Firewall Wizards mailing list archives

Help with ipchains rules
From: "I'm a Swinger" <imaswinger () hotmail com>
Date: Fri, 26 Jan 2001 00:44:25

Hello, I am running a Redhat 7.0 server (by itself, there are no computers behind it) running DNS (to host my domain names for WWW), WWW, and SSH. The only open ports (judging by a nessus report) were 22, 53, 80, and 443 (I'd like to shut down 443, but that's not a question for this particular list). A friend gave me his ipchains ruleset to use, but when it's running I cannot ftp or lynx out of the machine (it's also supposed to drop all ping requests, but it does not). It (ftp or lynx) just hangs.

So I started reading up on ipchains so that I could implement my own ruleset. Judging by the HOWTO (and the simple example given), I really only have to worry about allowing incoming to 22, 53, and 80. There were some issues with ftp (needing a port <1024), but I think if I run passive mode I can ignore them. Now, disregarding IP spoofing and forwarding, I'm guessing that this is what I would include in my ipchains (this is most likely wrong, which is why I'm writing this letter):

~~
#(I'm substituting 123.123.123.123 for my real ip)
#I allow UDP/TCP packets in for DNS, TCP for WWW, and TCP for SSH
#Every rule names the chain it goes on (input), and matches on the
#destination (-d) of the packet, since inbound requests are addressed
#to me rather than sent from me. Ports are numeric because ipchains
#looks names up in /etc/services.
ipchains -A input -p udp -d 123.123.123.123 53 -j ACCEPT
ipchains -A input -p tcp -d 123.123.123.123 53 -j ACCEPT
ipchains -A input -p tcp -d 123.123.123.123 80 -j ACCEPT
ipchains -A input -p tcp -d 123.123.123.123 22 -j ACCEPT

#Local-to-local packets are OK:
ipchains -A input -i lo -j ACCEPT

#Now, my default policy on the input chain is DENY, so everything else gets dropped:
ipchains -P input DENY
~~

Now this seems far too simple to me to be what I need. Can anyone help explain to me what I need to allow to simply run DNS, WWW, and SSH? I want to allow access to those, and block everything else. The only other thing I have to do is occasional use of lynx (I could probably do without that, actually) and ftp (I need to access updates.redhat.com, etc.). Any help with this matter (along with a cc to my address imaswinger () hotmail com because I may not be on the mailing list just yet - I don't know how long it takes) would be extremely appreciated.

Curtis

PS - I apologize for the long-windedness of this letter (and its postscript :-), I just wanted to give as much info as possible.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
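The symptom in the post (lynx and ftp hang once the ruleset is loaded) is the classic stateless-filter mistake: a DENY policy on the input chain drops the replies to connections the box itself opened, because ipchains has no connection tracking. The script below is an added example written for this archive page; it is not Curtis's ruleset, his friend's, or anything from the ipchains HOWTO. It assumes the public address is 123.123.123.123 (the placeholder the post uses) and that the outside interface is eth0 (an assumption; adjust both). It offers DNS, WWW and SSH to the world, accepts replies to the box's own outbound TCP, DNS lookups and the ICMP those need, and drops ping by leaving echo-request unlisted. Running it with no argument prints the ipchains commands; `apply` loads them.

```shell
#!/bin/sh
# Added example (not Curtis's ruleset and not from the ipchains HOWTO): a
# complete input chain for a stand-alone box serving DNS, WWW and SSH that
# still lets the box itself use lynx, passive ftp and its own resolver.
# Assumptions: the public address is 123.123.123.123 (the post's placeholder)
# and the outside interface is eth0; change both to suit.
ME=${ME:-123.123.123.123}
EXT_IF=${EXT_IF:-eth0}
# IPCHAINS=echo prints the commands instead of executing them (see print_rules).
IPCHAINS=${IPCHAINS:-ipchains}

load_rules() {
    # Start clean. ipchains stops at the first matching rule, so order matters.
    $IPCHAINS -F input
    $IPCHAINS -P input DENY

    # Loopback is trusted.
    $IPCHAINS -A input -i lo -j ACCEPT

    # Anti-spoofing: nothing arriving on the wire may claim to be me or
    # loopback (-l logs the match to syslog).
    $IPCHAINS -A input -i "$EXT_IF" -s "$ME" -j DENY -l
    $IPCHAINS -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l

    # Services offered to the world. Match on the DESTINATION (-d), not -s:
    # inbound requests are addressed to me, they do not come from me.
    $IPCHAINS -A input -p tcp -d "$ME" 22 -j ACCEPT   # ssh
    $IPCHAINS -A input -p tcp -d "$ME" 80 -j ACCEPT   # www
    $IPCHAINS -A input -p udp -d "$ME" 53 -j ACCEPT   # dns queries
    $IPCHAINS -A input -p tcp -d "$ME" 53 -j ACCEPT   # dns over tcp (zone transfers, large answers)

    # Why lynx/ftp hang behind a bare DENY policy: ipchains has no connection
    # tracking, so the replies to this host's own outbound connections are
    # dropped. Accept TCP that is not a bare SYN (! -y) to an unprivileged
    # port: that covers every reply segment of a connection this host opened,
    # including the passive-mode ftp data connection. A fresh connection
    # attempt (SYN only) to those ports still falls through to DENY.
    $IPCHAINS -A input -p tcp ! -y -d "$ME" 1024:65535 -j ACCEPT

    # Replies to my own DNS lookups: from a nameserver's port 53 to my high port.
    $IPCHAINS -A input -p udp -s 0/0 53 -d "$ME" 1024:65535 -j ACCEPT

    # ICMP that outbound connections rely on (ipchains takes the ICMP type in
    # the source-port position): 3 = destination-unreachable, 11 = time-exceeded.
    # Echo-request (type 8) is deliberately absent, so pings hit the DENY policy.
    $IPCHAINS -A input -p icmp -s 0/0 3 -d "$ME" -j ACCEPT
    $IPCHAINS -A input -p icmp -s 0/0 11 -d "$ME" -j ACCEPT
}

# Dry run: emit the ipchains commands instead of loading them.
print_rules() {
    (IPCHAINS=echo; load_rules)
}

case "${1:-print}" in
    apply) load_rules ;;
    *)     print_rules ;;
esac
```

The price of the `! -y` rule is that it is not state: any non-SYN segment (an ACK or FIN scan, for instance) aimed at a high port gets through to the TCP stack, which will answer with a RST. That is inherent to ipchains; real connection tracking only arrived with iptables. Active-mode ftp would additionally need inbound SYNs to high ports, which this ruleset refuses, so keep ftp in passive mode as the post already planned.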