by July 6, 2001 0 comments




The recent explosion of
interest in Linux has brought into sharp focus an amazing model for software development,
commonly referred to as the Open Source model. As major IT corporations, who’re
convinced of the benefits of this model, join the movement, the search for an economic
model to fuel the development model has well and truly begun. Not that true open-source
developers need one.

The Open Source Movement (OSM) is a
development model for computing applications, where developers of these applications
release their code to the computing community, without any restrictive licensing.
Interested members take the development forward rapidly, resulting in high-quality
applications reaching the end-user in a short time and at low cost. The core development
group usually also takes on the responsibility for support, upgrades, and maintenance, via
Internet forums like mailing lists, newsgroups, and relay chat groups. As the number of
development groups adopting this model increases, the simplistic definition given here is
increasingly being argued, stretched, re-interpreted and well, not surprisingly, just
hacked! Even as the GNU Public License, or GPL (for more on this, go to
www.gnu.org)–the original manifesto of the Open Source community–comes under
ever increasing strain, developers chasing such ephemeral desires as gift-giving,
ego-boosts and just plain fun continue to release high-quality code to grateful users.
Most users have begun to prefer their software “gift-wrapped” rather than
“shrink-wrapped”. And no prizes for guessing who’s laughing away from the
bank.

Eric Raymond, the commonly acknowledged
prophet of this movement (the gods clearly are Linus Torvalds with Richard Stallman), and
the maintainer of “fetchmail”, has interpreted Open Source for the masses in a
series of three compelling articles (follow links from www.opensource.org to read these).
The force of his reason in the first–”The Cathedral and the
Bazaar”–prompted Netscape to release the code of their browser to the public.
The second–”Homesteading the Noosphere”–convinced many doubting
Thomases that Open Source made economic sense as well. By the time he finished his
third–”The Magic Cauldron”–he was already preaching to the converted.
The number of different reasons driving users and developers towards Open Source software
is as large as the size of the community. No wonder then that learned articles by
sociologists and economists trying to get a hold on the movement are beginning to read a
bit like /etc/sendmail.cf. Not that anyone’s stopping to read.

The list of Open Source hits is
long–the Linux operating system, GNU compilers and development tools from the Free
Software Foundation, database managers like PostgreSQL and MySQL, Webservers like Apache,
mail manager sendmail, the very promising GUI’s KDE and Gnome, and the highly popular
Web browser Netscape (Mozilla) are all success stories of this development model.
Accompanying these biggies are a host of Open Source wannabes. Gone are the days when you
could scroll down http://freshmeat.net (the open source application index) with two clicks
of the mouse. It’s more like eight or ten, the last time I checked.

Configuring Ipchains
To block all packets from a particular source, issue the following command at the Linux shell prompt:

ipchains —A input —i eth0 —s hackers.com -j DENY

Here —A is to add a rule (to deny any packets from hackers.com) to the input chain. It’s assumed that this Linux box is connected to the Internet over the Ethernet network. So the packets will arrive on the Ethernet card interface named eth0 specified by —i eth0. If you have more than one ethernet card, omitting the -i option will mean all interfaces including non-Ethernet interfaces like the PPP interface for a dial-up Internet connection. All Ethernet interfaces can be included with —i eth+. Next,—s stands for the source of packets, which in this case is hackers.com. You can also use the IP address instead of a domain name. Finally, the —j DENY option instructs Ipchains to deny such packets. When you use DENY, the packets are simply trashed without giving any error message to the source. The source doesn’t know anything about what happened to the incoming request. We can use REJECT in place of DENY to tell the source that a packet has been discarded. The Opposite of DENY and REJECT is ACCEPT. Note that we are not using any port number, which means that access will be denied to all packets from any port.

This was for someone from hackers. com trying to access your network. Now, if you don’t want users in your network to access hackers.com then add a rule to the output chain:

ipchains —A output —i eth0 -d hackers.com -j REJECT

Here —d specifies the destination address.

Now, suppose one of the machines in your network, with IPaddress 192.168.1. 10, has very sensitive data, which is used by people in your private network, but that machine must not be accessed by anyone from theInternet–that is, from outside the range of IP addresses assigned to local network. A rule added to the input chain as below protects 192.168.1.10.

ipchains —A input —s ! 192.168.1.0/255.255.255.0 —d192.168.1.10 —j DENY

The ! (NOT) specifies that if the source of the packets is not between 192.168.1.1 to 192.168.1.254, then access is to be denied.

Telnet and ftp are important, but insecure services. You can block access to these services to users other than in your private network.Suppose the machine 192.168.1.15 on your network provides Telnet and FTP access to others.

ipchains —A input —p tcp —s ! 192.168.1.0/255.255.255.0—d 192.168.1.15 telnet —j REJECT

ipchains —A input —p tcp —s ! 192.168.1.0/255.255.255.0—d 192.168.1.15 ftp —j REJECT

These rules specify that, if the machine sending the request is not between 192.168.1.1 to 192.168.1.254 and if the destination is the Telnet(first command) or FTP port (second command) of the destination (192.168.1.15),then reject the packets. Since Telnet and FTP use TCP protocol, you must specify the protocol with the —p option.

