  1. #1
     Just Joined! | Join Date: Jan 2009 | Location: Brandon, Manitoba, Canada | Posts: 1

     ipchains on Slack 7

    We have a firewall running on Slack 7. This was set up by an admin over 7 years ago and until now, no change has been needed. But, now, we need to provide Remote Desktop Access to a computer on the internal network. The IP is 66.225.136.27 and is in a range that the firewall protects.

    I have tried several solutions on the internet and they do not work. The firewall is using ipchains.

    Here is the output of "cat ipchains.rules":

    :input ACCEPT
    :forward DENY
    :output ACCEPT
    -A input -s 206.45.100.0/255.255.255.0 -d ! 206.45.100.0/255.255.255.0 137:139 -i eth1 -p 17 -j DENY
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 137:139 -i eth0 -p 17 -j DENY
    -A input -s 66.225.136.200/255.255.255.255 -d 0.0.0.0/0.0.0.0 514:514 -p 17 -j ACCEPT
    -A input -s 139.142.222.217/255.255.255.255 -d 0.0.0.0/0.0.0.0 514:514 -i eth0 -p 17 -j ACCEPT
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 514:514 -p 17 -j DENY
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 515:515 -i eth0 -p 6 -j REJECT
    -A input -s 206.45.100.5/255.255.255.255 -d ! 206.45.100.0/255.255.255.0 -i eth1 -j DENY -l
    -A input -s 206.45.100.1/255.255.255.255 -d ! 206.45.100.0/255.255.255.0 -j DENY -l
    -A input -s 206.45.100.2/255.255.255.255 -d ! 206.45.100.0/255.255.255.0 -j DENY -l
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 3306:3306 -i eth0 -p 6 -j DENY
    -A forward -s 206.45.100.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ -m 10001
    -A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 137:139 -i eth0 -p 6 -j DENY

    Can anybody help? The port for RDP is 3389, by the way. Slack 7 is on kernel 2.2.19.

  2. #2
     Freston, Linux Engineer | Join Date: Mar 2007 | Location: The Netherlands | Posts: 1,049
    Welcome to the forums!

    Aw, with the old admin dead and buried, nobody has seen a chance to update the firewall for seven years?

    If I were you I would have someone look at it in greater detail than I can ATM, because the virtual landscape has changed over the years and attackers have become more clever (or their tools more advanced in any case).

    But as to your question, I don't see why a simple
    -A forward -i {wan_interface} -s {source_address} -p {protocol} --destination-port {portnumber} -d {destination_address} -j ACCEPT
    wouldn't do the trick?
    Maybe you can log your rule so you know what happens behind the scenes?

    IPCHAINS-HOWTO
    ipchains
    Can't tell an OS by its GUI
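Added example, not code from the thread or from either poster: a small Python evaluator for ipchains-style rule lines that walks one chain first-match and reports which rule (or the chain's default policy) decides a packet. It embeds a constructed excerpt of the rule set posted in the question plus a hypothetical forward rule of the kind the reply suggests, so you can check offline that tcp/3389 to 66.225.136.27 currently falls through to the forward chain's DENY policy and what a new rule would change. It assumes numeric protocols and the address-then-port form used in the posted file; the 203.0.113.x test addresses are constructed.

```python
import ipaddress
# Constructed excerpt of the ipchains rule set posted in the question (same syntax).
RULES = """\
:input ACCEPT
:forward DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 137:139 -i eth0 -p 17 -j DENY
-A input -s 206.45.100.5/255.255.255.255 -d ! 206.45.100.0/255.255.255.0 -i eth1 -j DENY -l
-A forward -s 206.45.100.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ -m 10001
"""
# Hypothetical forward rule in the shape the reply suggests: address, then port, then ACCEPT.
RDP_RULE = "-A forward -s 0.0.0.0/0.0.0.0 -d 66.225.136.27/255.255.255.255 3389:3389 -p 6 -j ACCEPT\n"
def _addr_spec(tok, i):
    """Parse '[!] addr/mask [port[:port]]' at tok[i] -> ((negated, net, ports), next_i)."""
    neg = tok[i] == "!"
    if neg: i += 1
    net = ipaddress.ip_network(tok[i], strict=False)         # dotted-mask form is accepted
    ports, i = None, i + 1
    if i < len(tok) and not tok[i].startswith("-"):          # a port or lo:hi range follows
        lo, _, hi = tok[i].partition(":")
        ports, i = (int(lo), int(hi or lo)), i + 1
    return (neg, net, ports), i
def parse_rules(text):   # -> (default policy per chain, rules per chain in file order)
    policies, chains = {}, {}
    for tok in (line.split() for line in text.splitlines()):
        if tok and tok[0].startswith(":"):                   # ':chain POLICY'
            policies[tok[0][1:]] = tok[1]
            continue
        rule, chain, i = {"src": None, "dst": None, "iface": None, "proto": None, "target": None}, None, 0
        while i < len(tok):
            t = tok[i]
            if t == "-A": chain, i = tok[i + 1], i + 2
            elif t == "-s": rule["src"], i = _addr_spec(tok, i + 1)
            elif t == "-d": rule["dst"], i = _addr_spec(tok, i + 1)
            elif t == "-i": rule["iface"], i = tok[i + 1], i + 2
            elif t == "-p": rule["proto"], i = int(tok[i + 1]), i + 2   # numeric, as in the posted file
            elif t == "-j": rule["target"], i = tok[i + 1], i + 2
            else: i += 2 if t == "-m" else 1                 # -m takes a value, -l does not
        if chain: chains.setdefault(chain, []).append(rule)
    return policies, chains
def _matches(spec, addr, port):
    if spec is None: return True
    neg, net, ports = spec
    in_net = (ipaddress.ip_address(addr) in net) != neg      # '!' inverts the address only
    return in_net and (ports is None or port is None or ports[0] <= port <= ports[1])
def evaluate(policies, chains, chain, src, dst, proto, dport, iface, sport=None):
    for idx, r in enumerate(chains.get(chain, [])):         # first match wins, else policy
        if r["proto"] not in (None, proto) or r["iface"] not in (None, iface): continue
        if _matches(r["src"], src, sport) and _matches(r["dst"], dst, dport): return r["target"], idx
    return policies[chain], None
```

Running evaluate(*parse_rules(RULES), "forward", "203.0.113.5", "66.225.136.27", 6, 3389, "eth0") returns ("DENY", None); with RULES + RDP_RULE it returns ("ACCEPT", 1).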
