Firewall Wizards mailing list archives
Re: Help with ipchains rules
From: "G.Brits" <webmaster () carlits co za>
Date: Fri, 26 Jan 2001 09:50:48 +0200
You have to understand the difference between the use of -s and -d. Firstly, you should have the following rules at the top of your script file:

$IPCHAINS -P input DENY
$IPCHAINS -A input -p TCP ! -y -j ACCEPT
$IPCHAINS -A input -i lo -j ACCEPT

The first obviously denies incoming packets. The second one allows SYN requests and sessions, which is vital to have in your firewall. The third one is to allow local host sessions, which is going to come in when you have MASQ'd sessions on the firewall.

It is always best to define your eth cards, like eth0 is your public connection, eth1 is your internal connection. Define these by typing

$IPCHAINS -N public
$IPCHAINS -N internal
$IPCHAINS -N icmpchk

The above creates the chains, including the ICMP check you wanted. Now tell it which chain is on which ethernet card by typing

$IPCHAINS -A input -i eth0 -j public
$IPCHAINS -A input -i eth1 -j internal

Once this is done, it becomes easier to manage public connections coming in, and internal going out to the net. Use these as a standard public rule set:

$IPCHAINS -A public -d x.x.x.x -j DENY    # This being your broadcast address on your public ethernet, to deny broadcasts
$IPCHAINS -A public -p TCP ! -y -j ACCEPT    # To allow SYN requests
$IPCHAINS -A public -p TCP --source-port ftp-data -j ACCEPT    # This to allow ftp data, which will solve the ftp problem
$IPCHAINS -A public -p TCP -d x.x.x.x 21:21 -j ACCEPT    # This is to finish the ftp connections to the firewall; replace the x.x.x.x with your public eth address
$IPCHAINS -A public -p UDP -s x.x.x.x/26 53:53 --destination-port 1024:65535 -j ACCEPT    # The UDP ports that need to be open on a firewall
$IPCHAINS -A public -p TCP -s your.internal.ip.address -y -d your.firewall.ip.address 22:22 -j ACCEPT    # This to allow ssh connections from your internal ip address

Then, to come to your question, to run WWW, DNS and SSH do this:

$IPCHAINS -A public -p TCP -y -d your.public.ip.address 53:53 -j ACCEPT
$IPCHAINS -A public -p UDP -d your.public.ip.address 53:53 -j ACCEPT
$IPCHAINS -A public -p TCP -y -d your.public.ip.address 80:80 -j ACCEPT
$IPCHAINS -A public -p TCP -s your.internal.ip.address -y -d your.public.ip.address 22:22 -j ACCEPT    # This line is if you only want ssh connections from the inside
$IPCHAINS -A public -p TCP -y -d your.public.ip.address 22:22 -j ACCEPT    # This line is if you want ssh connections from anywhere

Regards
WaRcHiLd
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
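The ruleset described in the post above, assembled as one ordered script (an added example, not G.Brits's own script). It keeps the post's structure: default DENY on input, one user chain per interface, an icmpchk chain, then per-service ACCEPTs. The addresses and interface names, the anti-spoof and ICMP-type rules, the masquerade rule and the DRY_RUN wrapper are constructed assumptions of this example; with DRY_RUN=1 (the default) the script only prints the ipchains commands, so the rule order can be reviewed on any machine without root or a 2.2 kernel.

```shell
#!/bin/sh
# Added example, not from the post: the ruleset above as one ordered
# script. Addresses, interface names and the extra anti-spoof, ICMP and
# masquerade rules are constructed assumptions. DRY_RUN=1 (the default)
# prints each command instead of executing it.
: "${DRY_RUN:=1}"
IPCHAINS=/sbin/ipchains

PUB_IF=eth0               # public (Internet-facing) card
INT_IF=eth1               # internal card
PUB_IP=192.0.2.10         # firewall address on the public card (assumed)
PUB_BCAST=192.0.2.63      # broadcast address of the public /26 (assumed)
INT_IP=10.0.0.1           # firewall address on the internal card (assumed)
INT_NET=10.0.0.0/24       # internal network (assumed)
INT_ADMIN=10.0.0.5        # the one inside host allowed to ssh in (assumed)
DNS_SERVERS=192.0.2.0/26  # resolvers whose UDP replies we accept (assumed)

# Every rule goes through ipc(): print it in dry-run mode, else run it.
ipc() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPCHAINS $*"
    else
        "$IPCHAINS" "$@"
    fi
}

build_rules() {
    ipc -F                    # flush every chain
    ipc -X                    # delete old user chains so -N below cannot fail
    ipc -P input DENY         # anything no rule accepts is dropped
    ipc -P forward DENY
    ipc -P output ACCEPT

    ipc -A input -i lo -j ACCEPT
    # "! -y" matches TCP packets without SYN: replies to sessions that the
    # firewall or a masqueraded client opened. ipchains keeps no state, so
    # this is the rule that lets established connections continue.
    ipc -A input -p TCP ! -y -j ACCEPT

    ipc -N public
    ipc -N internal
    ipc -N icmpchk
    ipc -A input -i "$PUB_IF" -j public
    ipc -A input -i "$INT_IF" -j internal

    # public card: anti-spoof, no broadcasts, ICMP check, then our services
    ipc -A public -s "$INT_NET" -j DENY -l      # inside addresses never arrive here
    ipc -A public -d "$PUB_BCAST" -j DENY
    ipc -A public -p ICMP -j icmpchk
    # active-mode ftp data; note this admits any TCP packet with source port 20
    ipc -A public -p TCP --source-port ftp-data -j ACCEPT
    ipc -A public -p TCP -y -d "$PUB_IP" 21 -j ACCEPT
    ipc -A public -p UDP -s "$DNS_SERVERS" 53 -d "$PUB_IP" 1024:65535 -j ACCEPT
    ipc -A public -p TCP -y -d "$PUB_IP" 53 -j ACCEPT    # DNS over TCP
    ipc -A public -p UDP -d "$PUB_IP" 53 -j ACCEPT       # DNS queries; UDP has no SYN flag
    ipc -A public -p TCP -y -d "$PUB_IP" 80 -j ACCEPT    # WWW
    # ipc -A public -p TCP -y -d "$PUB_IP" 22 -j ACCEPT  # only if ssh from anywhere is wanted
    ipc -A public -j DENY -l                             # log whatever fell through

    # icmpchk: only what path MTU discovery, traceroute and our own pings need
    ipc -A icmpchk -p ICMP --icmp-type destination-unreachable -j ACCEPT
    ipc -A icmpchk -p ICMP --icmp-type time-exceeded -j ACCEPT
    ipc -A icmpchk -p ICMP --icmp-type echo-reply -j ACCEPT
    ipc -A icmpchk -p ICMP --icmp-type echo-request -j ACCEPT
    ipc -A icmpchk -j DENY -l

    # internal card: inside addresses only, ssh to the firewall from the admin box
    ipc -A internal -s ! "$INT_NET" -j DENY -l
    ipc -A internal -p TCP -s "$INT_ADMIN" -y -d "$INT_IP" 22 -j ACCEPT
    ipc -A internal -j ACCEPT

    # masquerade inside clients leaving through the public card
    ipc -A forward -s "$INT_NET" -i "$PUB_IF" -j MASQ
}

# Number of -A rules the script installs; handy for a sanity check against -L.
rule_count() {
    build_rules | grep -c -- ' -A '
}

build_rules
```

Run it as-is to review the order, then `DRY_RUN=0 sh firewall.sh` as root to install it. The ssh rule lives on the internal chain rather than the public one: a packet carrying an inside source address on the public card can only be spoofed, and the anti-spoof rule at the top of the public chain drops it before any service rule is consulted.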
Current thread:
- Help with ipchains rules I'm a Swinger (Jan 25)
- Re: Help with ipchains rules Martin Peikert (Jan 26)
- Re: Help with ipchains rules Marnix Petrarca (Jan 26)
- <Possible follow-ups>
- Re: Help with ipchains rules G.Brits (Jan 26)