TCLUG Archive

Re: [TCLUG:13767] IPCHAINS again...
> Anyone know what I'm doing wrong now?...

TCP connections send packets in two ways, of course, regardless of the
direction from which they are initiated.  What you are doing in this
case is to block packets coming into your machine.  What you really want
to do is to block packets that are in streams where the SYN packets did
not originate from your machine, meaning that another computer initiates
the stream, not your computer.  You can do this using the -y option to
ipchains.

Consider using a rule like this:

ipchains -A input -p tcp -s 0/0 -d 0/0 -j DENY -y -l

Such a rule allows only tcp connections that are started by your
machine, and not ones that are initiated from the outside.  Do not think
that you can write one ipchains rule that will in itself create a
firewall; such a rule will be either quite insecure, or it will (as in
the case you mentioned) be so secure that it will be overly limiting.

I recommend you take a look at the ipchains howto:

http://howto.tucows.com/LDP/HOWTO/IPCHAINS-HOWTO-4.html

Especially look at section 4.1: Specifying TCP SYN Packets Only

-R


--
-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^
Ryan Hankins 
University Of Minnesota, Duluth
-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^
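The SYN-only match the reply describes, modelled as an added Python example; this is not code from the post or from ipchains itself. It mirrors what `-y` matches (SYN set, ACK and FIN clear) and runs the one-rule input chain from the post over a handful of constructed inbound packets, next to the block-all-inbound-TCP rule the original question effectively wrote. The addresses and the default ACCEPT policy of the chain are assumptions made for the demonstration.

```python
"""Model of the ipchains -y (SYN-only) match from the reply. Added example; all
packets below are constructed, not captured traffic."""
from dataclasses import dataclass

# Standard TCP header flag bits
SYN, ACK, FIN = 0x02, 0x10, 0x01


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", ...
    src: str     # constructed addresses, no real hosts
    dst: str
    flags: int   # TCP flag bits; 0 for non-TCP protocols


def is_syn_only(pkt: Packet) -> bool:
    """What ipchains' -y matches: SYN set, ACK and FIN both clear.
    Only meaningful for TCP, so anything else never matches."""
    if pkt.proto != "tcp":
        return False
    return bool(pkt.flags & SYN) and not (pkt.flags & (ACK | FIN))


def input_chain_verdict(pkt: Packet) -> str:
    """Verdict of the input chain holding only the rule from the post:
        ipchains -A input -p tcp -s 0/0 -d 0/0 -j DENY -y -l
    Packets that miss the rule fall through to the chain policy, assumed ACCEPT here."""
    if is_syn_only(pkt):
        return "DENY"   # -l would also log this packet via the kernel log
    return "ACCEPT"


def block_all_tcp_verdict(pkt: Packet) -> str:
    """The over-restrictive alternative the reply warns against:
    deny every inbound TCP packet, which also kills replies to our own connections."""
    return "DENY" if pkt.proto == "tcp" else "ACCEPT"


# Constructed inbound traffic as seen on the input chain (remote -> us).
CONSTRUCTED_INBOUND = [
    ("remote opens a connection to us", Packet("tcp", "203.0.113.5", "192.0.2.10", SYN)),
    ("reply to a connection we opened", Packet("tcp", "203.0.113.5", "192.0.2.10", SYN | ACK)),
    ("data on an established stream",   Packet("tcp", "203.0.113.5", "192.0.2.10", ACK)),
    ("remote closes the stream",        Packet("tcp", "203.0.113.5", "192.0.2.10", FIN | ACK)),
    ("udp datagram (e.g. a DNS answer)", Packet("udp", "203.0.113.5", "192.0.2.10", 0)),
]


def run_chain(packets=CONSTRUCTED_INBOUND):
    """Return (label, verdict with the -y rule, verdict with block-all-TCP) per packet."""
    return [(label, input_chain_verdict(p), block_all_tcp_verdict(p)) for label, p in packets]


if __name__ == "__main__":
    for label, syn_rule, block_all in run_chain():
        print(f"{label:34}  -y rule: {syn_rule:6}  block-all-tcp: {block_all}")
```

Only the first packet, the one carrying a bare SYN from outside, is denied by the `-y` rule; the SYN/ACK and data packets that belong to streams this machine started pass through, which is exactly the distinction the reply draws. The block-all-TCP column shows why the original rule felt "overly limiting": it drops those replies too.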