l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
October 7: Social gathering
Next Installfest:
TBD
Latest News:
Aug. 18: Discounts to "Velocity" in NY; come to tonight's "Photography" talk
Page last updated:
2001 Dec 30 17:03

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] firewall (ipchains)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] firewall (ipchains)


  • Subject: Re: [vox-tech] firewall (ipchains)
  • From: jdnewmil@dcn.davis.cMAPSa.us
  • Date: Wed, 25 Apr 2001 16:30:32 -0700
  • References: Pine.GSO.4.33.0104251440450.26894-100000@logan.ucdavis.edu

I tried to write this before, but it seems to have nver made it past my
send command... probably operator error...

You might need to use lowercase "tcp"

Here is an extract from my rules:

let me out

  ipchains -A output -j ACCEPT -i $IFX -p tcp -s $IPXCP -d 0/0 22

let return packets back in

  ipchains -A input -j ACCEPT -i $IFX -p tcp ! -y -s 0/0 22 -d $IPXCP

let someone connect to my server

  ipchains -A input -j ACCEPT -i $IFX -p tcp -s 0/0 $CP -d $IPX 22

let my server respond

  ipchains -A output -j ACCEPT -i $IFX -p tcp -s $IPX 22


where

  IPX=external ip number
  IFX=external interface (eth1)
  CP="1024:65534"               #  Clients use these Ports.
  IPXCP="$IPX $CP"              #  IP Ext. Client Ports

Other notes: I put a deny-and-log rule at the end of my chains so I can
see attempted violations of my rules.

You might also consider a packaged firewall, such as Seattle or rcf.
(http://leaf.sourceforge.net/links.php?op=viewlink&cid=3)

On Wed, 25 Apr 2001, Gabriel Rosa wrote:

> hey all,
> 
> i recently built a debian box and i'm giving it my first attempt at
> ipchains.
> 
> I read the HOWTO and found it to be fairly non-practical. It's more of
> an ipchains manual, not really a howto. Anyway, I have a basic script that's
> giving me a bit of trouble.
> 
> I start out with DENY on input, output and forward, and the accept rules on
> input are giving me some problems.
> 
> anyway, here it is
> 
> ------ cut here -----
> #!/bin/sh
> 
> # reset everything
> /sbin/ipchains -F
> 
> # deny outside
> /sbin/ipchains -P input DENY
> /sbin/ipchains -P forward DENY
> 
> # outcoming is ok
> /sbin/ipchains -P output ACCEPT
> 
> # taken from the ipchains howto
> # MASQ timeouts
> #
> #   2 hrs timeout for TCP session timeouts
> #  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
> #  160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
> #
> /sbin/ipchains -M -S 7200 10 160
> 
> # enable ip masq
> /sbin/ipchains -A forward -i eth1 -s 10.10.10.0/24 -j MASQ
> 
> # set up incoming
> 
> # allow ssh in
> /sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 ssh -j ACCEPT
> /sbin/ipchains -A input -i eth1 -p UDP -s 0/0 -d 0/0 ssh -j ACCEPT
> 
> # allow ftp
> /sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 ftp -j ACCEPT
> /sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 ftp-data -j ACCEPT
> 
> # allow domain
> /sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 domain -j ACCEPT
> /sbin/ipchains -A input -i eth1 -p UDP -s 0/0 -d 0/0 domain -j ACCEPT
> 
> # web
> /sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 www -j ACCEPT
> /sbin/ipchains -A input -i eth1 -p UDP -s 0/0 -d 0/0 www -j ACCEPT
> 
> # cvs
> /sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 cvspserver -j ACCEPT
> 
> # icmp is ok
> /sbin/ipchains -A input -i eth1 -p ICMP -j ACCEPT
> 
> # internal is good, open up
> /sbin/ipchains -A input -i eth0 -p TCP -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p UDP -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p ICMP -j ACCEPT
> 
> --- cut here ----
> 
> my internal nic is eth0, and the external one is eth1.
> With these rules, no packets go in or out?
> 
> What am I missing?
> 
> thanks
> -Gabe
> 

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
Work:<JeffN@endecon.com>              Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------


LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
EDGE Tech Corp.
For donating some give-aways for our meetings.