IPCHAINS

Sapphiron

I want to access a web server at my office from the internet.

I have a Linux firewall/gateway that is connected to a router that is connected to the modem.

I have to use ipchains to configure the firewall.

The web server uses port 8080.

What do I have to add to my firewall script to get this to work?


First off, ipchains is very outdated now; most people would advise you to use a netfilter/iptables based firewall. I think ipchains was aimed at the pre-2.4 kernels, though it may work with 2.4 also.

Found an old ipchains howto here: http://www.linuxplanet.com/linuxplanet/tutorials/2100/3/

 

I know it's old, but the current script file is 500 lines. I do not want to rewrite it in another program.


500 lines??? This must be a complex network...

 

I have never used ipchains, but can probably work it out for you from the howtos (the principle of firewalling is similar whatever you are using).

 

How is the network set up? e.g. presumably you are using a single public IP address and NAT; is the firewall on a different PC to the web server? What are the IP addresses? Is the router set up to forward port 8080 to the target machine?

 

If you already have any servers running, for example POP or SMTP, you can probably simply copy the relevant line and substitute the port numbers/IP addresses.

 

Also, where did your script come from - presumably you didn't write it yourself...

 

Actually, on second thoughts, perhaps it is not a good idea for you to edit this script without thoroughly learning ipchains - if this is your (important) office script, it's not a good idea to publish it here, and without it we won't know where to put the commands...

 

Chris

Edited by streeter

With all due respect to streeter, the iptables based firewall is now the standard across all Linux/Unix distros. At some point (the sooner the better) you will have to start using it.


I agree completely - my note about the 500 line script tells me the script is perhaps overly complex.

 

Why is ipchains still in use at this site? Perhaps an old kernel? Perhaps Sapphiron has no choice - company policy?

 

Bottom line is (IMHO) that Sapphiron needs to learn firewalling if he/she is/has been put in charge of maintaining it, and may find it better to start afresh, perhaps with iptables/shorewall?

 

After all, if you alter the firewall, you are responsible for security, therefore you should know what you are doing...

 

Chris


Streeter is right. I am new to this company. They used to outsource their IT networking. I'm just here to investigate some possibilities. The gateway machine is running Red Hat 7, so I think iptables could work. At the moment I need to get access to our web server (runs an internal web-based application) from the internet.

 

I understand the concepts of firewalls, but I have no experience with Linux firewalls. I think my problem is that the port forwarding I am using is not configured right, or the firewall might be blocking the incoming request on the port I want.

 

I'm attaching a file with a segment of the script (don't worry, it does not contain my public IP).

script_segment.rtf


As I said, I have never used ipchains, and it isn't worth learning it fully, but if I were doing this with iptables, I would get the router to forward requests on port 8080 to the web server and set the FW up to simply forward these requests as-is. It would look like this:

iptables -A FORWARD -p tcp --dport 8080 -d 192.168.1.1 -j ACCEPT

The IP address should be your web server.

 

Looks like forwarding in ipchains is identical to me:

ipchains -A forward -p tcp --dport 8080 -d 192.168.1.1 -j ACCEPT

I would probably stick it just above the "Deny SMTP forwarding" line.

 

Unlike iptables, I think ipchains runs packets through the input filter before forwarding packets, so you may need to allow this first, probably with:

ipchains -A input -p tcp --dport 8080 -d 192.168.1.1 -j ACCEPT

 

If you always connect to the server from the same IP address, you could increase security by adding -s xxx.xxx.xxx.xxx (your address) to both the above.

 

IP forwarding is already enabled in your script and the default policy is to deny, so you don't need to worry about that.

 

I am assuming you are actually requesting port 8080, i.e. http://xxx.xxx.xxx.xxx:8080

 

May work, assuming the router is forwarding properly, and has a gateway set up in its routing table to the webserver machine.

 

This simply allows any request to 8080 - no further checks.

This may not be the best way anyway - the script may set up other (user defined) chains where the rules ought to be, for instance.

 

Take back part of what I said about 500 lines - looks like most of it is comments... Is this a 'standard' Red Hat script? Perhaps there is a 'front end' to it.

 

A bit vague, I am afraid, but may give you something to be going on with :)

 

Chris
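Added example (not from the thread or from the poster's script): a small Python model of how ipchains walks a routed packet through its built-in chains. It exists to make the point above concrete: in ipchains a packet forwarded through the box is checked by the input chain, then forward, then output, so with a DENY policy on input the forward rule by itself never gets a chance to match. It also shows what adding -s (a trusted source address) to both rules does. The model ignores interfaces, masquerading and fragments; the addresses 203.0.113.7 and 198.51.100.9 are constructed (documentation ranges), and the output chain is assumed to default to ACCEPT because the poster's script is not shown.

```python
# Added example, not the thread's code: minimal model of ipchains chain traversal.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    """One `ipchains -A <chain> ...` rule; None means 'any' for that field."""
    proto: Optional[str] = None
    dport: Optional[int] = None
    dst: Optional[str] = None
    src: Optional[str] = None
    target: str = "ACCEPT"

    def matches(self, pkt: dict) -> bool:
        return (
            (self.proto is None or self.proto == pkt["proto"])
            and (self.dport is None or self.dport == pkt["dport"])
            and (self.dst is None or self.dst == pkt["dst"])
            and (self.src is None or self.src == pkt["src"])
        )


@dataclass
class Chain:
    policy: str = "DENY"
    rules: list = field(default_factory=list)

    def verdict(self, pkt: dict) -> str:
        # First matching rule wins; otherwise the chain's default policy applies.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


class IpchainsModel:
    # Assumption: input and forward default to DENY (as the thread states);
    # the poster's output chain is not shown, so it is modelled as ACCEPT.
    def __init__(self) -> None:
        self.chains = {
            "input": Chain("DENY"),
            "forward": Chain("DENY"),
            "output": Chain("ACCEPT"),
        }

    def append(self, chain: str, **fields) -> None:
        """Equivalent of `ipchains -A <chain> <match options> -j <target>`."""
        self.chains[chain].rules.append(Rule(**fields))

    def routed_packet_verdict(self, pkt: dict) -> str:
        # A packet routed through the box traverses input, then forward, then output.
        for name in ("input", "forward", "output"):
            verdict = self.chains[name].verdict(pkt)
            if verdict != "ACCEPT":
                return f"{verdict} in {name}"
        return "ACCEPT"


WEB_SERVER = "192.168.1.1"      # address used in the thread's rules
TRUSTED_CLIENT = "203.0.113.7"  # constructed remote address (TEST-NET-3)
OTHER_CLIENT = "198.51.100.9"   # constructed remote address (TEST-NET-2)


def tcp_to_web(src: str, dport: int = 8080) -> dict:
    """Constructed inbound TCP packet from `src` to the web server."""
    return {"proto": "tcp", "src": src, "dst": WEB_SERVER, "dport": dport}


def forward_rule_only() -> str:
    """Only `ipchains -A forward -p tcp --dport 8080 -d 192.168.1.1 -j ACCEPT`."""
    fw = IpchainsModel()
    fw.append("forward", proto="tcp", dport=8080, dst=WEB_SERVER)
    return fw.routed_packet_verdict(tcp_to_web(TRUSTED_CLIENT))


def input_and_forward_rules() -> str:
    """The same rule added to both the input and forward chains."""
    fw = IpchainsModel()
    fw.append("input", proto="tcp", dport=8080, dst=WEB_SERVER)
    fw.append("forward", proto="tcp", dport=8080, dst=WEB_SERVER)
    return fw.routed_packet_verdict(tcp_to_web(TRUSTED_CLIENT))


def source_restricted_rules(src: str, dport: int = 8080) -> str:
    """Both rules with `-s <trusted address>` appended, as suggested above."""
    fw = IpchainsModel()
    for chain in ("input", "forward"):
        fw.append(chain, proto="tcp", dport=8080, dst=WEB_SERVER, src=TRUSTED_CLIENT)
    return fw.routed_packet_verdict(tcp_to_web(src, dport))


if __name__ == "__main__":
    print("forward only           :", forward_rule_only())
    print("input + forward        :", input_and_forward_rules())
    print("-s restricted, trusted :", source_restricted_rules(TRUSTED_CLIENT))
    print("-s restricted, other   :", source_restricted_rules(OTHER_CLIENT))
    print("-s restricted, port 80 :", source_restricted_rules(TRUSTED_CLIENT, 80))
```

Running it shows the forward-only rule set being denied in the input chain, the input+forward pair being accepted, and the -s variant accepting only the trusted address on port 8080 while everything else falls through to the DENY policy.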


RTFM and I mean that in the best possible way....

As you say, you know IT, so the manuals should be OK... at least written in a language you understand.

 

Shorewall is nicely documented, and if anon recommends rc it must be cool too.

I'd suggest reading the docs to see what comes closest to what you want from the box, and we are of course here for further questions....

 

I'm sure either would do, or even just using Webmin and the firewall option... but iptables is one of those things where there is no substitute for the manual.... (believe me, I'm lazy and I tried) ... but you need to at least understand the basic directives to make sense of it all, and then it magically fits into place.

Edited by Gowator