In message <1016230298.20826.8.camel@garcon>, Luke Scharf writes:
>I have a machine that's running Debian Potato a web server and an
>ipmasq.  The machine has an "internal" and "external" network card.  The
>internal network runs on 10.0.0.0/24 and the external network has a
>static IP address.
>
>I've apt-get install'd the ipmasq package and the IPMasq functionality
>works great.  What I'd like to do now is to use ipchains to do the
>following:
>1. On the external interface, I would like to only accept traffic from
>port 22 and port 80.
>2. The internal interface should be wide open - the internal network we
>trust the users who are physically in the room not to be malicious.

The ipmasq package sets up things pretty open, so all you need to do is lock
down the external interface.  Just make a copy of the 
/etc/ipmasq/rules/I90external.def file as I90external.rul and add lines.
Here's the netfilter section of my I90external.rul file.  As configured it
allows ssh, smtp, dns (both tcp and udp) and http traffic.

        netfilter)
            # Stateful rule first: packets belonging to connections we already know
            # about (and related ones, e.g. ICMP errors) are let in.
            $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/32 -m state --state ESTABLISHED,RELATED
            # NEW connections only to the services this host offers: ssh, smtp, dns, http
            $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/32 -p tcp --dport 22:22 -m state --state NEW
            $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/32 -p tcp --dport 25:25 -m state --state NEW
            $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/32 -p tcp --dport 53:53 -m state --state NEW
            $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/32 -p udp --dport 53:53
            $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/32 -p tcp --dport 80:80 -m state --state NEW
            # Same stateful rule for traffic addressed to the interface's broadcast address, if it has one
            if [ -n "$BCOFIF" ]; then
                $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $BCOFIF/32 -m state --state ESTABLISHED,RELATED
            fi
            ;;

Since there's no general accept line here (it used to be that first line, but
I changed it to use state), anything that doesn't match falls through and is
denied.  You may also want to add '-m state --state ESTABLISHED,RELATED' to
the ACCEPT line in I90extbcast.def as well; otherwise you'll end up
allowing general broadcast packets.  If you want to be excessively paranoid,
you'll want a rule that re-assembles any fragments.  I have an I85fragments.rul
file that does this.  Here's the relevant line:
    $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -f

-- 
Ted Cabeen           http://www.pobox.com/~secabeen
Check Website or Keyserver for PGP/GPG Key BA0349D2
"I have taken all knowledge to be my province." -F. Bacon
"Human kind cannot bear very much reality." -T.S. Eliot
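A way to check a rule file like the one above before loading it, added here as an example (not code from the reply or from the ipmasq package): the netfilter branch is wrapped in a function, IPTABLES is pointed at echo so the rules are printed instead of applied, and a small audit counts any catch-all ACCEPT rule that carries neither a state match nor a protocol. It assumes ipmasq invokes the rule file with i, IPOFIF and BCOFIF set to the interface, its address and its broadcast address, as the variables in the reply suggest; the addresses and the old-style rule set are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the reply or of the ipmasq package.
# Assumption: ipmasq runs the rule file with i (interface, possibly an alias
# such as eth0:1), IPOFIF (its address) and BCOFIF (its broadcast) set.
# With IPTABLES=echo the rules are printed instead of loaded into the kernel.
IPTABLES=${IPTABLES:-echo}

# Print the stateful external-interface rules for one interface.
# $1 interface, $2 its address, $3 broadcast address or "", remaining
# arguments: TCP ports that may receive NEW connections. Nothing else is
# accepted, so unmatched packets fall through to the chain policy.
external_rules() {
    i=$1; IPOFIF=$2; BCOFIF=$3; shift 3
    ifname=${i%%:*}   # strip an alias suffix: rules match the real interface
    $IPTABLES -A INPUT -j ACCEPT -i "$ifname" -d "$IPOFIF/32" \
        -m state --state ESTABLISHED,RELATED
    for port in "$@"; do
        $IPTABLES -A INPUT -j ACCEPT -i "$ifname" -d "$IPOFIF/32" \
            -p tcp --dport "$port" -m state --state NEW
    done
    if [ -n "$BCOFIF" ]; then
        $IPTABLES -A INPUT -j ACCEPT -i "$ifname" -d "$BCOFIF/32" \
            -m state --state ESTABLISHED,RELATED
    fi
}

# Read rule lines on stdin and count ACCEPT rules that have neither a
# state match nor a protocol: the "general accept line" the reply warns about.
count_catchall_accepts() {
    grep -- '-j ACCEPT' | grep -v -- '-m state' | grep -vc -- '-p '
}

# Constructed sample of an old-style rule set that still has a general accept.
OLD_RULES='iptables -A INPUT -j ACCEPT -i eth0 -d 192.0.2.10/32
iptables -A INPUT -j ACCEPT -i eth0 -d 192.0.2.10/32 -p tcp --dport 22:22'

# Usage: show the generated rules for an aliased interface, then audit both sets.
external_rules eth0:1 192.0.2.10 192.0.2.255 22 80
echo "catch-all accepts in old rules: $(printf '%s\n' "$OLD_RULES" | count_catchall_accepts)"
echo "catch-all accepts in generated rules: $(external_rules eth0 192.0.2.10 '' 22 80 | count_catchall_accepts)"
```

Running the real I90external.rul the same way (IPTABLES=echo, with the variables set by hand) shows the exact commands ipmasq would execute, which is the quickest way to confirm the rule order and that no unconditional ACCEPT survived an edit.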