/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */

Frode,

You can't block all the input ports or connections won't make it back in. To keep things from getting inside your network, deny forwarding and block connections to known ports bound to the external NIC that you don't want people to access. If you do a netstat -an and see a port listening on 0.0.0.0, block it unless you want people to access it.

Unfortunately ipchains doesn't have the logic that some of the more advanced "stateful" firewalls have for tracking outbound connections and opening the necessary port to get back in. I've barely looked into iptables, but it's supposed to be a lot more advanced, so you may wish to look into it, though I'm not sure if it will allow what you're wishing.

Good luck,
Larry Lamb, CCNP, CCDA, MCSE, MCP+I

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frode Hauge
Sent: Sunday, May 27, 2001 3:08 PM
To: [EMAIL PROTECTED]
Subject: [Masq] IPCHAINS ruleset that blocks all incoming but allows all outbound

I've scratched my head for a good 2-3 hours now and can't for the life of me figure this out. I've hunted the web a bit and can't find anything either. Granted, I may be having a seriously blind day, but here's what I'm trying to do:

1) Block ALL incoming traffic to ALL ports using ALL protocols
2) Allow the firewall machine and the masqueraded hosts behind it full access.

So, basically, I want to block everything incoming, unless they're packets in response to connections already established from behind the firewall.

The "strong" rulesets I find on the net all seem to do the same thing. They block off some known "nasty" ports, but set a catch-all rule to allow everything else. The stronger they are, the more ports they block, but all seem to have that catch-all allow at the end.

Am I a total blockhead at the moment, or doesn't ipchains allow for incoming packets on ports established from the firewall machine itself (and any masqueraded hosts, of course)? This just seems too unlikely to be the case. It shouldn't be able to call itself a firewall if this were true.

Let me for the moment ignore the masq issue and just write out the very (I thought) simple idea as ipchains rules. I'm starting out EXTREMELY simple here. Since I can't even get this much working there's not much point adding the more "advanced" ideas I had. I chose to use no IPs for this example; the interface should do the job just fine. But I have tried using IPs too, with no more luck:

Default policies = DENY for forwarding, ALLOW for input and output

# Allow all outbound connections on the adsl interface. Never mind
# possible spoofing etc., just do it. The policy should allow this, but
# to illustrate I'll quote it here.
ipchains -A output -p all -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# Block all incoming connections on the adsl interface.
ipchains -A input -p all -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j DENY

My logic tells me this should work just dandy. And indeed it seems to... sorta. If I add logging and then attempt to connect to irc I get a screen full of denies from port 6667 of the remote irc server. What baffles me is that, since this connection was established via the allowed output rule, the return packets are still blocked.

I tried to search the archives, but the webserver just spits out an "internal error", so no luck there either. Hopefully this hasn't been asked 20 times already this week.

Thanks in advance,
Frode

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
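Added example, not part of either mail above: the two rulesets the thread is circling around, written as a shell script. It assumes ppp0 is the ADSL link (as in Frode's mail), eth0 and 192.168.1.0/24 for the LAN side (neither is named in the thread), and the default 2.2-kernel masquerading port range 61000-65096. ipchains_rules is the stateless approximation ipchains admits: it cannot track connections, so a returning TCP packet is recognised only by the absence of the SYN flag (`! -y`), and UDP replies need explicit holes. iptables_rules is the same policy with connection tracking (`-m state --state ESTABLISHED,RELATED`), which is exactly what Frode's two rules lack. Unless APPLY=1 is set, the commands are only printed, so the script can be run anywhere.

```sh
#!/bin/sh
# Added example (not from the thread). Interface names, the LAN range and the
# masq port range are assumptions, see the lead-in.
EXT=${EXT:-ppp0}              # ADSL side, as in the original mail
INT=${INT:-eth0}              # masqueraded LAN side (assumed)
LAN=${LAN:-192.168.1.0/24}    # private range behind the firewall (assumed)

# Print each rule, or execute it when APPLY=1 (needs root and a matching kernel).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# ipchains (2.2 kernels): no connection tracking. A reply to a connection we
# opened never carries a bare SYN, so accept non-SYN TCP (! -y) and let the
# final rule deny new connections. UDP has no flags, so its replies need
# explicit holes; masqueraded LAN hosts get their replies on the kernel's
# masq port range, which the input chain sees before demasquerading.
ipchains_rules() {
    run ipchains -F
    run ipchains -P input ACCEPT
    run ipchains -P output ACCEPT
    run ipchains -P forward DENY
    run ipchains -A input -i lo -j ACCEPT
    # inbound packets claiming to be from our own LAN are spoofed: deny and log
    run ipchains -A input -i "$EXT" -s "$LAN" -j DENY -l
    # replies to TCP connections opened from inside: no SYN flag, let them in
    run ipchains -A input -i "$EXT" -p tcp ! -y -j ACCEPT
    # UDP replies for masqueraded hosts arrive on the masq port range (assumed default)
    run ipchains -A input -i "$EXT" -p udp --destination-port 61000:65096 -j ACCEPT
    # DNS replies to the firewall's own resolver queries
    run ipchains -A input -i "$EXT" -p udp --source-port 53 -j ACCEPT
    # anything else arriving on the ADSL side is denied and logged
    run ipchains -A input -i "$EXT" -j DENY -l
    # masquerade LAN traffic leaving on the ADSL side (-i in forward = outgoing interface)
    run ipchains -A forward -i "$EXT" -s "$LAN" -j MASQ
}

# iptables (2.4 kernels): connection tracking makes the policy a single rule.
iptables_rules() {
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -i "$INT" -j ACCEPT   # trust the LAN side (assumption)
    # the rule ipchains cannot express: replies to whatever we or the LAN opened
    run iptables -A INPUT -i "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # log new inbound attempts before the DROP policy eats them
    run iptables -A INPUT -i "$EXT" -m state --state NEW -j LOG --log-prefix "inbound-new: "
    run iptables -A FORWARD -i "$INT" -o "$EXT" -j ACCEPT
    run iptables -A FORWARD -i "$EXT" -o "$INT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
}

case "${1:-}" in
    ipchains) ipchains_rules ;;
    iptables) iptables_rules ;;
    "") ;;                                   # no argument: only define the functions
    *) echo "usage: $0 ipchains|iptables" >&2 ;;
esac
```

Run `sh firewall.sh ipchains` or `sh firewall.sh iptables` to print the rules; set APPLY=1 to execute them as root. The ipchains version is only an approximation: every non-SYN TCP packet reaches the host, so an unsolicited ACK probe is answered with an RST instead of being silently dropped, which lets a scanner tell "filtered" from "unfiltered" ports even though it cannot open a connection. Connection tracking in iptables drops such a packet because it belongs to no known connection.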