In place of the words telnet and ftp you can specify the portnumbers (23 for Telnet and 21 for FTP). You can look into the /etc/services file for the well-known ports and their names.

Ports below 1024 are used by standard or defined services like HTTP, FTP, Telnet, SMTP etc.; and ports above 1024 are used by non-standard services, for example, by Instant Messengers like ICQ and streaming audio/video like Realaudio and Realvideo. Now, if you don’t want your network users to use non-standard services then you can block access (incoming as well as outgoing)to these ports with:

ipchains -A input —p tcp -s 0/0 ! 0:1024 —j REJECT

ipchains —A output —p tcp —d 0/0 ! 0:1024 —j REJECT

ipchains -A input —p udp -s 0/0 ! 0:1024 —j REJECT

ipchains —A output —p udp -d 0/0 ! 0:1024 —j REJECT

Since we are concerned with blocking the incoming as well as outgoing packets using the non-standard ports, we add rules in both the input and output chains. The services, whether standard or non-standard, use either TCP or UDP protocol. The protocol is specified by the —p option. Next, a source 0/0 and a destination 0/0 is specified where 0/0 means any machine.Finally the port range is specified as :. And our command is about packets NOT(!) falling within the specified range.

When browsing the Internet, you will want to connect to machines on the Internet but would not want to allow them to connect to (as different from accessing) your machines. TCP packets which initialize a connection, have the SYN flag set (to 1) in their header. So, we have to block all the incoming TCP packets, which have this flag set. This is done as follows:

ipchains —A input —i eth1 -p tcp -s !192.168.1.0/255.255.255.0 —y —j REJECT

This will deny connection to all the TCP-based services like Telnet, FTP, HTTP. Substitute eth1 with the name of the external interface (the interface to the Internet). The —y option checks for SYN flag set. For dial-up connections, the external interface would be ppp0.

The following rule can be used by a desktop user using a dial-up connection to deny connections to his machine.

ipchains —A input —i ppp0 -p tcp —s 0/0 —y —jREJECT

The machine acting as your Internet gateway has an (static ordynamic) IP address provided by your ISP. The other machines in your network–whichdo not have an ISP assigned IP–use this machine to connect to the Internet.The gateway transfers the IP packets from the private network to the Internet replacing the source address of each packet with its own IP address. In case of incoming packets from the Internet, it replaces their IP address with the IP address of the destination machine on the private network. This substitution of IP addresses is called IP Masquerading. You can set up IP masquerading using Ipchains by inserting the following rule in the forward chain.

ipchains -A forward -i eth1 -s 192.1.8.1.0/255.255.255.0 —d! 192.168.1.0/255.255.255.0 -j MASQ

Note that here masquerading is done only if the destinationis outside the private network.

If you are using the machine as a HTTP proxy server, then you need to go through the hassle of configuring all the machines with the IPaddress and port of the proxy server. An easy way out is transparent proxying.Using Ipchains, you can redirect all the TCP requests at port 80 (named www) to the port (say port 8000) to which the proxy server is listening to. This is doneusing the REDIRECT option as follows:

ipchains -A input -p tcp -d 0/0 www -j REDIRECT 8000

Closed and Open chains

What we had been working on so far is open chains and we wereDENYing access to specific services. An open output chain is specified as:

ipchains —P output ACCEPT

A closed chain is one in which you deny access to everything.Subsequently you can allow access (using ACCEPT option) to the requiredservices. A closed input chain is specified with the —P (policy) option as:

ipchains —P input DENY

You can also use REJECT in place of DENY.

Testing and debugging

We can list all the rules in all the chains using —Loption. To see the rules defined in a particular chain:

ipchains —n —L output

This displays all the rules for the output chain. If you wantto see machine names instead of their IP addresses, remove the —n option.

We can use the —C option to simulate an actual transactionto test the integrity of the rules defined in Ipchains. To test the examplewhere we were denying access to the machine 192.168.1.10, we send a udp packetfrom a source 202.54.90. 63 (an address outside the range of your privatenetwork) to the machine 192.168.1.10. We must use a source and a destinationport ( for example 8888) This is done as below:

ipchains —C input —i eth0 —p udp —s 202.54.90.63 8888—d 192.168.1.10 8888

You will get a "denied" message, which proves thatthe rule works.

If you use the —l option while adding a rule, before the—A option, then all the packets which match the rule are logged. For example,to log the matching packets for the rule specified in example of IPmasquerading:

ipchains —l -A forward -i eth1 -s 192.168.1.0/255.255.255.0—d ! 192.168.1.0 /255.255.255.0 -j MASQ

You can view the log using:

dmesg | grep "Packet log"

You can delete a rule in a chain using —D option. You caneither specify the number of the rule in the chain. For example, we can deletethe fifth rule in the output chain as:

ipchains —D output 5

This can easily lead to errors. So, a more specific method isto type the entire rule, as when adding a rule, but replacing —A with —D.

To delete all the rules in a chain use the —F option.

ipchains —F <name-of-the-chain>

Here <name-of-the-chain> can be input, output orforward.

Note that after a reboot, all the rules that are entered atthe command prompt are lost. Hence you need to type the rules in a start upscript.

Shekhar Govindarajan

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

<