Our Naïve Example Revisited

Let's again suppose that we have a network in our organization and that we are using a Linux-based firewall machine to allow our users access to WWW servers on the Internet, but to allow no other traffic to be passed. If our network has a 24-bit network mask (class C) and has an address of 172.16.1.0, we'd use the following ipchains rules:

# ipchains -F forward
# ipchains -P forward DENY
# ipchains -A forward -s 0/0 80 -d 172.16.1.0/24 -p tcp -y -j DENY
# ipchains -A forward -s 172.16.1.0/24 -d 0/0 80 -p tcp -b -j ACCEPT

The first of the commands flushes all of the rules from the forward ruleset, and the second sets the default policy of the forward ruleset to DENY. Finally, the third and fourth commands do the specific filtering we want. The fourth command allows datagrams to and from web servers on the outside of our network to pass, and the third prevents incoming TCP connections with a source port of 80.

If we now wanted to add rules that allowed passive mode only access to FTP servers in the outside network, we'd add these rules:

# ipchains -A forward -s 0/0 20 -d 172.16.1.0/24 -p tcp -y -j DENY
# ipchains -A forward -s 172.16.1.0/24 -d 0/0 20 -p tcp -b -j ACCEPT
# ipchains -A forward -s 0/0 21 -d 172.16.1.0/24 -p tcp -y -j DENY
# ipchains -A forward -s 172.16.1.0/24 -d 0/0 21 -p tcp -b -j ACCEPT

Listing Our Rules with ipchains

To list our rules with ipchains, we use its -L argument. Just as with ipfwadm, there are arguments that control the amount of detail in the output. In its simplest form, ipchains produces output that looks like:

# ipchains -L -n
Chain input (policy ACCEPT):

Chain forward (policy DENY):
target     prot opt     source                destination           ports
DENY       tcp  -y----  0.0.0.0/0            172.16.1.0/24         80 ->   *
ACCEPT     tcp  ------  172.16.1.0/24        0.0.0.0/0             * ->   80
ACCEPT     tcp  ------  0.0.0.0/0            172.16.1.0/24         80 ->   *
ACCEPT     tcp  ------  172.16.1.0/24        0.0.0.0/0             * ->   20
ACCEPT     tcp  ------  0.0.0.0/0            172.16.1.0/24         20 ->   *
ACCEPT     tcp  ------  172.16.1.0/24        0.0.0.0/0             * ->   21
ACCEPT     tcp  ------  0.0.0.0/0            172.16.1.0/24         21 ->   *

Chain output (policy ACCEPT):

If you don't supply the name of a chain to list, ipchains will list all rules in all chains. The -n argument in our example tells ipchains not to attempt to convert any address or ports into names. The information presented should be self-explanatory.

A verbose form, invoked by the -u option, provides much more detail. Its output adds fields for the datagram and byte counters, Type of Service AND and XOR flags, the interface name, the mark, and the outsize. All rules created with ipchains have datagram and byte counters associated with them. This is how IP Accounting is implemented and will be discussed in detail in Chapter 10. By default these counters are presented in a rounded form using the suffixes K and M to represent units of one thousand and one million, respectively. If the -x argument is supplied, the counters are expanded to their full unrounded form.
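The point of the rule order above is easy to miss: the -b flag installs the ACCEPT rule in both directions, so on its own it would also pass a connection that an outside host opens into our network using 80 (or 20, 21) as its source port. The preceding -y DENY rule closes that hole because -y matches only the SYN segment that opens a TCP connection, while replies from a real web server are not SYN-only segments and fall through to the ACCEPT. The following Python model (an added example, not code from the Network Administrator's Guide) mirrors the ipchains commands in the text with first-match evaluation, the chain policy, -y and -b, and runs some constructed sample datagrams through it with and without the -y DENY rules. The host 198.51.100.7 is a documentation address standing in for an Internet server; the Packet, Rule and Chain names are this example's own.

```python
"""Toy model of the ipchains forward chain built by the commands above.
Added example, not code from the Network Administrator's Guide. It models
only what those rules need: first-match evaluation, the chain policy, the
-y flag (match only the SYN segment that opens a TCP connection) and the
-b flag (install the rule in both directions)."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ANY = "0.0.0.0/0"   # what ipchains writes as 0/0


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # True only for the connection-opening SYN segment


@dataclass(frozen=True)
class Rule:
    target: str               # ACCEPT or DENY
    src_net: str              # -s network
    sport: Optional[int]      # -s port, None = any
    dst_net: str              # -d network
    dport: Optional[int]      # -d port, None = any
    proto: str = "tcp"        # -p
    syn_only: bool = False    # -y

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and (not self.syn_only or p.syn)
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

    def reversed(self) -> "Rule":
        """The mirror rule that -b adds: source and destination swapped."""
        return Rule(self.target, self.dst_net, self.dport, self.src_net,
                    self.sport, self.proto, self.syn_only)


class Chain:
    def __init__(self, policy: str) -> None:
        self.policy = policy          # ipchains -P
        self.rules: List[Rule] = []

    def append(self, rule: Rule, bidirectional: bool = False) -> None:
        """ipchains -A; bidirectional=True stands for the -b flag."""
        self.rules.append(rule)
        if bidirectional:
            self.rules.append(rule.reversed())

    def verdict(self, p: Packet) -> str:
        for rule in self.rules:       # first matching rule decides
            if rule.matches(p):
                return rule.target
        return self.policy            # nothing matched: chain policy


def build_forward_chain(lan: str = "172.16.1.0/24", syn_guard: bool = True) -> Chain:
    """Mirror the commands from the text; syn_guard=False omits the -y DENY
    rules so their effect can be seen."""
    chain = Chain("DENY")                                   # -P forward DENY
    for port in (80, 20, 21):                               # web, then passive FTP
        if syn_guard:
            # -A forward -s 0/0 <port> -d LAN -p tcp -y -j DENY
            chain.append(Rule("DENY", ANY, port, lan, None, syn_only=True))
        # -A forward -s LAN -d 0/0 <port> -p tcp -b -j ACCEPT
        chain.append(Rule("ACCEPT", lan, None, ANY, port), bidirectional=True)
    return chain


def classify_samples(syn_guard: bool = True) -> Dict[str, str]:
    """Run constructed sample datagrams through the chain (198.51.100.7 is a
    documentation address standing in for an Internet host)."""
    chain = build_forward_chain(syn_guard=syn_guard)
    samples = {
        "lan opens web connection":    Packet("172.16.1.10", 40000, "198.51.100.7", 80, syn=True),
        "web server replies":          Packet("198.51.100.7", 80, "172.16.1.10", 40000),
        "outside opens from sport 80": Packet("198.51.100.7", 80, "172.16.1.10", 22, syn=True),
        "lan opens ftp control":       Packet("172.16.1.10", 40001, "198.51.100.7", 21, syn=True),
        "lan opens ssh":               Packet("172.16.1.10", 40002, "198.51.100.7", 22, syn=True),
    }
    return {name: chain.verdict(p) for name, p in samples.items()}


if __name__ == "__main__":
    for guard in (True, False):
        print("with -y DENY rules" if guard else "without -y DENY rules")
        for name, verdict in classify_samples(guard).items():
            print(f"  {name:30} {verdict}")
```

With the -y DENY rules in place the outside host's attempt to open a connection from source port 80 is denied; drop them and the same datagram is accepted by the mirror half of the -b rule, which is exactly the case the third command in the text exists to cover.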

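Because ipchains -L -n reports what the kernel actually holds, it is the right thing to audit, rather than the script that was supposed to load the rules. The following parser (an added example, not code from the Guide) reads the listing format shown above into structured records and then checks one property of the forward chain: every ACCEPT that lets datagrams into the LAN on the strength of a remote source port must be preceded by a -y DENY for that port. Run over the listing printed in the text, it reports ports 20 and 21, because that listing shows the DENY line for port 80 only, even though the commands earlier in the text add DENY rules for 20 and 21 as well. The SAMPLE_LISTING constant is copied from the text; the function and class names are this example's own.

```python
"""Parser and audit for 'ipchains -L -n' output. Added example, not code from
the Network Administrator's Guide; the listing below is copied from the text
and the audit checks that every inbound ACCEPT keyed on a remote source port
is preceded by a -y DENY for that port."""

import re
from typing import Dict, List, NamedTuple, Set

SAMPLE_LISTING = """\
Chain input (policy ACCEPT):

Chain forward (policy DENY):
target     prot opt     source                destination           ports
DENY       tcp  -y----  0.0.0.0/0            172.16.1.0/24         80 ->   *
ACCEPT     tcp  ------  172.16.1.0/24        0.0.0.0/0             * ->   80
ACCEPT     tcp  ------  0.0.0.0/0            172.16.1.0/24         80 ->   *
ACCEPT     tcp  ------  172.16.1.0/24        0.0.0.0/0             * ->   20
ACCEPT     tcp  ------  0.0.0.0/0            172.16.1.0/24         20 ->   *
ACCEPT     tcp  ------  172.16.1.0/24        0.0.0.0/0             * ->   21
ACCEPT     tcp  ------  0.0.0.0/0            172.16.1.0/24         21 ->   *

Chain output (policy ACCEPT):
"""


class ListedRule(NamedTuple):
    target: str
    proto: str
    opt: str          # flag column, e.g. "-y----"
    source: str
    destination: str
    sport: str        # "*" = any
    dport: str


class ListedChain(NamedTuple):
    policy: str
    rules: List[ListedRule]


CHAIN_HEADER = re.compile(r"^Chain (\S+) \(policy (\S+)\):$")


def parse_listing(text: str) -> Dict[str, ListedChain]:
    """Turn the -L -n text into {chain name: ListedChain}."""
    chains: Dict[str, ListedChain] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = CHAIN_HEADER.match(line)
        if header:
            current = header.group(1)
            chains[current] = ListedChain(header.group(2), [])
            continue
        if line.startswith("target"):          # column headings
            continue
        fields = line.split()
        if current is None or len(fields) != 8 or fields[6] != "->":
            raise ValueError(f"unexpected listing line: {line!r}")
        target, proto, opt, src, dst, sport, _, dport = fields
        chains[current].rules.append(ListedRule(target, proto, opt, src, dst, sport, dport))
    return chains


def rule_counts(chains: Dict[str, ListedChain]) -> Dict[str, int]:
    """Number of rules per chain."""
    return {name: len(chain.rules) for name, chain in chains.items()}


def unguarded_inbound_accepts(chains: Dict[str, ListedChain],
                              lan: str = "172.16.1.0/24") -> Set[str]:
    """Source ports for which the forward chain ACCEPTs datagrams into the LAN
    without an earlier -y DENY for that port. Only DENY rules that appear
    before the ACCEPT count, because ipchains stops at the first match."""
    guarded: Set[str] = set()
    unguarded: Set[str] = set()
    for r in chains["forward"].rules:
        inbound = r.destination == lan and r.sport != "*"
        if not inbound:
            continue
        if r.target == "DENY" and "y" in r.opt:
            guarded.add(r.sport)
        elif r.target == "ACCEPT" and r.sport not in guarded:
            unguarded.add(r.sport)
    return unguarded


if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    print(rule_counts(chains))
    print("inbound ACCEPTs with no -y DENY ahead of them:",
          sorted(unguarded_inbound_accepts(chains)))
```

The same parser works on a live machine by feeding it the output of ipchains -L -n; the audit only looks at the forward chain, which is where this chapter's rules live.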