Firewall Wizards mailing list archives

Re: Help with ipchains rules


From: "G.Brits" <webmaster () carlits co za>
Date: Fri, 26 Jan 2001 09:50:48 +0200

You have to understand the difference between the use of -s and -d.

Firstly you should have the following rules at the top of your script file

$IPCHAINS -P input DENY
$IPCHAINS -A input -p TCP ! -y -j ACCEPT
$IPCHAINS -A input -i lo -j ACCEPT

The first obviously denies incoming packets. The second one allows SYN
requests and sessions, which is vital to have in your firewall. The third
one is to allow local host sessions, which is going to come in when you have
MASQ'd sessions on the firewall.

It is always best to define your eth cards, like eth0 is your public
connection, eth1 is your internal connection. Define these by typing

$IPCHAINS -N public
$IPCHAINS -N internal
$IPCHAINS -N icmpchk

The above creates the chains including the ICMP check you wanted, now tell it
which chain is on which ethernet card by typing

$IPCHAINS -A input -i eth0 -j public
$IPCHAINS -A input -i eth1 -j internal   # the chain created above with -N internal

Once this is done, it becomes easier to manage public connections coming in,
and internal going out to the net.

Use these as a standard public rule set

$IPCHAINS -A public -d x.x.x.x -j DENY # x.x.x.x being your broadcast address on your public ethernet, to deny broadcasts
$IPCHAINS -A public -p TCP ! -y -j ACCEPT # To allow Syn requests
$IPCHAINS -A public -p TCP --source-port ftp-data -j ACCEPT # This to allow ftp data, which will solve the ftp problem
$IPCHAINS -A public -p TCP -d x.x.x.x 21:21 -j ACCEPT # This is to finish the ftp connections to the firewall, replace the x.x.x.x with your public eth address

$IPCHAINS -A public -p UDP -s x.x.x.x/26 53:53 --destination-port 1024:65535 -j ACCEPT # The udp ports that need to be open on a firewall
$IPCHAINS -A public -p TCP -s your.internal.ip.address -y -d your.firewall.ip.address 22:22 -j ACCEPT # This to allow ssh connections from your internal ip address

Then to come to your question, to run WWW, DNS, SSH to this

$IPCHAINS -A public -p TCP -y -d your.public.ip.address 53:53 -j ACCEPT
# UDP has no SYN flag, so -y does not apply; -b (bidirectional) takes no address, -d is what is meant
$IPCHAINS -A public -p UDP -d your.public.ip.address 53:53 -j ACCEPT
$IPCHAINS -A public -p TCP -y -d your.public.ip.address 80:80 -j ACCEPT
$IPCHAINS -A public -p TCP -s your.internal.ip.address -y -d your.public.ip.address 22:22 -j ACCEPT
# The above line is if you only want ssh connections from the inside
$IPCHAINS -A public -p TCP -y -d your.public.ip.address 22:22 -j ACCEPT
# This line is if you want ssh connections from anywhere
Regards

WaRcHiLd


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
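As an added example that is not part of the original post: a small lint that catches the kind of slip in the post's "-j clients" line (the chain was created as "internal"), by checking that every -j target in an ipchains script is either a built-in target or a chain created with -N. It assumes the script refers to ipchains via $IPCHAINS as the post does; the sample script it reads is constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): lint an ipchains script for
# jumps (-j NAME) to user chains never created with -N NAME. Reads the script
# on stdin, prints each undefined target, exits 1 if any were found.
lint_chains() {
    awk '
        {
            sub(/#.*/, "")                      # drop trailing comments
            for (i = 1; i < NF; i++) {
                if ($i == "-N") defined[$(i + 1)] = 1   # user chain created
                if ($i == "-j") used[$(i + 1)] = 1      # jump target used
            }
        }
        END {
            # ipchains built-in targets that need no -N
            split("ACCEPT DENY REJECT MASQ REDIRECT RETURN", b, " ")
            for (k in b) builtin[b[k]] = 1
            bad = 0
            for (c in used)
                if (!(c in builtin) && !(c in defined)) {
                    print "undefined chain: " c
                    bad = 1
                }
            exit bad
        }'
}

# Constructed sample mirroring the post's setup, typo included.
SAMPLE=$(cat <<'EOF'
IPCHAINS=/sbin/ipchains
$IPCHAINS -P input DENY
$IPCHAINS -A input -p TCP ! -y -j ACCEPT
$IPCHAINS -A input -i lo -j ACCEPT
$IPCHAINS -N public
$IPCHAINS -N internal
$IPCHAINS -N icmpchk
$IPCHAINS -A input -i eth0 -j public
$IPCHAINS -A input -i eth1 -j clients   # chain was created as "internal"
$IPCHAINS -A public -p TCP -d 192.0.2.1 22:22 -j ACCEPT
EOF
)

# Reports "undefined chain: clients" and returns 1
printf '%s\n' "$SAMPLE" | lint_chains || echo "fix the script before loading it"
# After correcting the jump the lint is silent and returns 0
printf '%s\n' "$SAMPLE" | sed 's/-j clients/-j internal/' | lint_chains && echo "chains consistent"
```

Run it against the real script with `lint_chains < rc.firewall` before loading it; a missing -N only shows up as a runtime error from ipchains otherwise.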