[ILUG] redhat 7.3 and network q's

From: kevin lyda (kevin at domain ie.suberic.net)
Date: Wed 19 Jun 2002 - 01:09:50 IST


first, the following is how i set up the network security on my 7.3 box.
not sure if this is the best way to do it - particularly in light of
the problems i describe later on. comments?

    ok, so i used redhat's lokkit to do the initial creation of my firewall
    rules and then tweaked it (mainly to add in the masqing rules).
    it's rather simple:

        # lokkit
        (do your firewall settings)
        # ipchains -P forward deny
        # ipchains -A forward -i eth0 -j ACCEPT
        # ipchains -A forward -i eth1 -j MASQ
        # ipchains -A forward -i cipcb0 -j ACCEPT
        # service ipchains save

    and you're all done for firewall settings. the results are saved in
    /etc/sysconfig/ipchains and are brought up and down with the ipchains
    service (see chkconfig or serviceconf).

    the nice part about this is that it reuses pretty much all of the
    setup i had on my old 2.2 box.

problems:

    the downsides are the following two issues: the two lines i need to
    get dns to work, and getting masquerading to work with irc.

    i run a dns server on this box. w/o these two lines in
    /etc/sysconfig/ipchains, the dns server fails to work:

        -A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT -y
        -A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -p 17 -j ACCEPT

    don't really like those lines since it seems to kind of kill the rest
    of the rules. is there a way to make them narrower? ah, wait...
    i appended -l to the second rule and discovered responses were always
    going back to port 1025. so now i have these. again, comments?

        -A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 1025 -p 6 -j ACCEPT -y
        -A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 1025 -p 17 -j ACCEPT

    second problem is that this all uses ipchains. it doesn't seem
    like the irc tracking s/w works with this (it's needed for dcc).
    iptables works with the ip_conntrack + ip_conntrack_irc modules.
    is there an alternative to lokkit - or an easy way to convert
    ipchains style rules to iptables style rules? or does linux 2.4 +
    ipchains have an equiv irc module that works (ip_nat_irc won't load)?

kevin

-- 
kevin at domain suberic.net     that a believer is happier than a skeptic is no more to
fork()'ed on 37058400   the point than the fact that a drunken man is happier
meatspace place: inle      than a sober one. the happiness of credulity is a
http://suberic.net/~kevin    cheap & dangerous quality -- g.b. shaw

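An added example, not part of the post above: a small Python checker that parses lines in the /etc/sysconfig/ipchains save format quoted in the message and flags input ACCEPT rules keyed only on the remote source port (53 here) with no local destination port. Such a rule matches any connection whose sender simply chooses source port 53, which is why the author's first pair of DNS rules "kills the rest of the rules"; the second pair, pinned to local port 1025, is not flagged. The sample rule set is constructed for the example.

```python
import re
import shlex

# Constructed sample in ipchains save format, modelled on the rules quoted
# in the post (not taken from any real host).
SAMPLE_RULES = """\
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 1025 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 1025 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22 -p 6 -j ACCEPT -y
"""

def parse_rule(line):
    """Parse one ipchains save-format line into the fields the audit needs."""
    toks = shlex.split(line)
    rule = {"chain": None, "src": None, "sport": None, "dst": None,
            "dport": None, "proto": None, "target": None, "syn_only": False}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]; i += 2
        elif t in ("-s", "-d"):
            rule["src" if t == "-s" else "dst"] = toks[i + 1]; i += 2
            # ipchains lets an optional port or port:port range follow the address.
            if i < len(toks) and re.fullmatch(r"\d+(:\d+)?", toks[i]):
                rule["sport" if t == "-s" else "dport"] = toks[i]; i += 1
        elif t == "-p":
            rule["proto"] = toks[i + 1]; i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]; i += 2
        elif t == "-y":
            rule["syn_only"] = True; i += 1      # TCP SYN-only match
        else:
            i += 1
    return rule

def is_source_port_only_accept(rule):
    """True when an input ACCEPT depends on the remote source port but allows any local port."""
    return (rule["chain"] == "input" and rule["target"] == "ACCEPT"
            and rule["sport"] is not None and rule["dport"] is None)

def audit(text):
    """Return (line, reason) pairs for rules that are too broad; empty list if none."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            rule = parse_rule(line)
            if is_source_port_only_accept(rule):
                findings.append((line, "accepts from source port %s to any local port" % rule["sport"]))
    return findings
```

Running `audit(SAMPLE_RULES)` reports only the first two rules; with stateful iptables (ip_conntrack, as mentioned in the post) a reply-matching rule of this kind is not needed at all, since replies to the server's own queries match an ESTABLISHED rule instead.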

This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:17:20 GMT