Hello Group, I have been running ipchains on a Debian Potato for a while now. Everything seems to be working great. I do however wonder how secure my firewall really is. Being a newbie to Linux I have a few questions. I am using a proxy, and when I tell my clients not to use the proxy they still can. Should that be happening? Also I want to use the modules ip_masq_icq, ip_masq_ftp etc. Shouldn't I make a rule to DENY all outbound internet traffic to make the most of the mods? Basically I want a firewall that not only filters incoming but outgoing. I have attached my firewall script. Please look at it and give me your opinion. Any help would be great.
--
If Windows is the answer, then I want the problems back! Powered by Debian GNU/Linux. http://www.debian.org
#!/bin/sh
MY_IP=63.207.XXX.XXX

echo -n "Enabling Firewall.."

# Flush ipchains configuration
ipchains -F

# IP spoofing protection: loopback and our own address may only arrive on lo
ipchains -A input -j REJECT -s 127.0.0.0/8 -i ! lo
ipchains -A input -j REJECT -s $MY_IP -i ! lo

# Block FTP
/sbin/ipchains -A input -s 0.0.0.0/0 -d $MY_IP ftp -p tcp -j REJECT
/sbin/ipchains -A input -s 0.0.0.0/0 -d $MY_IP ftp-data -p tcp -j REJECT
# Allow local network in to FTP
/sbin/ipchains -I input 1 -s 192.168.1.0/24 -d $MY_IP ftp -p tcp -j ACCEPT
/sbin/ipchains -I input 1 -s 192.168.1.0/24 -d $MY_IP ftp-data -p tcp -j ACCEPT

# Block Telnet
/sbin/ipchains -A input -s 0.0.0.0/0 -d $MY_IP telnet -p tcp -j REJECT
# Allow local network in to telnet
/sbin/ipchains -I input 1 -s 192.168.1.0/24 -d $MY_IP telnet -p tcp -j ACCEPT

# Block SecureShell
/sbin/ipchains -A input -s 0.0.0.0/0 -d $MY_IP 22 -p tcp -j REJECT
# Allow local network in to ssh
/sbin/ipchains -I input 1 -s 192.168.1.0/24 -d $MY_IP 22 -p tcp -j ACCEPT
# Allow aphro in to ssh
/sbin/ipchains -I input 1 -s 209.162.145.0/24 -d $MY_IP 22 -p tcp -j ACCEPT
/sbin/ipchains -I input 1 -s 209.102.24.0/24 -d $MY_IP 22 -p tcp -j ACCEPT
/sbin/ipchains -I input 1 -s 216.228.68.0/24 -d $MY_IP 22 -p tcp -j ACCEPT
# Allow neutec in to ssh
/sbin/ipchains -I input 1 -s 63.196.XXX.XXX/24 -d $MY_IP 22 -p tcp -j ACCEPT

# Block connections to lpd
/sbin/ipchains -A input -s 0.0.0.0/0 -d $MY_IP printer -p tcp -j REJECT
# Allow connections from local network to printer
/sbin/ipchains -I input 1 -s 192.168.1.0/24 -d $MY_IP printer -p tcp -j ACCEPT

# Block connections to pop3
/sbin/ipchains -A input -s 0.0.0.0/0 -d $MY_IP 110 -p tcp -j REJECT
# Allow connections from local network to pop3
/sbin/ipchains -I input 1 -s 192.168.1.0/24 -d $MY_IP 110 -p tcp -j ACCEPT

# Block connections to Finger service
/sbin/ipchains -A input -s 0.0.0.0/0 -d $MY_IP 79 -p tcp -j DENY

# Block connections to NetBIOS
/sbin/ipchains -A input -s 0.0.0.0/0 -d $MY_IP 139 -p tcp -j DENY
/sbin/ipchains -A input -s 0.0.0.0/0 -d $MY_IP 139 -p udp -j DENY

# Block connections to HTTP
/sbin/ipchains -A input -s 0.0.0.0/0 -d $MY_IP 80 -p tcp -j DENY

# Block Ident
/sbin/ipchains -A input -s 0.0.0.0/0 -d $MY_IP 113 -p tcp -j DENY

# Block HTTPS
/sbin/ipchains -A input -s 0.0.0.0/0 -d $MY_IP 443 -p tcp -j DENY

# Block IMAP
/sbin/ipchains -A input -s 0.0.0.0/0 -d $MY_IP 143 -p tcp -j DENY

echo -n "Enabling IP Masqing for 192.168.1.0 Network .."
# Default-deny the forward chain, then masquerade the LAN.
# /24 covers the 192.168.1.0 LAN; a /0 mask would match every source address.
ipchains -P forward DENY
ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
echo "done."

echo -n "Turning on IP Forwarding .."
echo "1" >/proc/sys/net/ipv4/ip_forward
echo "done."
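The forward chain in the script above has a DENY policy, but its single MASQ rule matches every destination, port and protocol, so anything a LAN host sends is masqueraded straight out; that is the condition under which clients can ignore a proxy, and the one the post's outbound question is about. The Python script below is an added example, not part of the original post and not an ipchains tool: it parses the ipchains commands in a script (resolving simple VAR=value assignments such as MY_IP), checks that the forward chain is default-deny, and flags a MASQ rule whose source mask is /0 or whose destination is unrestricted. The two embedded scripts are constructed samples with made-up addresses; the strict variant masquerades only DNS and SMTP to show what a restricted outbound policy looks like.

```python
"""Static audit of an ipchains masquerading script (added example)."""
import ipaddress
import re
import shlex

ANY = "0.0.0.0/0"

# Constructed sample in the shape of the posted script (addresses are made up).
LEAKY_SCRIPT = """
MY_IP=198.51.100.10
ipchains -F
ipchains -A input -j REJECT -s 127.0.0.0/8 -i ! lo
ipchains -A input -s 0.0.0.0/0 -d $MY_IP 22 -p tcp -j REJECT
ipchains -P forward DENY
ipchains -A forward -j MASQ -s 192.168.1.0/0 -d 0.0.0.0/0
"""

# Constructed variant: forward stays default-deny, only DNS and SMTP are masqueraded.
STRICT_SCRIPT = """
ipchains -P forward DENY
ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 53 -p udp -j MASQ
ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 25 -p tcp -j MASQ
"""


def _addr_and_port(toks, i):
    """Consume an ipchains '[!] address[/mask] [!] [port]' operand starting at toks[i]."""
    if toks[i] == "!":                      # negation is irrelevant to this audit
        i += 1
    addr, i = toks[i], i + 1
    if i < len(toks) and toks[i] == "!":
        i += 1
    port = None
    if i < len(toks) and not toks[i].startswith("-"):
        port, i = toks[i], i + 1            # optional port or service name
    return addr, port, i


def parse_rules(script):
    """Return one dict per ipchains rule/policy command found in the script text."""
    env, rules = {}, []
    for raw in script.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if re.match(r"[A-Za-z_]\w*=", line):            # shell variable assignment
            name, value = line.split("=", 1)
            env[name] = value.strip()
            continue
        toks = [env.get(t[1:], t) if t.startswith("$") else t for t in shlex.split(line)]
        if not toks or not toks[0].endswith("ipchains"):
            continue
        rule = {"cmd": None, "chain": None, "policy": None, "src": ANY, "dst": ANY,
                "sport": None, "dport": None, "proto": "all", "target": None}
        i = 1
        while i < len(toks):
            t = toks[i]
            if t in ("-A", "-I", "-D"):
                rule["cmd"], rule["chain"], i = t, toks[i + 1], i + 2
                if i < len(toks) and toks[i].isdigit():  # -I chain rulenum
                    i += 1
            elif t == "-P":
                rule["cmd"], rule["chain"], rule["policy"], i = t, toks[i + 1], toks[i + 2], i + 3
            elif t in ("-s", "-d"):
                addr, port, i = _addr_and_port(toks, i + 1)
                rule["src" if t == "-s" else "dst"] = addr
                rule["sport" if t == "-s" else "dport"] = port
            elif t == "-p":
                rule["proto"], i = toks[i + 1], i + 2
            elif t == "-j":
                rule["target"], i = toks[i + 1], i + 2
            elif t == "-i":
                i += 3 if toks[i + 1] == "!" else 2
            else:
                i += 1                                  # -F, -X and other flags
        if rule["cmd"]:
            rules.append(rule)
    return rules


def audit(rules):
    """Return findings about outbound exposure created by the forward chain."""
    findings = []
    if not any(r["cmd"] == "-P" and r["chain"] == "forward" and r["policy"] == "DENY"
               for r in rules):
        findings.append("forward chain is not default-deny: unmatched traffic is forwarded")
    for r in rules:
        if r["chain"] != "forward" or r["target"] != "MASQ":
            continue
        src = r["src"] if "/" in r["src"] else r["src"] + "/32"
        if ipaddress.ip_network(src, strict=False).prefixlen == 0:
            findings.append(f"MASQ source {r['src']} masks to /0 and matches every address")
        if r["dst"] == ANY and r["dport"] is None and r["proto"] == "all":
            findings.append("MASQ rule matches all destinations, ports and protocols: "
                            "LAN hosts reach the internet directly and can bypass the proxy")
    return findings


if __name__ == "__main__":
    for name, text in (("leaky", LEAKY_SCRIPT), ("strict", STRICT_SCRIPT)):
        print(name, audit(parse_rules(text)) or ["no findings"])
```

The audit only looks at the forward chain, because that is the chain masqueraded LAN traffic crosses; input-chain rules are parsed but not judged. Running it on your own script is a matter of reading the file into `parse_rules`.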

