Trent Cook wrote:

> I have a working IPCHAINS box...runs great.  I have now tried to set up a box
> with 3 nics, routing, and ipchains.
> 
> The new box works just as it should, well sort of.  1st it's running RH6.2 and
> I haven't done any updates on the box yet (kernel etc) could this cause the
> following problem?

no, that'd be your firewall rules. but you should update the kernel
to something > 2.2.15

> Problem is that the box works great as long as input and output policies are
> accept, OR I have an allow all to anywhere rule at the end.
> 
> I would like to limit traffic, and find it odd that if the policy is deny, I
> have a mess of restrictions (ftp block, chat, etc etc) then at the end I have
> my allow all rule as I am still testing the script, it allows ALL TRAFFIC.  It
> will not block the previous rules I specified?
> 
> IE:
> ipchains -A input -i $internalnic --dport 1:21 -p tcp -j DENY
> ipchains -A input -i $internalnic --dport 1:21 -p udp -j DENY
> 
> Shouldn't that block out FTP?  Maybe I am way off here. (probably the case)

among other things but only from $internalnic. this will only stop
users of your masqueraded network from ftp'ing anything. it won't
stop external users ftp'ing your hosts and it won't stop you ftp'ing
from the masquerading host itself. is that what you intended?

keep working at it until you get it right with a default input/output
policy of deny/reject. a policy of accept is the high-maintenance
approach to security :)

raf
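
The scope of those two rules, as an added example that is not part of the original thread: a small Python model of first-match chain evaluation showing which packets the posted rules see, with and without the trailing allow-all. The interface names eth0/eth1 and the allow-all-only output chain are assumptions.

```python
# Added illustration: a minimal model of ipchains first-match evaluation.
# eth0/eth1 and the chain layouts are assumptions, not from the thread.
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXT, INT = "eth0", "eth1"   # assumed external / internal ($internalnic) NICs

@dataclass(frozen=True)
class Packet:
    iface: str   # input chain: arrival interface; output chain: departure interface
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    target: str
    iface: Optional[str] = None              # None means "any"
    proto: Optional[str] = None
    dports: Optional[Tuple[int, int]] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.dports is None
                     or self.dports[0] <= p.dport <= self.dports[1]))

def verdict(chain: List[Rule], policy: str, p: Packet) -> str:
    """Return the target of the first matching rule, else the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

# The two rules from the post, then the temporary allow-all at the end.
POSTED = [Rule("DENY", INT, "tcp", (1, 21)), Rule("DENY", INT, "udp", (1, 21))]
INPUT_TESTING = POSTED + [Rule("ACCEPT")]
OUTPUT_TESTING = [Rule("ACCEPT")]            # assumed: allow-all only

def report() -> dict:
    return {
        "masq client -> port 21": verdict(INPUT_TESTING, "DENY", Packet(INT, "tcp", 21)),
        "masq client -> port 22": verdict(INPUT_TESTING, "DENY", Packet(INT, "tcp", 22)),
        "outside -> port 21": verdict(INPUT_TESTING, "DENY", Packet(EXT, "tcp", 21)),
        "firewall itself -> port 21": verdict(OUTPUT_TESTING, "DENY", Packet(EXT, "tcp", 21)),
        "outside -> port 21, no allow-all": verdict(POSTED, "DENY", Packet(EXT, "tcp", 21)),
        "masq client -> port 80, no allow-all": verdict(POSTED, "DENY", Packet(INT, "tcp", 80)),
    }

if __name__ == "__main__":
    for case, result in report().items():
        print(f"{case:38} {result}")
```

The last two cases show why the box only passes traffic while the allow-all is present: with a DENY policy, anything not explicitly accepted is dropped, so each wanted flow needs its own ACCEPT rule.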
