Re: [vox-tech] firewall (ipchains)
- Subject: Re: [vox-tech] firewall (ipchains)
- From: jdnewmil@dcn.davis.ca.us
- Date: Wed, 25 Apr 2001 16:30:32 -0700
- References: Pine.GSO.4.33.0104251440450.26894-100000@logan.ucdavis.edu
I tried to write this before, but it seems to have never made it past my
send command... probably operator error...
You might need to use lowercase "tcp"
Here is an extract from my rules:
# let me out
ipchains -A output -j ACCEPT -i $IFX -p tcp -s $IPXCP -d 0/0 22
# let return packets back in
ipchains -A input -j ACCEPT -i $IFX -p tcp ! -y -s 0/0 22 -d $IPXCP
# let someone connect to my server
ipchains -A input -j ACCEPT -i $IFX -p tcp -s 0/0 $CP -d $IPX 22
# let my server respond
ipchains -A output -j ACCEPT -i $IFX -p tcp -s $IPX 22
where
IPX=external ip number
IFX=external interface (eth1)
CP="1024:65534" # Clients use these Ports.
IPXCP="$IPX $CP" # IP Ext. Client Ports
Other notes: I put a deny-and-log rule at the end of my chains so I can
see attempted violations of my rules.
You might also consider a packaged firewall, such as Seattle or rcf.
(http://leaf.sourceforge.net/links.php?op=viewlink&cid=3)
On Wed, 25 Apr 2001, Gabriel Rosa wrote:
> hey all,
>
> I recently built a Debian box and I'm giving it my first attempt at
> ipchains.
>
> I read the HOWTO and found it to be fairly non-practical. It's more of
> an ipchains manual, not really a howto. Anyway, I have a basic script that's
> giving me a bit of trouble.
>
> I start out with DENY on input, output and forward, and the accept rules on
> input are giving me some problems.
>
> anyway, here it is
>
> ------ cut here -----
> #!/bin/sh
>
> # reset everything
> /sbin/ipchains -F
>
> # deny outside
> /sbin/ipchains -P input DENY
> /sbin/ipchains -P forward DENY
>
> # outgoing is ok
> /sbin/ipchains -P output ACCEPT
>
> # taken from the ipchains howto
> # MASQ timeouts
> #
> # 2 hrs timeout for TCP session timeouts
> # 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
> # 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
> #
> /sbin/ipchains -M -S 7200 10 160
>
> # enable ip masq
> /sbin/ipchains -A forward -i eth1 -s 10.10.10.0/24 -j MASQ
>
> # set up incoming
>
> # allow ssh in
> /sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 ssh -j ACCEPT
> /sbin/ipchains -A input -i eth1 -p UDP -s 0/0 -d 0/0 ssh -j ACCEPT
>
> # allow ftp
> /sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 ftp -j ACCEPT
> /sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 ftp-data -j ACCEPT
>
> # allow domain
> /sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 domain -j ACCEPT
> /sbin/ipchains -A input -i eth1 -p UDP -s 0/0 -d 0/0 domain -j ACCEPT
>
> # web
> /sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 www -j ACCEPT
> /sbin/ipchains -A input -i eth1 -p UDP -s 0/0 -d 0/0 www -j ACCEPT
>
> # cvs
> /sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 cvspserver -j ACCEPT
>
> # icmp is ok
> /sbin/ipchains -A input -i eth1 -p ICMP -j ACCEPT
>
> # internal is good, open up
> /sbin/ipchains -A input -i eth0 -p TCP -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p UDP -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p ICMP -j ACCEPT
>
> --- cut here ----
>
> my internal nic is eth0, and the external one is eth1.
> With these rules, no packets go in or out?
>
> What am I missing?
>
> thanks
> -Gabe
>
---------------------------------------------------------------------------
Jeff Newmiller The ..... ..... Go Live...
DCN:<jdnewmil@dcn.davis.ca.us> Basics: ##.#. ##.#. Live Go...
Work:<JeffN@endecon.com> Live: OO#.. Dead: OO#.. Playing
Research Engineer (Solar/Batteries O.O#. #.O#. with
/Software/Embedded Controllers) .OO#. .OO#. rocks...2k
---------------------------------------------------------------------------
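Added example, not part of either mail: a small Python model of how an ipchains
input chain is evaluated (first matching rule wins, otherwise the chain policy),
run against Gabe's ssh rule and Jeff's two ssh rules to show why replies to an
outbound ssh session are dropped by the first and let back in by the `! -y` rule
of the second, without opening the client ports to new connections. It is a
simplification (only interface, protocol, exact-or-any addresses, port ranges and
the `-y` flag are matched) and the addresses are constructed, not from the thread.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional, Tuple
# syn_only: SYN set with ACK and FIN clear, which is what ipchains "-y" matches
Packet = namedtuple("Packet", "iface proto src sport dst dport syn_only")

@dataclass
class Rule:
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: str = "0/0"            # "0/0" means any; otherwise an exact address
    dst: str = "0/0"
    sport: Optional[Tuple[int, int]] = None
    dport: Optional[Tuple[int, int]] = None
    syn: Optional[bool] = None  # True = "-y", False = "! -y", None = either

def _port_ok(port, rng):
    return rng is None or rng[0] <= port <= rng[1]

def matches(r, p):
    return (r.iface in (None, p.iface) and r.proto in (None, p.proto)
            and r.src in ("0/0", p.src) and r.dst in ("0/0", p.dst)
            and _port_ok(p.sport, r.sport) and _port_ok(p.dport, r.dport)
            and (r.syn is None or r.syn == p.syn_only))

def verdict(chain, policy, p):
    # first matching rule decides; otherwise the chain policy applies
    for r in chain:
        if matches(r, p):
            return r.target
    return policy

IPX = "198.51.100.7"  # constructed external address of the firewall
CP = (1024, 65534)    # Jeff's client port range
# Gabe's ssh input rule: "-i eth1 -p TCP -s 0/0 -d 0/0 ssh -j ACCEPT"
GABE = [Rule("ACCEPT", "eth1", "tcp", dport=(22, 22))]
# Jeff's ssh rules: replies back in (! -y), then new connections to sshd
JEFF = [Rule("ACCEPT", "eth1", "tcp", dst=IPX, sport=(22, 22), dport=CP, syn=False),
        Rule("ACCEPT", "eth1", "tcp", dst=IPX, sport=CP, dport=(22, 22))]

def compare(p):
    # (Gabe's verdict, Jeff's verdict) for a packet arriving on eth1
    return verdict(GABE, "DENY", p), verdict(JEFF, "DENY", p)

# Constructed packets: the SYN/ACK coming back for our outbound ssh client,
# a new inbound ssh connection, and a bare SYN from port 22 at a client port.
REPLY = Packet("eth1", "tcp", "203.0.113.5", 22, IPX, 40000, False)
NEW_SSH = Packet("eth1", "tcp", "203.0.113.5", 50000, IPX, 22, True)
SYN_TO_CLIENT = Packet("eth1", "tcp", "203.0.113.5", 22, IPX, 40000, True)
```

`compare(REPLY)` gives `("DENY", "ACCEPT")`: Gabe's chain only accepts packets to port 22, so the server's reply to port 40000 hits the DENY policy, which is the "nothing goes in or out" symptom.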