Ok, I think I have decided on which packages to install. What do you think?

Base system (no profiles or tasks)
exim/smail acting as a mail server
squid for web caching
httpd for internal use only
gcc temporarily for kernel recompile
and ipchains

Can anyone take a look at my ipchains rules and tell me if they are ok? I did the rules from the ipchains howto but I'm not sure if I got them right. I have attached them to this email.

Thanks again for everyone's help and advice.

Regards
Graham Lillico

#!/bin/bash
#
# Deny Everything
#
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
#
# Flush Previous Rules
# (moved ahead of chain creation: flushing input/output after the jump
# rules are added would delete the jumps into ppp-in and ppp-out)
#
ipchains -F
# Delete user-defined chains left from a previous run so -N succeeds
ipchains -X
#
# Create ppp-in Chain
# (user-defined chains cannot take a -P policy; packets that match no
# rule here return to input and are dropped by its DENY policy)
#
ipchains -N ppp-in
ipchains -A input -i ppp0 -j ppp-in
#
# Create ppp-out Chain
# (no -P here either; unmatched packets fall back to output's DENY policy)
#
ipchains -N ppp-out
ipchains -A output -i ppp0 -j ppp-out
#
# Prevent IP Spoofing
#
ipchains -A ppp-in -s 192.168.0.0/24 -l -j DENY
ipchains -A ppp-in -s 10.0.0.0/24 -l -j DENY
ipchains -A ppp-in -s 127.0.0.0/24 -l -j DENY
#
ipchains -A input -i eth0 -s ! 192.168.2.0/24 -j DENY
ipchains -A input -i ! eth0 -s 192.168.2.0/24 -j DENY
#
# Allow Unlimited Local Network Usage
#
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
ipchains -A output -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#
# Allow Local Network Access To Internet Services
# (! -y accepts only packets that are not connection-opening SYNs,
# i.e. replies to connections started from this side)
#
ipchains -A ppp-in -p tcp ! -y -s 0.0.0.0/0 telnet -i ppp0 -j ACCEPT
ipchains -A ppp-out -p tcp -i ppp0 -d 0.0.0.0/0 telnet -j ACCEPT
#
ipchains -A ppp-in -p tcp ! -y -s 0.0.0.0/0 www -i ppp0 -j ACCEPT
ipchains -A ppp-out -p tcp -i ppp0 -d 0.0.0.0/0 www -j ACCEPT
#
ipchains -A ppp-in -p tcp ! -y -s 0.0.0.0/0 ftp -i ppp0 -j ACCEPT
ipchains -A ppp-out -p tcp -i ppp0 -d 0.0.0.0/0 ftp -j ACCEPT
#
ipchains -A ppp-in -p tcp -s 0.0.0.0/0 ftp-data -i ppp0 -j ACCEPT
ipchains -A ppp-out -p tcp -i ppp0 -d 0.0.0.0/0 ftp-data -j ACCEPT
#
ipchains -A ppp-in -p tcp ! -y -s 0.0.0.0/0 smtp -i ppp0 -j ACCEPT
ipchains -A ppp-out -p tcp -i ppp0 -d 0.0.0.0/0 smtp -j ACCEPT
#
ipchains -A ppp-in -p tcp ! -y -s 0.0.0.0/0 pop3 -i ppp0 -j ACCEPT
ipchains -A ppp-out -p tcp -i ppp0 -d 0.0.0.0/0 pop3 -j ACCEPT
#
ipchains -A ppp-in -p udp -s 0.0.0.0/0 domain -i ppp0 -j ACCEPT
ipchains -A ppp-out -p udp -i ppp0 -d 0.0.0.0/0 domain -j ACCEPT
#
# Deny Access To Specific Hosts/Services
#

