Re: [SLUG] ipchains stuff
On Sat, Jun 17, 2000 at 11:50:26PM +1000, Chuck Dale wrote:
> > you might want to 'ipchains -A -s 0/0 -d 0/0 -j DENY -l' at the end of
> > each new define to catch what's left over.
>
> ipchains -P chain DENY

That only works for inbuilt chains;

ipchains -A chain -j DENY -l

is better (or without logging `-l').

Anand
-- 
SLUG - Sydney Linux Users Group Mailing List - http://www.slug.org.au
To unsubscribe send email to [EMAIL PROTECTED] with unsubscribe in the text
Re: [SLUG] ipchains stuff
> As I've spent days mucking around with ipchains and still seem to muck
> things up.

What exactly is it that you're having problems with?

> I thought I'd ask a few questions to clarify my ideas on ipchains and how
> it should best be set up in a particular situation. Is the following a
> good way to think about the ipchains rules?
>
> Define a new chain name:
> ipchains -N dmz-bad
>
> Define the new chain route/direction of packets, i.e. if going from ip -
> from interface - to ip - jump to dmz-bad:
> ipchains -A input -s 1.2.3.4 -i eth0 -d 5.6.7.8 -j dmz-bad
>
> Define the rules for the ports in dmz-bad:
> ipchains -A dmz-bad -p tcp --sport 80 --dport 80 -j ACCEPT
>
> Does this make sense or is there a hole somewhere? Disregarding the
> default rules of course.

That looks right. ipchains has a top-down approach to filtering packets, or at least ipchains 1.3.5 has. You really have to think about what you want to do from the top, and then to the bottom. You might want to 'ipchains -A -s 0/0 -d 0/0 -j DENY -l' at the end of each new define to catch what's left over.

I usually filter out ports first (rather than by ip) in the input chain, starting from general stuff to more complex filtering towards the bottom.
Re: [SLUG] ipchains stuff
> you might want to 'ipchains -A -s 0/0 -d 0/0 -j DENY -l' at the end of
> each new define to catch what's left over.

ipchains -P chain DENY

Should stop the rest.

Chuck
[SLUG] ipchains stuff
Hi slugs,

As I've spent days mucking around with ipchains and still seem to muck things up, I thought I'd ask a few questions to clarify my ideas on ipchains and how it should best be set up in a particular situation. Is the following a good way to think about the ipchains rules?

Define a new chain name:
ipchains -N dmz-bad

Define the new chain route/direction of packets, i.e. if going from ip - from interface - to ip - jump to dmz-bad:
ipchains -A input -s 1.2.3.4 -i eth0 -d 5.6.7.8 -j dmz-bad

Define the rules for the ports in dmz-bad:
ipchains -A dmz-bad -p tcp --sport 80 --dport 80 -j ACCEPT

Does this make sense or is there a hole somewhere? Disregarding the default rules of course.