/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
What you want is something like:
ipchains -A isp-in -p TCP ! -y -j ACCEPT
This means "accept tcp packets for established connections,"
meaning replies to connections initiated from the inside network.
This seems to work; I recently tried removing the tcp catchall line
# accept from the masq ports
# ipchains -A isp-in -p TCP -y -d 0/0 61000:65535 -j ACCEPT
from my firewall script, and haven't yet seen any problems. I
haven't yet removed the equivalent line for udp.
You will need to allow udp packets with a source port of 53, if you
want to keep dns working. Hope this helps.
Charlie Shoemaker
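To make the difference between the two rulesets in this thread concrete, here is an added example (my own code, not from either poster or from the masq list) that models how an ipchains chain classifies inbound packets. ipchains has no connection table: `! -y` matches every TCP segment that is not a bare SYN, so it approximates "established" rather than tracking connections, and the 61000:65535 range is simply the port range the 2.2 kernel used for masqueraded sessions. The chain name `isp-in`, the DENY policy, and the sample packets are assumptions for the illustration; the classifier shows why Frode's deny-all rule drops the IRC server's reply while Charlie's `! -y` rule accepts it, and what the removed "tcp catchall" line would have let through.

```python
# Added example: a model of the stateless ipchains rules discussed in the
# thread.  Not code from the thread; chain name, policy and packets assumed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

MASQ_PORTS = range(61000, 65536)  # 2.2 kernel masquerade port range


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    sport: int              # source port as seen arriving on the ISP interface
    dport: int              # destination port on the firewall / masq host
    syn_only: bool = False  # SYN set, ACK clear: what "ipchains -y" matches


# A rule is (ipchains command text, match predicate, target).
Rule = Tuple[str, Callable[[Packet], bool], str]


def build_isp_in(allow_masq_syn: bool = False) -> List[Rule]:
    """The inbound chain as Charlie describes it.  allow_masq_syn re-adds the
    'accept from the masq ports' catch-all he removed from his script."""
    chain: List[Rule] = [
        ("ipchains -A isp-in -p TCP ! -y -j ACCEPT",
         lambda p: p.proto == "tcp" and not p.syn_only, "ACCEPT"),
        ("ipchains -A isp-in -p UDP -s 0/0 53 -j ACCEPT",
         lambda p: p.proto == "udp" and p.sport == 53, "ACCEPT"),
    ]
    if allow_masq_syn:
        chain.insert(1, ("ipchains -A isp-in -p TCP -y -d 0/0 61000:65535 -j ACCEPT",
                         lambda p: p.proto == "tcp" and p.syn_only
                         and p.dport in MASQ_PORTS, "ACCEPT"))
    return chain


def build_deny_all() -> List[Rule]:
    """Frode's original input rule on ppp0: deny everything, no exceptions."""
    return [("ipchains -A input -p all -i ppp0 -j DENY", lambda p: True, "DENY")]


def filter_packet(chain: List[Rule], pkt: Packet,
                  policy: str = "DENY") -> Tuple[str, str]:
    """First matching rule wins, as in ipchains; otherwise the chain policy."""
    for text, match, target in chain:
        if match(pkt):
            return target, text
    return policy, "chain policy"


# Constructed sample traffic (not captured data), labelled by what it represents.
SAMPLES: Dict[str, Packet] = {
    "irc reply (SYN/ACK from 6667 to a masq port)": Packet("tcp", 6667, 61005),
    "new inbound ssh connection (bare SYN)":        Packet("tcp", 40000, 22, syn_only=True),
    "bare SYN aimed at the masq port range":        Packet("tcp", 40000, 61005, syn_only=True),
    "dns answer from a resolver":                   Packet("udp", 53, 61010),
    "unsolicited udp":                              Packet("udp", 1234, 111),
}


def classify_all(chain: List[Rule]) -> Dict[str, str]:
    """Verdict for every sample packet under the given chain."""
    return {name: filter_packet(chain, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("Frode's deny-all input rule", build_deny_all()),
                         ("Charlie's isp-in chain", build_isp_in()),
                         ("isp-in plus masq catch-all", build_isp_in(allow_masq_syn=True))):
        print(f"== {label}")
        for name, verdict in classify_all(chain).items():
            print(f"  {verdict:6}  {name}")
```

Running it prints the three verdict tables; the point to take away is that the `! -y` line is what lets replies in without a catch-all, and that the catch-all's only effect is to admit fresh SYNs to the masq port range, which is why dropping it costs nothing.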
From: "Frode Hauge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Date sent: Sun, 27 May 2001 21:08:05 +0200
Subject: [Masq] IPCHAINS ruleset that blocks all incoming but allows all outbound
>
> I've scratched my head for a good 2-3 hours now and can't for the life of
> me figure this out. I've hunted the web a bit and can't find anything
> either.
>
> Granted, I may be having a seriously blind day, but here's what I'm trying
> to do:
>
> 1) Block ALL incoming traffic to ALL ports using ALL protocols
> 2) Allow the firewall machine and the masqueraded hosts behind it full
> access.
>
> So, basically, I want to block everything incoming, unless they're packets
> in response to connections already established from behind the firewall.
>
> The "strong" rulesets I find on the net all seem to do the same thing. Blocks
> off some known "nasty" ports, but sets a catch-all rule to allow everything
> else. The stronger they are, the more ports they block, but all seem to have
> that catch-all allow at the end.
>
> Am I a total blockhead at the moment, or doesn't ipchains allow for incoming
> packets on ports established from the firewall machine itself (and any
> masqueraded hosts, of course)? This just seems too unlikely to be the case.
> It shouldn't be able to call itself a firewall if this was true.
>
> If I for the moment ignore the masq issue and just write out the very (I
> thought) simple idea as ipchains rules. I'm starting out EXTREMELY simple here.
> Since I can't even get this much working there's not much point adding the
> more "advanced" ideas I had. I chose to use no IPs for this example, the
> interface should do the job just fine. But I have tried using IPs too, with
> no more luck:
>
> Default policies = DENY for forwarding, ALLOW for input and output
>
> #Allow all outbound connections on the adsl interface. Never mind
> #possible spoofing etc, just do it. The policy should allow this, but
> #to illustrate I'll quote it here.
> ipchains -A output -p all -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
>
> #Block all incoming connections on the adsl interface.
> ipchains -A input -p all -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j DENY
>
> My logic tells me this should work just dandy. And indeed it seems to..
> Sorta. If I add logging and then attempt to connect to irc I get a screen
> full of denies from port 6667 of the remote irc server. What baffles me is
> that, since this connection was established via the allowed output rule, the
> return packets are still blocked.
>
> I tried to search the archives, but the webserver just spits out an
> "internal error", so no luck there either. Hopefully this hasn't been asked
> 20 times already this week.
>
> Thanks in advance,
>
> Frode
>
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.