Koozali.org: home of the SME Server

Making ipchains rules permanent

Jean-Guy

Making ipchains rules permanent
« on: May 28, 2001, 04:54:34 AM »
Hi, I have a little script that I wrote to stop people from using all but certain ports to connect to the internet (like 80, 21 etc.). This is to protect my internal network from unknown software making connections to the outside world on ports, and to stop software like Napster from connecting. The question is, how do I make these rules stick? I notice the e-smith server seems to reset itself to defaults every so often. Where would I put this ipchains file?

Btw, I am modifying the forward rules:

ipchains -F forward
ipchains -A forward .... do all rules here

Jean-Guy

Kirrily Robert

Re: Making ipchains rules permanent
« Reply #1 on: May 28, 2001, 11:34:10 PM »
Jean-Guy wrote:
>
> Hi, I have a little script that I wrote to stop people from
> using all but certain ports to connect to the internet (like
> 80, 21 etc) this is to protect my internal network from
> unknown software making connections to outside world on ports
> and to stop software like Napster from connecting. the
> question is how do I make these rules stick? I notice the
> e-smith server seems to reset itself to defaults every so
> often where would I put this ipchains file?

e-smith rebuilds its configuration files from templates every now and then. You need to create a custom template and put it in /etc/e-smith/templates-custom/ ... More info is available at http://www.e-smith.org/

K.

Dave D

Re: Making ipchains rules permanent
« Reply #2 on: May 29, 2001, 11:53:11 AM »
Greetings,
I have the exact same problem. I notice from the General forum that others do also.
Is it possible that you could be a bit more specific, Kirrily, please? It would really help us out. Or Jean-Guy, if you understand how to do it / manage to do it through the template system suggested by Kirrily, could you please post the method?

Very grateful if you could.
Thanks.

James

Re: Making ipchains rules permanent
« Reply #3 on: May 29, 2001, 02:04:02 PM »
Yes, I am desperate for this too. It's been explained to me how to write ipchains rules to block access from the LAN to destination port 80 on the internet. It works. But please, I have to know how to make the ipchains changes permanent. It really is important, as if I can't do it then I can't deploy e-smith and will have to stick with NT. If anyone knows, please post. Which file does e-smith set up its ipchains statements from, as surely my extra statements could just be added?

TIA

Peter Hollandare

Re: Making ipchains rules permanent
« Reply #4 on: May 30, 2001, 05:04:22 AM »
I think it's the "cron.daily" event, located in /etc/cron.daily, that removes your
rules. This event runs once per day.

I solved it temporarily by making a file in that dir called "fire.rc", where I have all my denied addresses. After you have made this file, make sure it's chmod 777, so that the system can execute it.

Sample of how to completely deny an address (in this case the spam network doubleclick.net). Note! By entering a # nothing will be read from that line.

#  ad.doubleclick.net - deny entire ip mask
/sbin/ipchains -I input -s 209.67.38.0/24 -j DENY -l

Jean-Guy

Re: Making ipchains rules permanent
« Reply #5 on: May 30, 2001, 07:22:47 AM »
I figured it out. HERE is the STEP by STEP guide, just cut & paste to block port 80.

-------------
How to deny outbound access by editing the default IPChains rules for e-smith.
All lines beginning with ">" are command lines; copy and paste these.
This example will block any machines on your LAN from viewing web pages through port 80;
this should force Squid to be used. Also, this has no effect on hosting a web page from
your e-smith box.


Create the new template directories
>mkdir -p /etc/e-smith/templates-custom/etc
>mkdir -p /etc/e-smith/templates-custom/etc/rc.d
>mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d

Copy the existing templates to the custom area
>cp -rp /etc/e-smith/templates/etc/rc.d/init.d/masq /etc/e-smith/templates-custom/etc/rc.d/init.d/


Now, to make any changes you can do the steps below.

Change to the custom directory
>cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

  !!! EDIT YOUR FILE HERE !!! (We will use 36masqLAN)

>pico 36masqLAN
Add this line
>ipchains -A forward -s 192.168.1.0/24 -p tcp -d 0.0.0.0/0 80 -j DENY
BE SURE TO CHANGE the SOURCE IP ADDRESS RANGE if this doesn't match your config!!!!!
SAVE the file CTRL-X


Expand the templates
>/sbin/e-smith/expand-template /etc/rc.d/init.d/masq

Tell e-smith to update the live config.
>/sbin/e-smith/signal-event remoteaccess-update


  {{{{ View your new changes }}}}
>ipchains -L forward

If you need to make any future changes, go back to the "Change to the custom
directory" part and do the steps from there.

Jean-Guy

Simeon

Re: Making ipchains rules permanent : EXCELLENT
« Reply #6 on: May 30, 2001, 10:10:18 PM »
Excellent!
Thanks Jean-Guy.
Works brilliantly.
I'm also blocking 81 and 8080, although I've done it using the input chain, not the forward.
Thanks again!

Dave D

Well Done! and a Question!
« Reply #7 on: May 30, 2001, 11:30:54 PM »
Well done Jean-Guy.
You've made my day!

I wonder is it possible to modify the ipchains statement so that only a range of source IP addresses are denied?

I'm thinking that I'd like packets to port 80 from 192.168.0.65 to 192.168.0.250 to be denied, not the whole network 192.168.0.1 to 192.168.0.255.

Is it possible?

Thanks again.
Dave.

Jean-Guy

Re: Well Done! and a Question!
« Reply #8 on: May 31, 2001, 08:16:57 AM »
Yes, it's possible, because the source address is 192.168.1.0/24. This means match the first 24 bits of the IP address. Each IP address is 4 8-bit numbers, so 24 is the first 3 0-255's (24/8 = 3). So 192.168.1.0/24 means all IPs with 192.168.1, and I don't care about the last number. So to answer your question, your rule would be
192.168.1.0/26 (take the 2 extra bits from the last number). This will leave the last 6 bits ignored (or able to pass through the firewall). Actually, this IP range will allow 192.168.1.0 -> 192.168.1.63 (6 bits can make a number from 0 - 63).

For more info on this, do a search for an ipchains FAQ. This IP address masking system is explained there in more detail.

Jean-Guy
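The mask arithmetic in Jean-Guy's reply above, combined with the rule format from his step-by-step guide, as an added example that is not part of the original thread and is not e-smith/SME Server code. A single mask such as /26 only covers a block that starts on a power-of-two boundary, so Dave's .65-.250 range needs several blocks; this script computes them with Python's standard ipaddress module and emits forward-chain DENY rules in the same shape as the 36masqLAN line. The 192.168.0.0/24 network and the .65-.250 range come from Dave's question; the port list is an assumption. It only generates rule text and does not touch the kernel.

```python
"""Work out the CIDR blocks an ipchains rule needs in order to cover an
address range, and emit forward-chain DENY rules for them.

Added example for this thread; not code from e-smith/SME Server or from
any of the posters.  The /24 and the .65-.250 range come from Dave's
question; the destination ports are an assumption.  Only rule text is
produced; nothing is loaded into the kernel.
"""
import ipaddress


def cidr_range(cidr):
    """First and last address matched by a CIDR mask.

    ipchains compares only the bits covered by the mask, so
    192.168.1.0/26 matches 192.168.1.0 through 192.168.1.63 (the last
    6 bits are ignored), as Jean-Guy's reply describes.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def blocks_for_range(first, last):
    """Shortest list of CIDR blocks that covers exactly first..last.

    A range fits one mask only when it starts on a power-of-two boundary
    and has a power-of-two length; 192.168.0.65-192.168.0.250 does
    neither, so it breaks into several blocks of different sizes.
    """
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def deny_rules(first, last, ports, chain="forward"):
    """ipchains lines denying TCP from first..last to each destination port.

    Same shape as the line added to the 36masqLAN template fragment:
      ipchains -A forward -s NET -p tcp -d 0.0.0.0/0 PORT -j DENY
    One rule per (block, port) pair.
    """
    lines = []
    for block in blocks_for_range(first, last):
        for port in ports:
            lines.append(
                f"ipchains -A {chain} -s {block} -p tcp -d 0.0.0.0/0 {port} -j DENY"
            )
    return lines


def is_denied(first, last, addr):
    """True if addr falls inside one of the generated blocks, i.e. the
    rules would match it.  Useful for checking the boundaries: .64 and
    .251 stay allowed, .65 and .250 are denied."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(b) for b in blocks_for_range(first, last))


if __name__ == "__main__":
    # Constructed input: Dave's range plus an assumed port list (80, and the
    # 81 and 8080 that Simeon mentioned blocking).
    for line in deny_rules("192.168.0.65", "192.168.0.250", [80, 81, 8080]):
        print(line)
```

The printed lines can be pasted into the custom 36masqLAN fragment from the guide above; after expanding the template and signalling the event, `ipchains -L forward -n` should list one rule per block and port.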

Jeff

Re: HELP WITH BLOCKING IPS
« Reply #9 on: August 01, 2001, 09:29:02 AM »
I followed most of this, except I made a 50DenyUSAFA file and put these in. Are they correct in syntax, etc., to block all traffic from these IPs?

/sbin/ipchains -A input -j DENY -p all -l -s 204.34.211.81 -d 0.0.0.0/0
/sbin/ipchains -A input -j DENY -p all -l -s 128.236.96.83 -d 0.0.0.0/0