Linux-Networking Digest #366, Volume #12 Thu, 26 Aug 99 00:13:49 EDT
Contents:
To set up to the internet ("Semegne Tafesse")
Re: Can an ISP detect masquerading? ("Scott Simpson")
Re: Password Syncing between Linux and NT (Charles Weber)
Re: remote lp printing disappearing in bit bucket (Tom Eastep)
Netscape connection problem ("clpchen")
Re: Firewall Rules (Mark Post)
----------------------------------------------------------------------------
From: "Semegne Tafesse" <[EMAIL PROTECTED]>
Subject: To set up to the internet
Date: Wed, 25 Aug 1999 22:16:18 -0400
I do have an internet provider but I cannot use it on Red Hat 5.2. Red
Hat does not recognize the modem; I used the same PPP number and it does not
work out yet.
Please give me your help.
Thank you
Semegne
------------------------------
From: "Scott Simpson" <[EMAIL PROTECTED]>
Subject: Re: Can an ISP detect masquerading?
Date: Wed, 25 Aug 1999 19:17:52 -0700
Tom Verbeure <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> a tech-guy of my ISP claims that they are able to detect a host running
> Linux IP masquerading (and, of course, that it is forbidden by their
> policy to use this.) Is this true? Are there network expert here who can
> comment on this?
This sounds like bullcrap. How would they know? When you masquerade, Linux
just opens a new port on your box on the Internet side and notes that it is
a masquerade port. The receiving side has no idea whether this port is a
masquerade port or not. Also, there is nothing in an IPv4 packet that says
the box is using masquerading. Correct me if I'm wrong.
Scott
------------------------------
From: Charles Weber <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux,comp.os.linux.admin,comp.os.linux.help
Subject: Re: Password Syncing between Linux and NT
Date: Thu, 26 Aug 1999 02:43:27 GMT
Devin Stewart wrote:
>
> I have a company that uses RH 6.0 for their E-mail server and NT for
> their file and print services. As much as I would love to get rid of
> the NT, it doesn't look like an option. My question is, is there any
> way to sync up user accounts and passwords between the two OSes. Right
> now I have set all of the users shells on the linux box to be
> /usr/bin/passwd and made a shortcut to telnet into the box to change
> it. If it was the same as their NT password, this would be a lot less
> confusing for them.
>
> Devin
Check out the pam smb module. We use it to authenticate our dialin
users on a Linux box onto our NT domain. It works like a charm and once
set up you never touch it.
------------------------------
From: Tom Eastep <[EMAIL PROTECTED]>
Subject: Re: remote lp printing disappearing in bit bucket
Date: Thu, 26 Aug 1999 02:53:32 +0000
Wes McClain wrote:
>
> My printer is connected to my RH6.0 machine(ganesh). Set up as follows:
>
> lp:\
> :sd=/var/spool/lpd/lp:\
> :mx#0:\
> :sh:\
> :lp=/dev/lp0:\
> :if=/var/spool/lpd/lp/filter:
>
> Works fine locally and when accessed via samba. However, when I try to
> print to it from my RH5.2 system(shiva) it goes nowhere. The lpd on
> shiva kicks in and the lights on the network hub flash and the drive
> light on ganesh comes on for a second, and then nothing. No left over
> files or anything from the printer. Both machines have samba running,
> and if I configure the printer on ganesh as an smb printer from shiva, it
> works fine, so the problem doesn't appear to be on the ganesh side.
>
> Here's what i've tried in the printcap file on shiva:
>
> lp:rm=ganesh
>
> and
>
> lp:\
> :rm=ganesh\
> :rp=/var/spool/lpd/lp:
>
> both of which have exactly the same result -- apparent pass off to
> ganesh, but then the print file just vanishes into the bit bucket.
>
> Anyone have any ideas as to what's going on? According to the books and
> docs I have on hand, the first try should have worked, but they are a
> bit on the old side...
Be sure that the printer (on the system that the printer is attached to)
isn't defined with the 'rs' option (in /etc/printcap). Also, the lpd
included in the RH distribution seems to require all users forwarding
printed output to be defined on the system where the printer actually
lives. You can either define all users there or search deja.news for a
patch that I posted 12-18 months ago that circumvents this problem (I
just looked for it on my systems and didn't find it - I finally started
just defining everyone on the printer's system).
-Tom
--
Tom Eastep | Opinions expressed here
[EMAIL PROTECTED] | are my own and not
Work: [EMAIL PROTECTED] | those of my employer
Shoreline, Washington USA |
------------------------------
From: "clpchen" <[EMAIL PROTECTED]>
Subject: Netscape connection problem
Date: Wed, 25 Aug 1999 21:57:26 -0500
Hi,
I can connect to my ISP (MSN), but I cannot use Netscape 4.61 to connect to
other Web sites. Can anyone help me solve this problem? Thanks in advance.
I am using Linux Mandrake 6.0.
------------------------------
From: [EMAIL PROTECTED] (Mark Post)
Subject: Re: Firewall Rules
Date: Thu, 26 Aug 1999 02:28:17 GMT
On Wed, 25 Aug 1999 15:23:48 -0000, "Robert_Glover"
<Please_reply_to@newsgroup> wrote:
-snip-
>PS. Okay, some of that was tongue-in-cheek -- I'm not really that bad,
>but I do want to see the "paranoid" rules.
Here's what I created today by using the web-based tool at
http://rlz.ne.mediaone.net/linux/firewall/index.html
#
#============================================================================
# Copyright (C) 1997, 1998, 1999 Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development. This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis. He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
#============================================================================
#
# /etc/rc.d/rc.firewall
# Invoked from /etc/sysconfig/network-scripts/ifdhcpc-done.
echo "Starting firewalling... "
# Some definitions for easy maintenance.
ANYWHERE="any/0"
#============================================================================
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
EXTERNAL_INTERFACE="eth0" # whichever you use
LOCAL_INTERFACE_1="eth1" # whichever you use
LOCALNET_1="192.168.0.10/24" # whatever private range you use
SMTP_SERVER="any/0" # Your external server. Your relay.
POP_SERVER="pop.server.com" # Your external server.
NEWS_SERVER="news.server.com"
WEB_PROXY_SERVER="proxy.server.com"
NAMESERVER_1="123.456.78.91"
NAMESERVER_2="123.456.79.91"
#============================================================================
IPADDR="123.45.67.89"
LOOPBACK_INTERFACE="lo"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
MULTICAST="240.0.0.0/3"
BROADCAST_0="0.0.0.0"
BROADCAST_1="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
RESTRICTED_PORTS="2049" # (TCP/UDP) NFS
RESTRICTED_OPENWINDOWS="2000" # (TCP) openwindows
OPENWINDOWS_EXCEPTION="my.openwindows.machine"
# X Windows port allocation begins at 6000 and increments
# for each additional server running.
RESTRICTED_XWINDOWS="6000:6001" # (TCP) X windows
XWINDOWS_EXCEPTION="my.xwindows.machine"
# SSH starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
SSH_PORTS="1020:1023" # range for SSH privileged ports
#============================================================================
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections
# Remove all existing rules belonging to this filter
ipchains -F
# Set the default policy of the filter to deny.
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
#============================================================================
# Network Ghouls
# Deny access to jerks
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
# rules to block from any access.
# Refuse any connection from problem sites
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
. /etc/rc.d/rc.firewall.blocked
fi
#============================================================================
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse spoofed packets pretending to be to or from the external address.
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -l -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -d $IPADDR -l -j REJECT
# Refuse packets claiming to be to or from a Class A private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -l -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -l -j REJECT
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -l -j REJECT
# Refuse packets claiming to be to or from a Class B private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -l -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -l -j REJECT
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -l -j REJECT
# Refuse packets claiming to be to or from a Class C private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -l -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -l -j REJECT
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -l -j REJECT
# Refuse packets claiming to be to or from the loopback interface
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $LOOPBACK -l -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -l -j REJECT
ipchains -A output -i $EXTERNAL_INTERFACE -d $LOOPBACK -l -j REJECT
# Refuse broadcast address SOURCE packets
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_1 -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_0 -l -j DENY
# Refuse multicast/anycast/broadcast addresses (in.h) (NET-3-HOWTO)
ipchains -A input -i $EXTERNAL_INTERFACE -s $MULTICAST -l -j DENY
#============================================================================
# ICMP
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: Echo_Reply
# 3: Dest_Unreachable, Network_Unavailable, Service_Unavailable, etc.
# 4: Source_Quench
# 5: Redirect
# 8: Echo_Request
# 11: Time_Exceeded
# 12: Parameter_Problem
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 0 -d $IPADDR -l -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 3 -d $IPADDR -l -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 4 -d $IPADDR -l -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 11 -d $IPADDR -l -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 12 -d $IPADDR -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 3 -d $ANYWHERE -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 4 -d $ANYWHERE -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 8 -d $ANYWHERE -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 12 -d $ANYWHERE -l -j ACCEPT
#============================================================================
# Disallow certain outgoing traffic to protect yourself from mistakes.
# openwindows: establishing a connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-s $IPADDR \
-d $OPENWINDOWS_EXCEPTION $RESTRICTED_OPENWINDOWS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-s $IPADDR \
-d $ANYWHERE $RESTRICTED_OPENWINDOWS -j REJECT
# Xwindows: establishing a connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-s $IPADDR \
-d $XWINDOWS_EXCEPTION $RESTRICTED_XWINDOWS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-s $IPADDR \
-d $ANYWHERE $RESTRICTED_XWINDOWS -j REJECT
#============================================================================
# LOOPBACK
# Unlimited traffic on the loopback interface.
ipchains -A input -i $LOOPBACK_INTERFACE -l -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -l -j ACCEPT
#============================================================================
# NOTE:
# The symbolic names used in /etc/services for the port numbers vary by
# supplier. Using them is less error prone and more meaningful, though.
#============================================================================
# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
# Deny access to the NFS, openwindows and X windows unprivileged ports
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $RESTRICTED_PORTS -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-s $OPENWINDOWS_EXCEPTION \
-d $IPADDR $RESTRICTED_OPENWINDOWS -l -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $RESTRICTED_OPENWINDOWS -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-s $XWINDOWS_EXCEPTION \
-d $IPADDR $RESTRICTED_XWINDOWS -l -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $RESTRICTED_XWINDOWS -l -j DENY
# SOCKS: incoming connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-s $ANYWHERE \
-d $IPADDR 1080 -j DENY
#============================================================================
# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-d $IPADDR $RESTRICTED_PORTS -l -j DENY
# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE 32769:65535 \
-d $IPADDR 33434:33523 -l -j DENY
#============================================================================
# DNS client (53)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -l -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -l -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_2 53 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_2 53 -l -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_2 53 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_2 53 -l -j ACCEPT
#============================================================================
# TCP accept only on selected ports
# ---------------------------------
# ------------------------------------------------------------------
# SSH server (22)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 22 -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 22 \
-d $ANYWHERE $UNPRIVPORTS -l -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $SSH_PORTS \
-d $IPADDR 22 -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 22 \
-d $ANYWHERE $SSH_PORTS -l -j ACCEPT
# SSH client (22)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 22 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 22 -l -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 22 \
-d $IPADDR $SSH_PORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $SSH_PORTS \
-d $ANYWHERE 22 -l -j ACCEPT
# ------------------------------------------------------------------
# HTTP client (80)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 80 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 80 -l -j ACCEPT
# ------------------------------------------------------------------
# HTTPS client (443)
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 443 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 443 -l -j ACCEPT
# ------------------------------------------------------------------
# WWW-CACHE client ()
# ----------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $WEB_PROXY_SERVER \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $WEB_PROXY_SERVER -l -j ACCEPT
# ------------------------------------------------------------------
# POP client (110)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $POP_SERVER 110 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $POP_SERVER 110 -l -j ACCEPT
# ------------------------------------------------------------------
# NNTP NEWS client (119)
# ----------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NEWS_SERVER 119 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NEWS_SERVER 119 -l -j ACCEPT
# ------------------------------------------------------------------
# FINGER client (79)
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 79 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 79 -l -j ACCEPT
# ------------------------------------------------------------------
# AUTH server (113)
# -----------------
# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE \
-d $IPADDR 113 -l -j REJECT
# AUTH client (113)
# -----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 113 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 113 -l -j ACCEPT
# ------------------------------------------------------------------
# SMTP client (25)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $SMTP_SERVER 25 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $SMTP_SERVER 25 -l -j ACCEPT
# ------------------------------------------------------------------
# SOCKS5 client (1080)
# --------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 1080 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 1080 -l -j ACCEPT
# ------------------------------------------------------------------
# IRC client (6667)
# -----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 6667 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 6667 -l -j ACCEPT
# ------------------------------------------------------------------
# FTP client (20, 21)
# -------------------
# outgoing request
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 21 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 21 -l -j ACCEPT
# NORMAL mode data channel
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE 20 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
# NORMAL mode data channel responses
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 20 -l -j ACCEPT
# PASSIVE mode data channel creation
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE $UNPRIVPORTS -l -j ACCEPT
# PASSIVE mode data channel responses
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
# ------------------------------------------------------------------
# WHOIS client (43)
# -----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 43 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 43 -l -j ACCEPT
#============================================================================
# UDP accept only on selected ports
# ---------------------------------
# ------------------------------------------------------------------
# NTP TIME clients (123)
# ----------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s time.server1.com 123 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d time.server1.com 123 -l -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s time.server2.com 123 \
-d $IPADDR $UNPRIVPORTS -l -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d time.server2.com 123 -l -j ACCEPT
# ------------------------------------------------------------------
# OUTGOING TRACEROUTE
# -------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 32769:65535 \
-d $ANYWHERE 33434:33523 -j ACCEPT
#============================================================================
# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.
ipchains -A input -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -l -j ACCEPT
ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -l -j ACCEPT
#============================================================================
# Masquerade internal traffic.
# All internal traffic is masqueraded externally.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ
#============================================================================
# Enable logging for selected denied packets
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -d $IPADDR -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $IPADDR $PRIVPORTS \
-l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $IPADDR $UNPRIVPORTS \
-l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 5 -d $IPADDR -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 13:18 -d $IPADDR -l -j DENY
#============================================================================
echo "done"
exit 0
#============================================================================
# NOTE for DHCP users:
#
# The following is an example "/etc/sysconfig/network-scripts/ifdhcpc-done".
# DHCP clients through at least version "dhcpcd-0.70-2" used the "-c"
# mechanism to specify a program to execute whenever dhcpcd successfully
# received an IP address.
#
# As presented, the example "ifdhcpc-done" updates your host IP address in
# /etc/hosts and updates the NAMESERVER definitions in the hostinfo file.
#
#-------------------------------- CUT HERE ---------------------------
#!/bin/sh -x
# Get the pid of the process which is waiting for this to complete.
# If the wait file doesn't exist, either the parent timed out, or
# the dhcp server is issuing a new IP address.
SLEEPPIDFILE=/var/run/dhcp-wait-${IFNAME}.pid
if [ -f $SLEEPPIDFILE ]; then
SLEEPPID=`cat $SLEEPPIDFILE`
rm -f $SLEEPPIDFILE
kill $SLEEPPID
else
echo "DHCP is configured, but ifup may have timed out." > /dev/console
fi
#---------------------------------------------------------------------
# RedHat Versions thru 5.2 use /etc/dhcpc/hostinfo-eth0
# Future releases (RedHat development releases) use /etc/dhcpc/dhcpcd-eth0.info
if [ -f /etc/dhcpc/hostinfo-eth0 ]; then
hostinfo="/etc/dhcpc/hostinfo-eth0"
elif [ -f /etc/dhcpc/dhcpcd-eth0.info ]; then
hostinfo="/etc/dhcpc/dhcpcd-eth0.info"
else
echo "DHCP is configured, but ifup may have timed out." > /dev/console
exit 1
fi
# get the hostinfo
. $hostinfo
# Update domainname
domain=`fgrep domain /etc/dhcpc/resolv.conf | sed -e "s/domain //"`
domainname $domain
# Update /etc/hosts
# Some services will break without this, unless you use localhost (eg. pop)
sed -e "s/^.*YOU/$IPADDR YOU.$domain YOU/" /etc/hosts > /var/tmp/hosts
cp /var/tmp/hosts /etc/hosts
rm /var/tmp/hosts
#---------------------------------------------------------------------
# Update $hostinfo with the current nameservers from /etc/resolv.conf.
# Thanks to Roger Goun for the idea of appending these to $hostinfo and
# getting rid of the temporary file.
let cnt=1
fgrep nameserver /etc/dhcpc/resolv.conf | sed -e "s/nameserver //" |
while read naddr
do
echo NAMESERVER_$cnt="$naddr" >> $hostinfo
let cnt=$cnt+1
done
#---------------------------------------------------------------------
cp /etc/dhcpc/resolv.conf /etc
sh /etc/rc.d/rc.firewall
echo "Firewalling enabled." > /dev/console
To send me email, replace 'nospam' with 'home'.
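To see what the SPOOFING & BAD ADDRESSES and LOOPBACK sections of the script above actually decide, here is an added example (mine, not Mark's posting or Robert Ziegler's tool) that parses a slice of those rules in the script's own ipchains syntax and replays constructed packets through them. It assumes the script's placeholder IPADDR and a default policy of DENY, and the test addresses are constructed.

```python
"""Replay constructed packets through the anti-spoofing rules of the
posted ipchains script (added example; not from the digest or the tool).
Supports the subset of ipchains syntax those rules use: -A -i -s -d -l -j."""
import ipaddress
import shlex
from string import Template

# Definitions copied from the posted script (IPADDR is its placeholder).
VARS = {"EXTERNAL_INTERFACE": "eth0", "LOOPBACK_INTERFACE": "lo",
        "IPADDR": "123.45.67.89", "LOOPBACK": "127.0.0.0/8",
        "CLASS_A": "10.0.0.0/8", "CLASS_B": "172.16.0.0/12",
        "CLASS_C": "192.168.0.0/16", "MULTICAST": "240.0.0.0/3",
        "BROADCAST_0": "0.0.0.0", "BROADCAST_1": "255.255.255.255"}
POLICY = "DENY"  # from: ipchains -P input DENY / ipchains -P output DENY

# A representative slice of the script's SPOOFING and LOOPBACK sections.
RULES_TEXT = """
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -l -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -d $IPADDR -l -j REJECT
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -l -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -l -j REJECT
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_1 -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_0 -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s $MULTICAST -l -j DENY
ipchains -A input -i $LOOPBACK_INTERFACE -l -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -l -j ACCEPT
"""

def parse_net(text):
    """ipchains address: 'any/0' matches all; else a host or CIDR. strict=False
    masks host bits, so the script's 240.0.0.0/3 becomes 224.0.0.0/3."""
    return None if text == "any/0" else ipaddress.ip_network(text, strict=False)

def parse_rule(line):
    """Turn one 'ipchains -A ...' line into a dict of match criteria."""
    tok = shlex.split(Template(line).substitute(VARS))
    rule = {"chain": None, "iface": None, "src": None, "dst": None,
            "log": False, "target": None}
    i = 1  # tok[0] is 'ipchains'
    while i < len(tok):
        flag, arg = tok[i], tok[i + 1] if i + 1 < len(tok) else None
        if flag == "-l":  # log matches; takes no argument
            rule["log"] = True
            i += 1
            continue
        key = {"-A": "chain", "-i": "iface", "-s": "src", "-d": "dst",
               "-j": "target"}[flag]  # KeyError on options not modelled here
        rule[key] = parse_net(arg) if key in ("src", "dst") else arg
        i += 2
    return rule

def matches(rule, chain, iface, src, dst):
    """Unset criteria match anything, as in ipchains."""
    if rule["chain"] != chain or rule["iface"] not in (None, iface):
        return False
    return all(net is None or ipaddress.ip_address(a) in net
               for net, a in ((rule["src"], src), (rule["dst"], dst)))

def evaluate(rules, chain, iface, src, dst):
    """First matching rule wins; the chain policy applies (unlogged) otherwise."""
    for rule in rules:
        if matches(rule, chain, iface, src, dst):
            return rule["target"], rule["log"]
    return POLICY, False

RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]

if __name__ == "__main__":
    for pkt in [("input", "eth0", "10.1.2.3", "123.45.67.89"),  # constructed
                ("output", "eth0", "123.45.67.89", "10.9.9.9"),
                ("input", "lo", "127.0.0.1", "127.0.0.1"),
                ("input", "eth0", "203.0.113.5", "123.45.67.89")]:
        print(pkt, "->", evaluate(RULES, *pkt))
```

The last sample shows why the logging flag matters: a public source address that no rule names falls through to the DENY policy silently, whereas the spoofed ones are denied and logged.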
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.networking) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Networking Digest
******************************