On Tue, Mar 28, 2000 at 11:25:39AM -0800, Simon Martin wrote: > I started off with the following > > echo 0 > /proc/sys/net/ipv4/ip_forward > > iphains -P input REJECT > ipchains -A input -j ACCEPT -s localhost > ipchains -A input -j ACCEPT -s localnet/24 > > ipchains -P forward REJECT > ipchains -A forward -j MASQ -s localnet/24 > > ipchains -P output ACCEPT
I'd set the default policies to DENY instead of REJECT. DENY drops the packet with no other action. REJECT is more polite and tells the other end the connection isn't allowed. I'm not sure your firewall needs to be polite. Try something like this (untested, but hacked from a working config) # ipchains stuff before bringing up interfaces # flush rules and set default to DENY, must explicitly enable services ipchains -F input ipchains -P input DENY ipchains -F forward ipchains -P forward DENY # block private addresses from default route ipchains -A input -j DENY -i ppp0 -s 10.0.0.0/8 ipchains -A input -j DENY -i ppp0 -s 172.16.0.0/12 ipchains -A input -j DENY -i ppp0 -s 192.168.0.0/16 # allow incoming dns connections ipchains -A input -j ACCEPT -i ppp0 -s $NAMESERVER1/32 53 -p tcp ipchains -A input -j ACCEPT -i ppp0 -s $NAMESERVER1/32 53 -p udp # allow ssh in both directions ipchains -A input -j ACCEPT --dport ssh -p tcp ipchains -A input -j ACCEPT --dport ssh -p udp # accept responses from internet ipchains -A input -j ACCEPT -i ppp0 -p tcp ! -y # masquerade internal net out to internet ipchains -A forward -j MASQ -s localnet/24 # turn on ip forwarding echo "1" > /proc/sys/net/ipv4/ip_forward > > What I expected was "input will accept anything from my local net, forward > will masquerade everything from my localnet, output will send anything". > > Unfortunately this did not work. The configuration I have now is: > > echo 1 > /proc/sys/net/ipv4/ip_forward > > iphains -P input REJECT > ipchains -A input -j ACCEPT -s localhost > ipchains -A input -j ACCEPT -s localnet/24 > ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 www -p tcp > ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 ftp -p tcp > ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 ftp-data -p tcp > ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 domain -p udp > ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 smtp -p tcp > ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 pop-3 -p tcp > > ipchains -P forward REJECT > ipchains -A forward -j MASQ -s localnet/24 > ipchains -A forward -j MASQ -d localnet/24 > > ipchains -P output ACCEPT > > This now works, but I find it very permissive. Anyone connecting from socket > 80 on a remote machine can connect to my telnet port!!! > > I have 2 main questions: > > 1) What am I doing wrong? > 2) I am about to update my kernel to linux-2.3.99-pre3 for other reasons. > What will security be like on this? > > TIA > > > __ _ Debian GNU User > / /(_)_ __ _ ___ __ Simon Martin > / / | | '_ \| | | \ \/ / Project Manager > / /__| | | | | |_| |> < Isys > \____/_|_| |_|\__,_/_/\_\ mailto: [EMAIL PROTECTED] > > There is a chasm of carbon and silicon the software cannot bridge > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > -- Lee Bradshaw [EMAIL PROTECTED] (preferred) Alantro Communications [EMAIL PROTECTED]
