[ale] Elusive ipchains issue (Long)
Howard Fore
me at hofo.com
Thu Jul 5 15:44:31 EDT 2001
Hi,
I've got a SuSE 7.2 machine with ipchains and a mail server on it at a
local ISP. The mail server has an HTTPS webmail interface running on port
9100. I used the SuSEfirewall script to configure ipchains. From my
home, selected as a trusted network, I can connect to the webmail
interface. From anywhere else, all requests to 9100 go into a black
hole. They don't even show up on the log as denied! The only thing I can
figure is that something is funky in the chain, but it looks ok to me
(but then again I haven't done this too often). Any ideas? Here's the
dump of the chains (ipchains -L -nv):
And on a related note, what's the format of the "opt" column in this
listing? I can't find that anywhere...
Thanks.
> Chain input (policy DENY: 6621 packets, 883795 bytes):
>  pkts  bytes target prot opt    tosa tosx ifname mark outsize source           destination      ports
>     0      0 ACCEPT all  ------ 0xFF 0x00 lo                  0.0.0.0/0        0.0.0.0/0        n/a
>     0      0 DENY   all  ----l- 0xFF 0x00 *                   208.32.175.148   0.0.0.0/0        n/a
>     0      0 DENY   all  ----l- 0xFF 0x00 *                   127.0.0.0/8      0.0.0.0/0        n/a
>     0      0 DENY   all  ----l- 0xFF 0x00 *                   0.0.0.0/0        127.0.0.0/8      n/a
>     0      0 ACCEPT icmp ----l- 0xFF 0x00 *                   208.32.175.0/24  0.0.0.0/0        4 -> *
>     1   1500 ACCEPT icmp ----l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   8 -> *
>     0      0 ACCEPT icmp ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   0 -> *
>     0      0 ACCEPT icmp ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   3 -> *
>     0      0 ACCEPT icmp ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   11 -> *
>     0      0 ACCEPT icmp ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   12 -> *
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 9100
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 9100
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 9010
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 9010
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 22
>   619  32680 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 22
>     6    288 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 143
>    33   1852 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 143
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 220
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 220
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 993
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 993
>     8    400 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 25
>    40   9768 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 25
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 21
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 21
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 20
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 20
>    10    540 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 80
>    82  14455 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 80
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 443
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 443
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 548
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 548
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 674
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 674
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 106
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 106
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 109
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 109
>     2     96 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 110
>    46   2038 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 110
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 22
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 22
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 143
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 143
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 220
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 220
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 993
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 993
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 993
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 993
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 25
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 25
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 21
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 21
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 20
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 20
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 80
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 80
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 443
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 443
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 548
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 548
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 674
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 674
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 106
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 106
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 109
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 109
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 110
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 110
>     0      0 REJECT tcp  -y---- 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        * -> 113
>     0      0 DENY   tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 22
>     0      0 DENY   tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 22
>     0      0 DENY   tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 80
>     0      0 DENY   tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 80
>     0      0 DENY   tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 389
>     0      0 DENY   tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 389
>     0      0 DENY   tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 548
>     0      0 DENY   tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 548
>     0      0 DENY   tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 636
>     0      0 DENY   tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 636
>     0      0 DENY   tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 674
>     0      0 DENY   tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 674
>     0      0 ACCEPT tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 1024:65535
>     0      0 ACCEPT tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 1024:65535
>     0      0 ACCEPT tcp  !y---- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 600:65535
>     0      0 ACCEPT tcp  !y---- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 20
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 9100
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 9010
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 22
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 143
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 220
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 993
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 25
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 20
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 80
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 443
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 548
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 109
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 110
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 22
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 143
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 220
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 993
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 993
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 25
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 20
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 80
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 443
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 548
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 109
>     0      0 ACCEPT udp  ------ 0xFF 0x00 *                   24.4.126.163     208.32.175.148   * -> 110
>     0      0 DENY   udp  ----l- 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 1039
>     6   1304 ACCEPT udp  ------ 0xFF 0x00 *                   0.0.0.0/0        208.32.175.148   * -> 1024:65535
>    72  13360 DENY   all  ------ 0xFF 0x00 *                   0.0.0.0/0        255.255.255.255  n/a
>     0      0 DENY   all  ------ 0xFF 0x00 *                   255.255.255.255  0.0.0.0/0        n/a
>   357  40540 DENY   all  ------ 0xFF 0x00 *                   0.0.0.0/0        !208.32.175.148  n/a
>     0      0 DENY   icmp ----l- 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        4 -> *
>     0      0 DENY   icmp ----l- 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        5 -> *
>     0      0 DENY   icmp ----l- 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        8 -> *
>     0      0 DENY   icmp ----l- 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        11 -> *
>     0      0 DENY   tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        * -> 135:139
>     0      0 DENY   tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        * -> *
>     0      0 DENY   udp  ------ 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        * -> 135:139
>     0      0 DENY   udp  ----l- 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        * -> *
>     0      0 DENY   all  ------ 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        n/a
> Chain forward (policy DENY: 0 packets, 0 bytes):
>  pkts  bytes target prot opt    tosa tosx ifname mark outsize source           destination      ports
>     0      0 DENY   tcp  -y--l- 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        * -> *
>     0      0 DENY   all  ------ 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        n/a
> Chain output (policy ACCEPT: 168888 packets, 25140917 bytes):
>  pkts  bytes target prot opt    tosa tosx ifname mark outsize source           destination      ports
>     0      0 ACCEPT all  ------ 0xFF 0x00 lo                  0.0.0.0/0        0.0.0.0/0        n/a
>     0      0 ACCEPT icmp ------ 0xFF 0x00 *                   208.32.175.148   0.0.0.0/0        3 -> 4
>     0      0 ACCEPT icmp ------ 0xFF 0x00 *                   208.32.175.148   0.0.0.0/0        3 -> 13
>     0      0 ACCEPT icmp ------ 0xFF 0x00 *                   208.32.175.148   0.0.0.0/0        3 -> 3
>     0      0 DENY   icmp ------ 0xFF 0x00 *                   208.32.175.148   0.0.0.0/0        3 -> *
>     0      0 ACCEPT icmp ------ 0x01 0x10 *                   0.0.0.0/0        0.0.0.0/0        8 -> *
>     1   1500 ACCEPT icmp ------ 0x01 0x10 *                   0.0.0.0/0        0.0.0.0/0        0 -> *
>     0      0 ACCEPT icmp ------ 0x01 0x14 *                   0.0.0.0/0        0.0.0.0/0        * -> *
>   494   141K ACCEPT tcp  ------ 0x01 0x10 *                   0.0.0.0/0        0.0.0.0/0        22 -> *
>     0      0 ACCEPT tcp  ------ 0x01 0x10 *                   0.0.0.0/0        0.0.0.0/0        * -> 22
>     0      0 ACCEPT tcp  ------ 0x01 0x08 *                   0.0.0.0/0        0.0.0.0/0        20 -> *
>    80  54782 ACCEPT tcp  ------ 0x01 0x08 *                   0.0.0.0/0        0.0.0.0/0        80 -> *
>     0      0 ACCEPT tcp  ------ 0x01 0x08 *                   0.0.0.0/0        0.0.0.0/0        80 -> *
>     0      0 ACCEPT tcp  ------ 0x01 0x08 *                   0.0.0.0/0        0.0.0.0/0        * -> 80
>     0      0 ACCEPT udp  ------ 0x01 0x10 *                   0.0.0.0/0        0.0.0.0/0        53 -> *
>     6    355 ACCEPT udp  ------ 0x01 0x10 *                   0.0.0.0/0        0.0.0.0/0        * -> 53
>     0      0 ACCEPT udp  ------ 0x01 0x14 *                   0.0.0.0/0        0.0.0.0/0        * -> 161
>     0      0 ACCEPT udp  ------ 0x01 0x14 *                   0.0.0.0/0        0.0.0.0/0        * -> 162
>     0      0 ACCEPT udp  ------ 0x01 0x14 *                   0.0.0.0/0        0.0.0.0/0        * -> 514
--
Howard Fore, me at hofo.com
Abraham Lincoln: "The dogmas of the quiet past, are inadequate to the
stormy present. The occasion is piled high with difficulty, and we must
rise with the occasion. As our case is new, so we must think anew, and
act anew."
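The way to answer "which rule swallowed my packet, and should it have logged" is to walk the chain first-match, exactly as the kernel does. The following is an added example (not from the post, nor part of SuSEfirewall or ipchains) that parses a constructed subset of the input chain above, in chain order, and reports the deciding rule; it assumes an outside client address 198.51.100.7, interface eth0, and the opt-column layout described in the comments.

```python
import ipaddress

# Constructed subset of the post's input chain (ipchains -L -nv, chain order kept,
# one rule per line, empty mark/outsize columns dropped). Not the full listing.
INPUT_CHAIN = """\
ACCEPT all ------ lo 0.0.0.0/0      0.0.0.0/0       n/a
DENY   all ----l- *  208.32.175.148 0.0.0.0/0       n/a
ACCEPT tcp -y--l- *  0.0.0.0/0      208.32.175.148  * -> 9100
ACCEPT tcp ------ *  0.0.0.0/0      208.32.175.148  * -> 9100
DENY   tcp -y--l- *  0.0.0.0/0      208.32.175.148  * -> 389
ACCEPT tcp -y--l- *  0.0.0.0/0      208.32.175.148  * -> 1024:65535
ACCEPT tcp !y---- *  0.0.0.0/0      208.32.175.148  * -> 600:65535
DENY   all ------ *  0.0.0.0/0      !208.32.175.148 n/a
DENY   tcp -y--l- *  0.0.0.0/0      0.0.0.0/0       * -> *
DENY   all ------ *  0.0.0.0/0      0.0.0.0/0       n/a
"""

def parse_rule(line):
    """opt column as decoded here (assumed layout): pos 1 '!' inverts the SYN test,
    pos 2 'y' = SYN-only packets, pos 5 'l' = log the match; 3, 4, 6 unused above."""
    target, proto, opt, ifname, src, dst, *ports = line.split()
    spec = " ".join(ports)                      # "n/a", "* -> 9100", "* -> 1024:65535"
    dport = "*" if spec == "n/a" else spec.split("->")[1].strip()
    return {"target": target, "proto": proto, "ifname": ifname, "src": src, "dst": dst,
            "dport": dport, "log": opt[4] == "l", "syn": opt[1] == "y", "inv": opt[0] == "!"}

def addr_match(spec, addr):                     # "!" prefix negates, as in the listing
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")
def port_match(spec, port):                     # "*", "9100" or "lo:hi"
    if spec == "*":
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def first_match(chain, proto, src, dst, dport, syn, ifname="eth0"):
    """Kernel-style first-match walk. Returns (1-based index, rule) of the rule that
    decides the packet, or (None, None) when the chain policy (DENY here) applies."""
    for i, r in enumerate(chain, 1):
        if r["ifname"] not in ("*", ifname) or r["proto"] not in ("all", proto):
            continue
        if r["syn"] and syn == r["inv"]:        # -y wants SYN-only, !y wants the rest
            continue
        if addr_match(r["src"], src) and addr_match(r["dst"], dst) and port_match(r["dport"], dport):
            return i, r
    return None, None

def silent_drops(chain):  # DENY/REJECT rules without 'l': matches that never reach the log
    return [i for i, r in enumerate(chain, 1) if r["target"] in ("DENY", "REJECT") and not r["log"]]
CHAIN = [parse_rule(line) for line in INPUT_CHAIN.splitlines()]
```

On this subset a SYN to TCP/9100 on 208.32.175.148 from any source lands on the logged ACCEPT rule before any DENY, while a packet addressed to a different destination hits the unlogged DENY that silent_drops() reports; in the full listing both 9100 rules also show zero packet counters, so traffic that vanishes without a log line either met one of the unlogged DENY rules or never entered the chain at all.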