Firewall Wizards mailing list archives

Re: Help with ipchains rules


From: Marnix Petrarca <Marnix () DaemonLabs com>
Date: Fri, 26 Jan 2001 11:59:08 -0100
Hi,

take a (good) look at the home-networking how-to. It's not the Fortress
kind of ruleset, but it will get you up and running.
Basically the suggested ruleset says Deny all, but forward all local
packets and masq them. That way you will not have these problems (I
hope). You can load additional modules (ICQ, FTP, etc.) via
/sbin/modprobe ip_masq_icq and so on. After adjusting, run
sysctlconfig-gtk and under the options >Networking>ICMP>ICMP2 you can
adjust ICMP-response to your liking. Try marking all three options,
reboot and ping yourself again. You may like what you find. Don't
forget setting your nameserver to the user nobody and group nobody -
by default it's named.

For stronger rulesets, look at the IP-masquerading how-to. That will put
you on track.

Good luck and oh, use Nmap (www.insecure.org/nmap) for scanning, if you
didn't have it already.

Regards,

Marnix
DaemonLabs.com, The Netherlands
I'm a Swinger wrote:

Hello, I am running a Redhat 7.0 server (by itself, there are no computers
behind it) running DNS (to host my domain names for WWW), WWW, and SSH.  The
only open ports (judging by a nessus report) were 22, 53, 80, and 443 (I'd
like to shut down 443, but that's not a question for this particular list).
A friend gave me his ipchains ruleset to use, but when it's running I can not
ftp or lynx out of the machine (it's also supposed to drop all ping
requests, but it does not).  It (ftp or lynx) just hangs.  So I started
reading up on ipchains so that I could implement my own ruleset.  Judging by
the HOWTO (and the simple example given), I really only have to worry about
allowing incoming to 22, 53, and 80.  There were some issues with the ftp
(needing a port <1024), but I think if I run passive mode I can ignore them.
Now disregarding ip-spoofing and forwarding, I'm guessing that this is what
I would include in my ipchains (This is most likely wrong, which is why I'm
writing this letter):

~~
#(I'm substituting 123.123.123.123 for my real ip)
#I allow UDP/TCP packets in for DNS, TCP for WWW, and TCP for SSH
#(each rule goes on the input chain and matches the destination address/port)
ipchains -A input -p udp -d 123.123.123.123 dns -j ACCEPT
ipchains -A input -p tcp -d 123.123.123.123 dns -j ACCEPT
ipchains -A input -p tcp -d 123.123.123.123 www -j ACCEPT
ipchains -A input -p tcp -d 123.123.123.123 ssh -j ACCEPT

#Local-to-local packets are OK:
ipchains -A input -i lo -j ACCEPT

#Now, my default policy on the input chain is DENY, so everything else gets
#dropped:
ipchains -P input DENY
~~

Now this seems far too simple to me to be what I need.  Can anyone help
explain to me what I need to allow to simply run DNS, WWW, and SSH?  I want
to allow access to those, and block everything else.  The only thing else I
have to do is occasional use of lynx (I could probably do without that
actually) and ftp (I need to access updates.redhat.com, etc.).
Any help with this matter (along with a cc to my address
imaswinger () hotmail com because I may not be on the mailing list just yet - I
don't know how long it takes) would be extremely appreciated.

Curtis

PS - I apologize for the long-windedness of this letter (and its postscript
:-), I just wanted to give as much info as possible.
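The input-chain ruleset Curtis describes (inbound DNS/WWW/SSH, everything else denied, outbound lynx and passive ftp still working, pings unanswered), written out as an added example that is not from either post. It assumes a 2.2 kernel with ipchains, the external interface on eth0, the placeholder address 123.123.123.123, and an IPCHAINS variable that can be pointed at echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the list thread. Assumed: 2.2 kernel, ipchains,
# external interface eth0. Set IPCHAINS=echo to print rules without applying.
IPCHAINS="${IPCHAINS:-ipchains}"

ic() { "$IPCHAINS" "$@"; }

apply_rules() {
    me="$1"                        # our own address, e.g. 123.123.123.123

    ic -F input
    ic -P input DENY                                 # default: drop everything
    ic -A input -i lo -j ACCEPT                      # loopback is always fine
    ic -A input -i eth0 -s "$me" -j DENY -l          # our address arriving from outside: spoofed, log it

    # Services we actually offer: match the destination address and port.
    ic -A input -p udp -d "$me" 53 -j ACCEPT
    ic -A input -p tcp -d "$me" 53 -j ACCEPT
    ic -A input -p tcp -d "$me" 80 -j ACCEPT
    ic -A input -p tcp -d "$me" 22 -j ACCEPT

    # ipchains is stateless, so replies to our own outbound connections (lynx,
    # passive ftp, ssh out) must be allowed explicitly. A packet without SYN
    # (! -y) cannot open a new connection toward us; restrict it further to
    # unprivileged ports, where client sockets live. Active-mode ftp would
    # need an inbound SYN from port 20 to a high port, which this does not allow.
    ic -A input -p tcp ! -y -d "$me" 1024:65535 -j ACCEPT
    # Answers to our resolver's queries come back from remote port 53. This is
    # the price of statelessness: any UDP with source port 53 is let in.
    ic -A input -p udp -s 0/0 53 -d "$me" -j ACCEPT

    # ICMP: deny echo-request so the box does not answer pings, but keep the
    # error types that TCP and path-MTU discovery rely on.
    ic -A input -p icmp --icmp-type echo-request -j DENY
    ic -A input -p icmp --icmp-type echo-reply -j ACCEPT
    ic -A input -p icmp --icmp-type destination-unreachable -j ACCEPT
    ic -A input -p icmp --icmp-type time-exceeded -j ACCEPT
    ic -A input -p icmp --icmp-type source-quench -j ACCEPT

    ic -A input -j DENY -l         # log whatever falls through before the policy drops it
}

if [ "$1" = "--apply" ]; then
    apply_rules "$2"
fi
```

Run it as `sh firewall.sh --apply 123.123.123.123` from rc.local, or with `IPCHAINS=echo` first to review the generated rules.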

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

