ipchains

[active]

Hi everybody.
Below is my ipchains rules which i use for my gateway machine
My set follows as given below

Eth1 = External ip (ex:88.88.88.8 Internet interface
Eth0 = Internal Ip (192.168.5.1) Lan interface
The internal subnet is 192.168.5.0/24

Here is my updated rules.As you can see i have placed the smtp related rules above

# allow traffic originating internally
ipchains -A output -j ACCEPT -s 88.88.88.88/32 -d 0/0 -p tcp -i eth1

ipchain rule for blocking smtp works fine and successfully block all outgoing smtp port25.
Purpose half served, but not able to unblock from these two ip's which is essentially to send out mails

To your info i am not fully proficient with ipchains and do the needfull by being specific

Please pin point at what i am going wrong to ublock smtp port for those two ips
Thanking you all in advance

tnx


#!/bin/sh

# Flush Rules
ipchains -F forward
ipchains -F output
ipchains -F input

# Set default to deny all
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY

#ICMP REDIRECT PROTECTION
#possible alteration of routing tables if left open
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
/bin/echo "0" > ${interface}
done

#IP_SPOOFING PROTECTION
#assymettirc routed packets will fail
#who cares anyways
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done

# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# FTP masq
#/sbin/modprobe ip_masq_ftp


# Add Rules
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT

# prevent spoofed packets from outside
ipchains -A input -s 192.168.5.0/24 -i eth1 -j DENY -l
ipchains -A input -s 127.0.0.0/8 -i ! lo -j DENY -l

# DENY DNS from outside
ipchains -A input -j DENY -l -s 0/0 -d 88.88.88.88 53:53 -p udp -i eth1

#SMTP Blocked except a few IP's
ipchains -A output -j ACCEPT -p tcp --dport 25 -d 192.168.5.51
ipchains -A output -j ACCEPT -p tcp --dport 25 -d 192.168.5.52
ipchains -A output -j DENY -p tcp --dport 25
# first add list of blocked addresses from file
for bad_addr in `cat /root/firewall/blacklist | awk '{ print $2 }'`; do
ipchains -A input -j DENY -l -s $bad_addr -d 88.88.88.88/32 -p all -i eth1
ipchains -A input -j DENY -l -s 192.168.5.0/24 -d $bad_addr -p all -i eth0
done

# Ping
# we need to ping outside
ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 -p icmp --icmp-type echo-reply -i eth1
ipchains -A output -j ACCEPT -d 0/0 -p icmp --icmp-type echo-request -i eth1

# but outside cannot ping us )
ipchains -A input -j DENY -s 0/0 -d 88.88.88.88/32 -p icmp --icmp-type echo-request -i eth1
ipchains -A output -j DENY -d 0/0 -p icmp --icmp-type echo-reply -i eth1

# allow ping from internal network
ipchains -A output -j ACCEPT -s 0/0 -d 192.168.5.0/24 -p icmp -i eth0
ipchains -A input -j ACCEPT -s 192.168.5.0/24 -d 0/0 -p icmp -i eth0

# VOIP
# Allow udp to ciscoata UDP ports 69, 5060,5061,5062 10000-10800
# dont know the server from which traffic originates.
# That stupid idiot at the VOIP provider doesn't know himself. @&&#o1e
ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 -p udp -i eth0

#ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 69:69 -p udp -i eth0
#ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 5060:5062 -p udp -i eth0
#ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 10000:11500 -p udp -i eth0
ipchains -A output -j ACCEPT -p udp -i eth0

ipchains -A input -j ACCEPT -s 0/0 -p udp -i eth1
#ipchains -A input -j ACCEPT -s 0/0 69:69 -p udp -i eth1
#ipchains -A input -j ACCEPT -s 0/0 5060:5062 -p udp -i eth1
#ipchains -A input -j ACCEPT -s 0/0 10000:11500 -p udp -i eth1
ipchains -A output -j ACCEPT -p udp -i eth1

# Accept all but port 21 to 23 to and from internal net
# matrix genesis and neo allows all
# Im the ******* sysadmin.
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.3 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.50 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.51 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.150 -d 0/0 21:23 -i eth0
#ipchains -A input -j ACCEPT -p tcp -s 192.168.5.10 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.15 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.9 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.25 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -s 192.168.5.0/24 -d 0/0 -i eth0
ipchains -A output -j ACCEPT -s 0/0 -d 192.168.5.0/24 -i eth0


# allow traffic originating internally
ipchains -A output -j ACCEPT -s 88.88.88.88/32 -d 0/0 -p tcp -i eth1
ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 -p tcp ! -y -i eth1
# DNS
ipchains -A output -j ACCEPT -s 88.88.88.88/32 -d 0/0 53:53 -p udp -i eth1
ipchains -A input -j ACCEPT -s 0/0 53:53 -d 88.88.88.88/32 -p udp -i eth1

# Forward /Masq internal network
for host_addr in `cat /root/firewall/hostlist`; do
ipchains -A forward -j MASQ -s $host_addr -d 0.0.0.0/0
done

ipchains -A forward -s 192.168.5.0/24 -d 0.0.0.0/0 -j MASQ

ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 80:80 -p tcp -i eth1
ipchains -A output -j ACCEPT -s 88.88.88.88/32 80:80 -d 0/0 -p tcp ! -y -i eth1

ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 110:110 -p tcp -i eth1
ipchains -A output -j ACCEPT -s 88.88.88.88/32 110:110 -d 0/0 -p tcp ! -y -i eth1

[Lazydog]

Question, why are you using ipchains and not iptables?
Ipchains is old school.