Hi. My network situation:

  192.168.1.0/24             192.168.1.1      194.24.227.236
  Sistel company LAN --------- (eth0) linux firewall (ppp0) ------------ internet

My ipchains configuration:

---------------- cat begin -------------------
# Flush ipchains
ipchains -F
ipchains -X

# create SISTEL--INTERNET
ipchains -N s--i

# everything passing from SISTEL to the INTERNET
ipchains -A forward -s 192.168.1.0/24 -i ppp0 -j s--i
ipchains -A forward -j DENY -l
ipchains -A s--i -s 192.168.1.20 -j DENY
ipchains -A s--i -s 192.168.1.21 -j DENY
ipchains -A s--i -p tcp --dport www -j MASQ
ipchains -A s--i -p tcp --dport pop3 -j MASQ
ipchains -A s--i -p tcp --dport ftp -j MASQ
ipchains -A s--i -p tcp --dport domain -j MASQ
ipchains -A s--i -p udp --dport domain -j MASQ
ipchains -A s--i -p icmp --icmp-type ping -j MASQ
ipchains -A s--i -p udp --dport 33434:33500 -j MASQ
ipchains -A s--i -j DENY

# definition of ICMP-ACCEPT
ipchains -N icmp-acc
ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT

# create SISTEL-INTERFACE, INTERNET-INTERFACE
ipchains -N s-if
ipchains -N i-if

# rules for INTERNET-INTERFACE
ipchains -A input -d 194.24.227.236 -j i-if
ipchains -A i-if -s 194.24.224.0/27 -j ACCEPT
ipchains -A i-if -i ! ppp0 -j DENY -l
ipchains -A i-if -p TCP --dport 61000:65095 -j ACCEPT
ipchains -A i-if -p UDP --dport 61000:65095 -j ACCEPT
ipchains -A i-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A i-if -p ICMP --icmp-type ping -j ACCEPT
ipchains -A i-if -j icmp-acc
ipchains -A i-if -j DENY -l

# rules for SISTEL-INTERFACE
ipchains -A input -d 192.168.1.1 -j s-if
ipchains -A s-if -i ! eth0 -j DENY -l
ipchains -A s-if -p ICMP --icmp-type ping -j ACCEPT
ipchains -A s-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A s-if -j icmp-acc
ipchains -A s-if -j DENY -l

# list the firewall rules
ipchains -L -n
---------------------------cat end-------------------------------

Is it possible to allow all connections from the firewall to the internet? For example, the firewall acting as an FTP client. But all access from the Internet to the firewall must still be DENIED.

Thank you for your help!

-- 
Best regards,
Michal Kolesar
+420 608 225025
[EMAIL PROTECTED]
http://www.egarden.cz server of free unix services

