above 1024 are used by non-standard services, for example, by Instant Messengers like ICQ and streaming audio/video like Realaudio and Realvideo. Now, if you don’t want your network users to use non-standard services then you can block access (incoming as well as outgoing)to these ports with:

ipchains -A input —p tcp -s 0/0 ! 0:1024 —j REJECT

ipchains —A output —p tcp —d 0/0 ! 0:1024 —j REJECT

ipchains -A input —p udp -s 0/0 ! 0:1024 —j REJECT

ipchains —A output —p udp -d 0/0 ! 0:1024 —j REJECT

Since we are concerned with blocking the incoming as well as outgoing packets using the non-standard ports, we add rules in both the input and output chains. The services, whether standard or non-standard, use either TCP or UDP protocol. The protocol is specified by the —p option. Next, a source 0/0 and a destination 0/0 is specified where 0/0 means any machine.Finally the port range is specified as :. And our command is about packets NOT(!) falling within the specified range.

When browsing the Internet, you will want to connect to machines on the Internet but would not want to allow them to connect to (as different from accessing) your machines. TCP packets which initialize a connection, have the SYN flag set (to 1) in their header. So, we have to block all the incoming TCP packets, which have this flag set. This is done as follows:

ipchains —A input —i eth1 -p tcp -s !192.168.1.0/255.255.255.0 —y —j REJECT

This will deny connection to all the TCP-based services like Telnet, FTP, HTTP. Substitute eth1 with the name of the external interface (the interface to the Internet). The —y option checks for SYN flag set. For dial-up connections, the external interface would be ppp0.

The following rule can be used by a desktop user using a dial-up connection to deny connections to his machine.

ipchains —A input —i ppp0 -p tcp —s 0/0 —y —jREJECT

The machine acting as your Internet gateway has an (static ordynamic) IP address provided by your ISP. The other machines in your network–whichdo not have an ISP assigned IP–use this machine to connect to the Internet.The gateway transfers the IP packets from the private network to the Internet replacing the source address of each packet with its own IP address. In case of incoming packets from the Internet, it replaces their IP address with the IP address of the destination machine on the private network. This substitution of IP addresses is called IP Masquerading. You can set up IP masquerading using Ipchains by inserting the following rule in the forward chain.

ipchains -A forward -i eth1 -s 192.1.8.1.0/255.255.255.0 —d! 192.168.1.0/255.255.255.0 -j MASQ

Note that here masquerading is done only if the destinationis outside the private network.

If you are using the machine as a HTTP proxy server, then you need to go through the hassle of configuring all the machines with the IPaddress and port of the proxy server. An easy way out is transparent proxying.Using Ipchains, you can redirect all the TCP requests at port 80 (named www) to the port (say port 8000) to which the proxy server is listening to. This is doneusing the REDIRECT option as follows:

ipchains -A input -p tcp -d 0/0 www -j REDIRECT 8000

Closed and Open chains

What we had been working on so far is open chains and we wereDENYing access to specific services. An open output chain is specified as:

ipchains —P output ACCEPT

A closed chain is one in which you deny access to everything.Subsequently you can allow access (using ACCEPT option) to the requiredservices. A closed input chain is specified with the —P (policy) option as:

ipchains —P input DENY

You can also use REJECT in place of DENY.

Testing and debugging

We can list all the rules in all the chains using —Loption. To see the rules defined in a particular chain:

ipchains —n —L output

This displays all the rules for the output chain. If you wantto see machine names instead of their IP addresses, remove the —n option.

We can use the —C option to simulate an actual transactionto test the integrity of the rules defined in Ipchains. To test the examplewhere we were denying access to the machine 192.168.1.10, we send a udp packetfrom a source 202.54.90. 63 (an address outside the range of your privatenetwork) to the machine 192.168.1.10. We must use a source and a destinationport ( for example 8888) This is done as below:

ipchains —C input —i eth0 —p udp —s 202.54.90.63 8888—d 192.168.1.10 8888

You will get a "denied" message, which proves thatthe rule works.

If you use the —l option while adding a rule, before the—A option, then all the packets which match the rule are logged. For example,to log the matching packets for the rule specified in example of IPmasquerading:

ipchains —l -A forward -i eth1 -s 192.168.1.0/255.255.255.0—d ! 192.168.1.0 /255.255.255.0 -j MASQ

You can view the log using:

dmesg | grep "Packet log"

You can delete a rule in a chain using —D option. You caneither specify the number of the rule in the chain. For example, we can deletethe fifth rule in the output chain as:

ipchains —D output 5

This can easily lead to errors. So, a more specific method isto type the entire rule, as when adding a rule, but replacing —A with —D.

To delete all the rules in a chain use the —F option.

ipchains —F <name-of-the-chain>

Here <name-of-the-chain> can be input, output orforward.

Note that after a reboot, all the rules that are entered atthe command prompt are lost. Hence you need to type the rules in a start upscript.

Shekhar Govindarajan

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

Your data will be safe!Your e-mail address will not be published. Also other data will not be shared with third person.