Gentoo Linux Security Guide
Conny R. Landstedt
2002-06-24 01:50:45 UTC
To Kim Nielsen & Gentoo-dev

In the "Gentoo Linux Security Guide"
Code listing 64: /etc/init.d/firewall
#Incoming traffic
einfo "Creating incoming ssh traffic chain"
$IPTABLES -N allow-ssh-traffic-in
$IPTABLES -F allow-ssh-traffic-in
$IPTABLES -A allow-ssh-traffic-in -p tcp --sport ssh -j ACCEPT
I'm not absolutely certain, but shouldn't it be "--dport" instead of
"--sport"?

Reg. Conny
Kim Nielsen
2002-06-24 05:51:31 UTC
Post by Conny R. Landstedt
To Kim Nielsen & Gentoo-dev
In the "Gentoo Linux Security Guide"
Code listing 64: /etc/init.d/firewall
#Incoming traffic
einfo "Creating incoming ssh traffic chain"
$IPTABLES -N allow-ssh-traffic-in
$IPTABLES -F allow-ssh-traffic-in
$IPTABLES -A allow-ssh-traffic-in -p tcp --sport ssh -j ACCEPT
I'm not absolutely certain, but shouldn't it be "--dport" instead of
"--sport"?
No .. since --sport would be the client port and not the actual port of
the service

example:

You create a http request to gentoo.org and this is what happens

1. get ip for gentoo.org (64.57.168.198)
2. allocate a client port
3. send request from <ip>:<port> (Source) to 64.57.168.198:80
(Destination)

The http server on gentoo.org says:
1. I got a request on port 80
2. send request back to <ip>:<port>

And if the firewall is installed, it checks the allowed chains to see if anyone is
allowed to send packets to port 80 (the server's port 80, the destination
port) ..

If you were to use sport instead of dport you would only allow the
packet if the user sends from client port 80, which is very unlikely
since ports below 1024 are privileged ports.

/Kim
Kim Nielsen
2002-06-24 17:52:01 UTC
Post by Kim Nielsen
No .. since --sport would be the client port and not the actual port of
the service
You create a http request to gentoo.org and this is what happens
1. get ip for gentoo.org (64.57.168.198)
2. allocate a client port
3. send request from <ip>:<port> (Source) to 64.57.168.198:80
(Destination)
1. I got a request on port 80
2. send request back to <ip>:<port>
And if the firewall is installed, it checks the allowed chains to see if anyone is
allowed to send packets to port 80 (the server's port 80, the destination
port) ..
[SNIP]
Post by Kim Nielsen
If you were to use sport instead of dport you would only allow the
packet if the user sends from client port 80, which is very unlikely
since ports below 1024 are privileged ports.
I'm sorry .. you are right .. I misunderstood your last mail. It will be
corrected as soon as possible.

/Kim
Miguel S. Filipe
2002-06-25 01:24:39 UTC
Post by Conny R. Landstedt
To Kim Nielsen & Gentoo-dev
In the "Gentoo Linux Security Guide"
Code listing 64: /etc/init.d/firewall
#Incoming traffic
einfo "Creating incoming ssh traffic chain"
$IPTABLES -N allow-ssh-traffic-in
$IPTABLES -F allow-ssh-traffic-in
$IPTABLES -A allow-ssh-traffic-in -p tcp --sport ssh -j ACCEPT
I'm not absolutely certain, but shouldn't it be "--dport" instead of
"--sport"?
Reg. Conny
_______________________________________________
gentoo-dev mailing list
http://lists.gentoo.org/mailman/listinfo/gentoo-dev
I believe that the line is for ssh traffic in, which means that you
connect to a server on the internet on the ssh port,
and the rule makes it "allowable" for you to receive the traffic that
comes from the server
(otherwise you wouldn't be able to use the session because you would
drop everything that comes from the server to you).

But that shouldn't be needed if one uses a stateful firewall like
iptables...
In my "home made" firewall I have this:
# Accept established connections and related ones
$IPT -A NET -m state --state ESTABLISHED,RELATED -j ACCEPT
where NET represents every INPUT from the internet (the network device which
goes to the net),
so, since I accept outgoing connections to ssh (it's also in the
firewall), whenever I initiate a ssh connection to the outside it
becomes accepted.

I'm not sure that the "allow-ssh-traffic-in" is what I've just said;
it's a guess since I don't know/use that firewall, but if it is, I
believe that something like accepting the outgoing connection & using
that "--state ESTABLISHED,RELATED" would make the rule set cleaner
and easier to manage...

«just my two euro cents»

And by the way, anyone was able to get dcc send and receive working with
masquerading with iptables?

Miguel Sousa Filipe
Gentoo user since November 2001 ;-)

p.s.: if anyone want's to see my rule set it's in:

URL: http://mega.ist.utl.pt/~mmsf/configs/rc.icewall
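The disagreement above about "--sport ssh" versus "--dport ssh", and Miguel's suggestion of a stateful ESTABLISHED,RELATED rule, can be made concrete with a small model of how iptables would evaluate each version. This is an added example, not code from the Gentoo Linux Security Guide or from anyone on this thread: it implements a toy matcher for the rule syntax quoted above (the user chain allow-ssh-traffic-in is stood in for by INPUT directly, and conntrack is simplified to a table of accepted 5-tuples with no RELATED tracking). The addresses, port numbers and packets are constructed for the demonstration.

```python
"""Toy iptables matcher for the rules debated in this thread (constructed example).

A tiny parser for the rule syntax quoted above plus a simplified conntrack table,
enough to compare '--sport ssh', '--dport ssh' and '--state ESTABLISHED,RELATED'.
"""
from dataclasses import dataclass

SERVICES = {"ssh": 22, "http": 80}   # subset of /etc/services (constructed)
HOST = "192.0.2.10"                  # the firewalled machine (RFC 5737 doc address)
REMOTE = "198.51.100.7"              # some other machine on the internet (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def _port(token):
    """Resolve a service name or a numeric string, as '--dport ssh' does."""
    return SERVICES[token] if token in SERVICES else int(token)


def parse_rule(text):
    """Parse '-A CHAIN [-p P] [--sport N] [--dport N] [-m state --state S,..] -j TARGET'."""
    rule = dict(chain=None, proto=None, sport=None, dport=None, state=None, target=None)
    toks = text.split()
    for opt, arg in zip(toks[::2], toks[1::2]):   # every option here takes one argument
        if opt == "-A":
            rule["chain"] = arg
        elif opt == "-p":
            rule["proto"] = arg
        elif opt in ("--sport", "--dport"):
            rule[opt[2:]] = _port(arg)            # key "sport" or "dport"
        elif opt == "--state":
            rule["state"] = set(arg.split(","))
        elif opt == "-j":
            rule["target"] = arg
        elif opt != "-m":  # '-m state' only loads the match module; '--state' is the test
            raise ValueError(f"unsupported option {opt!r}")
    return rule


class Firewall:
    """Ordered rules with a DROP policy; conntrack keyed by the original-direction 5-tuple.
    Simplification: RELATED (ICMP errors, helper-tracked data connections) is not modelled."""

    def __init__(self, rules, policy="DROP"):
        self.rules = [parse_rule(r) for r in rules]
        self.policy = policy
        self.conntrack = {}  # original 5-tuple -> True once a reply has been seen

    @staticmethod
    def _tuples(pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return fwd, rev

    def _state(self, pkt):
        """ESTABLISHED only if the connection has traffic in both directions."""
        fwd, rev = self._tuples(pkt)
        return "ESTABLISHED" if rev in self.conntrack or self.conntrack.get(fwd) else "NEW"

    def _matches(self, rule, pkt, chain):
        return (rule["chain"] == chain
                and rule["proto"] in (None, pkt.proto)
                and rule["sport"] in (None, pkt.sport)
                and rule["dport"] in (None, pkt.dport)
                and (rule["state"] is None or self._state(pkt) in rule["state"]))

    def filter(self, chain, pkt):
        """Verdict for pkt on chain; only ACCEPTed packets are entered into conntrack."""
        verdict = next((r["target"] for r in self.rules if self._matches(r, pkt, chain)),
                       self.policy)
        if verdict == "ACCEPT":
            fwd, rev = self._tuples(pkt)
            if rev in self.conntrack:
                self.conntrack[rev] = True           # reply seen: both directions now
            else:
                self.conntrack.setdefault(fwd, False)
        return verdict


REAL_CLIENT = Packet(REMOTE, 51000, HOST, 22)  # a client connecting to our sshd
SPOOFED = Packet(REMOTE, 22, HOST, 6000)       # unsolicited, source port merely set to 22


def incoming_verdicts(option):
    """Listing 64 with '--sport' (as printed) or '--dport' (Conny's correction)."""
    fw = Firewall([f"-A INPUT -p tcp {option} ssh -j ACCEPT"])
    return fw.filter("INPUT", REAL_CLIENT), fw.filter("INPUT", SPOOFED)


def stateful_verdicts():
    """Miguel's approach: allow outgoing ssh, accept only replies to it on INPUT."""
    fw = Firewall(["-A OUTPUT -p tcp --dport ssh -j ACCEPT",
                   "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"])
    our_syn = Packet(HOST, 40000, REMOTE, 22)   # we open a session to REMOTE's sshd
    reply = Packet(REMOTE, 22, HOST, 40000)     # REMOTE's answer to that session
    return (fw.filter("OUTPUT", our_syn), fw.filter("INPUT", reply),
            fw.filter("INPUT", SPOOFED))
```

Calling incoming_verdicts("--sport") gives ("DROP", "ACCEPT"): a real client of our sshd is dropped, while an unsolicited packet that merely sets its source port to 22 is let through, which is why a source-port match is the wrong way to protect a service. incoming_verdicts("--dport") reverses both outcomes. stateful_verdicts() gives ("ACCEPT", "ACCEPT", "DROP"): the reply to a connection we opened ourselves gets in because conntrack has seen the outgoing side, and the same source-port-22 packet is dropped because no tracked connection matches it.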
Alexander Gretencord
2002-06-25 15:15:44 UTC
Post by Miguel S. Filipe
And by the way, anyone was able to get dcc send and receive working with
masquerading with iptables?
DCC Receive is no problem at all, because of the way DCC works (someone offers
you a DCC send and sends you his IP and a port which _you_ connect to). The
offer goes through normal irc traffic so it comes through, and the rest should
succeed unless your firewall blocks traffic to any ip on the port that the
dcc offer included.

If you want to send a dcc offer yourself this will of course not succeed, as
your firewall will not let traffic through to the port from your dcc offer, but
that's what the masquerading module is for (it's been in the official kernel
tree for some time now). All you have to do is insert that module before you
connect to the irc server (or compile it into your kernel).

Alex
--
"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety."
Benjamin Franklin