[ILUG] IPCHAINS - Whats wrong ?
Declan Grady
Declan.Grady at nuvotem.com
Fri Sep 8 11:22:50 IST 2000
Hi,
Finally, my firewall will dial on demand from the w98 machines that have
its IP address as the "gateway", but won't do DNS lookups.
It rejects them with a line :
Packet Log: good-bad REJECT ppp0 PROTO=17 192.168.0.100:1173 194.125.2.241:53 L=79 S=0x00 I=534 F=0x0000 T=127 (#4)
From my basic understanding, this is rejecting the packet which is using the
ppp0 adapter,
source being my client machine 192.168.0.100,
destination being IOL's nameserver 194.125.2.241, on port 53
(.....the rest of the stuff I have no idea)
The relevant sections of my ipchains script are below.
I assume it is as simple as Accepting packets for a specific port number on
the 2 IOL DNS servers at 194.125.2.240 and 194.125.2.241 ?
Also... This begs the question ... should I run a caching nameserver on the
linux box as well, bearing in mind I only want it as a barrier between the
lan and the big bad world outside.
My IPCHAINS rules....
# LAN to outside world
ipchains -A forward -s 192.168.0.0/24 -i ppp0 -j good-bad -l
# ICMP Logic
ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
# Allow LAN to outside world for www, ftp, ping, domain
# and reject, and log all others
# 08-09-00 - Try domain from static 192.168.0.100 both tcp and udp ?
# (Extracted from IPCHAINS-HOWTO)
ipchains -A good-bad -p tcp ! -y -s 192.168.0.100 domain -j ACCEPT
ipchains -A good-bad -p udp -s 192.168.0.100 domain -j ACCEPT
ipchains -A good-bad -p tcp --dport www -j MASQ
ipchains -A good-bad -p tcp --dport ftp -j MASQ
ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
ipchains -A good-bad -j REJECT -l
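Decoding the rejected packet, as an added example that is not part of the original post: a small Python parser for the ipchains "Packet Log:" line (field meanings as documented in the IPCHAINS-HOWTO: L= total length, S= type of service, I= IP id, F= fragment offset, T= TTL, #n = number of the rule that matched) plus a minimal rule matcher. In ipchains a port written directly after -s is a *source* port, so the helper shows that "-p udp -s 192.168.0.100 domain" never matches an outgoing query (source port 1173, destination port 53) while "--dport domain" does. The log line is reconstructed from the post.

```python
import re

# Constructed from the log line quoted in the post, rejoined onto one line.
LOG_LINE = ("Packet Log: good-bad REJECT ppp0 PROTO=17 192.168.0.100:1173 "
            "194.125.2.241:53 L=79 S=0x00 I=534 F=0x0000 T=127 (#4)")

PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}

LOG_RE = re.compile(
    r"Packet Log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?")


def parse_log(line):
    """Split one ipchains packet-log line into named, typed fields."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipchains packet log line")
    d = m.groupdict()
    return {
        "chain": d["chain"], "target": d["target"], "iface": d["iface"],
        "proto": PROTOS.get(int(d["proto"]), d["proto"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]),        # L= total IP length in bytes
        "tos": int(d["tos"], 16),          # S= type of service byte
        "ipid": int(d["ipid"]),            # I= IP identification
        "frag_offset": int(d["frag"], 16), # F= fragment offset field
        "ttl": int(d["ttl"]),              # T= time to live
        "rule": int(d["rule"]) if d["rule"] else None,  # (#n) matching rule
    }


def rule_matches(pkt, proto=None, src=None, sport=None, dport=None):
    """Mimic the match part of one ipchains rule. A port after -s is a
    source-port match; --dport (or a port after -d) is a destination match."""
    if proto is not None and pkt["proto"] != proto:
        return False
    if src is not None and pkt["src"] != src:
        return False
    if sport is not None and pkt["sport"] != sport:
        return False
    if dport is not None and pkt["dport"] != dport:
        return False
    return True
```

Running parse_log on the posted line gives a UDP packet to port 53 that fell through to rule #4; rule_matches with sport=53 (the posted "-s 192.168.0.100 domain") returns False, and with dport=53 returns True.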