On Mon, Mar 26, 2001 at 02:55:56PM -0300, Pedro Zorzenon Neto wrote:
> Hi all,
> 
> I have a computer with potato that is a gateway for my intranet. It has real 
> IP, while the intranet has 192.168.1.x IP's.
> Several services are running on it but I'd like only ssh, ntp and https to be 
> available to the outside world.
> 
> So, I thought this ipchains rules could help:
> 
> Chain input (policy REJECT):
> target     prot opt     source                destination           ports
> # accept everything from localhost
> ACCEPT     all  ------  127.0.0.1            0.0.0.0/0             n/a
> # reply ping packets
> ACCEPT     icmp ------  0.0.0.0/0            0.0.0.0/0             * ->   *
> # next 2 lines: accept tcp/udp all ports for internal network
> ACCEPT     tcp  ------  192.168.1.0/24       0.0.0.0/0             * ->   *
> ACCEPT     udp  ------  192.168.1.0/24       0.0.0.0/0             * ->   *
> # allow ssh from outside
> ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   22
> # allow ntp from outside
> ACCEPT     udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   123
> # allow https from outside
> ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   443
> # does not accept outside connections to postgres
> REJECT     tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   5432
> # these next 2 lines I didn't understand why, but someone told me to put it to 
> accept response packets. What is this???
> ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   1024:65535
> ACCEPT     udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   1024:65535
> Chain forward (policy MASQ):
> Chain output (policy ACCEPT):
> 
> Do you think that is a safe configuration for ipchains to protect the 
> computer from the outside world? why do I need the last 2 lines of input 
> chain?
It accepts all other traffic to non-privileged ports. I prefer to
allow only traffic without the SYN flag (i.e. packets that are not
initiating a new connection), not all misc traffic; it's more secure.
The way to do it is like:

# tcp: accept packets to unprivileged ports only when SYN is not set
# (replies to connections this host opened, not new inbound connections)
ipchains -A input -s 0/0 -d 0/0 1024:65535 -p tcp ! -y -j ACCEPT
# udp has no SYN flag, so "! -y" is only valid with -p tcp; this line
# accepts all udp to unprivileged ports
ipchains -A input -s 0/0 -d 0/0 1024:65535 -p udp -j ACCEPT


Read the ipchains howto for more info
-- 
,-------------------------------------------.
> Name:           Alson van der Meulen      <
> Personal:       [EMAIL PROTECTED]       <
> School:       [EMAIL PROTECTED]    <
`-------------------------------------------'
Nobody was using that file /vmunix, were they?
---------------------------------------------
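To see what the reply is getting at, here is a small Python model of the input chain from the post. This is an added example, not ipchains itself and not code from either poster: it walks the rules top to bottom with ipchains' first-match semantics and compares three variants of the chain (without the last two rules, with them as posted, and with the reply's `! -y` version). All addresses and packets are constructed samples; the model ignores interfaces, fragments and ICMP types.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source address (sample addresses below are constructed)
    dport: int = 0      # destination port (ignored for icmp)
    syn: bool = False   # tcp only: SYN set without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    target: str                            # "ACCEPT" or "REJECT"
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dports: Tuple[int, int] = (0, 65535)   # inclusive destination port range
    syn: Optional[bool] = None             # None: don't care; False: ipchains "! -y" (non-SYN only)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does one ipchains-style rule match this packet? (simplified model)"""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if pkt.proto in ("tcp", "udp") and not (rule.dports[0] <= pkt.dport <= rule.dports[1]):
        return False
    if rule.syn is not None and pkt.proto == "tcp" and pkt.syn != rule.syn:
        return False
    return True


def evaluate(chain, policy: str, pkt: Packet) -> str:
    """Walk the chain top to bottom; the first matching rule decides, else the policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


# The input chain from the post, minus its last two rules.
BASE = [
    Rule("ACCEPT", "all", "127.0.0.1"),
    Rule("ACCEPT", "icmp"),
    Rule("ACCEPT", "tcp", "192.168.1.0/24"),
    Rule("ACCEPT", "udp", "192.168.1.0/24"),
    Rule("ACCEPT", "tcp", dports=(22, 22)),
    Rule("ACCEPT", "udp", dports=(123, 123)),
    Rule("ACCEPT", "tcp", dports=(443, 443)),
    Rule("REJECT", "tcp", dports=(5432, 5432)),
]
# Variant 1: the two rules as posted (every unprivileged port open to new connections).
OPEN_HIGH_PORTS = [
    Rule("ACCEPT", "tcp", dports=(1024, 65535)),
    Rule("ACCEPT", "udp", dports=(1024, 65535)),
]
# Variant 2: the reply's suggestion, tcp only when SYN is not set. udp stays as it is,
# because udp has no SYN flag and ipchains has no connection tracking to narrow it.
NON_SYN_HIGH_PORTS = [
    Rule("ACCEPT", "tcp", dports=(1024, 65535), syn=False),
    Rule("ACCEPT", "udp", dports=(1024, 65535)),
]


def verdicts(pkt: Packet) -> dict:
    """Verdict for one packet under each variant of the input chain (policy REJECT)."""
    return {
        "no_tail": evaluate(BASE, "REJECT", pkt),
        "open_high": evaluate(BASE + OPEN_HIGH_PORTS, "REJECT", pkt),
        "non_syn_high": evaluate(BASE + NON_SYN_HIGH_PORTS, "REJECT", pkt),
    }


if __name__ == "__main__":
    samples = {
        "reply from remote https server to our client port": Packet("tcp", "203.0.113.10", 40000),
        "new tcp connection from outside to port 8080": Packet("tcp", "203.0.113.10", 8080, syn=True),
        "udp datagram from outside to port 5000": Packet("udp", "203.0.113.10", 5000),
        "ssh from outside": Packet("tcp", "203.0.113.10", 22, syn=True),
        "postgres from outside": Packet("tcp", "203.0.113.10", 5432, syn=True),
        "postgres from the intranet": Packet("tcp", "192.168.1.7", 5432, syn=True),
    }
    for label, pkt in samples.items():
        print(f"{label:52} {verdicts(pkt)}")
```

Running it shows both halves of the answer: without the last two rules, the reply to a connection the gateway itself opened (remote port 443 answering to a local port above 1024) hits the REJECT policy and the outgoing connection never works, which is why "someone" added them; with them as posted, a fresh SYN to any unprivileged port such as 8080 is accepted too, so any service listening there is exposed. The `! -y` form keeps the replies and drops the new connections. Note the udp case: it is accepted under every variant, because ipchains has no stateful matching for udp, so nothing should listen on unprivileged udp ports that you do not mean to expose.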