Jon,

Here's an edited version of the ipchains script I use at startup... it
could have a few errors since I did this in email and didn't try it out. =^)

#!/bin/sh
#Firewall Configuration
#
# Assumes IP forwarding is already switched on elsewhere in the boot
# sequence (echo 1 > /proc/sys/net/ipv4/ip_forward); MASQ does nothing
# without it. Run the removal script below before re-running this one:
# "ipchains -N" fails if the chain already exists.

echo "Establishing Firewalling..."

# Setup our default policies (deny by default on input and forward chains).
# output is left at the built-in default of ACCEPT, so the *-out chains
# below only need to deny what we don't want leaving.
ipchains -P input  DENY
ipchains -P forward  DENY

# Define an inbound chain for our ISP (everything arriving on ppp0)
ipchains -N isp-in
ipchains -A input -i ppp0 -j isp-in

# Define an outbound chain for our ISP (everything leaving on ppp0)
ipchains -N isp-out
ipchains -A output -i ppp0 -j isp-out

# Define RFC1918 (172.16.16.0) inbound chain (internal network, eth0)
ipchains -N rfc-in
ipchains -A input -i eth0 -j rfc-in

# Define RFC1918 (172.16.16.0) outbound chain
ipchains -N rfc-out
ipchains -A output -i eth0 -j rfc-out

# ISP inbound rules
# A packet that matches nothing in this chain falls back to the input
# chain and ends up in the default DENY policy, so these are the only
# things the outside world can send us.

# don't allow our internal address to come in from the ISP (spoofing), and
# log it (-l) so we can see who tried
ipchains -A isp-in -s 172.16.16.0/24 -l -j DENY

# accept echo-reply (answers to our own pings)
ipchains -A isp-in -p ICMP -s 0.0.0.0/0 echo-reply -j ACCEPT

# accept time-exceeded (for downed hosts/traceroutes)
ipchains -A isp-in -p ICMP -s 0.0.0.0/0 time-exceeded -j ACCEPT

# accept destination-unreachable (otherwise dead hosts just hang)
ipchains -A isp-in -p ICMP -s 0.0.0.0/0 destination-unreachable -j ACCEPT

# accept all tcp connections inbound that are already established.
# ipchains has no connection tracking: -y matches SYN-only packets, so
# "! -y" means "anything that isn't the start of a new connection".
ipchains -A isp-in -p TCP ! -y -j ACCEPT

# accept web traffic inbound (for a web server)
ipchains -A isp-in -p TCP -d 0.0.0.0/0 www -j ACCEPT

# accept ident traffic (IRC mostly), logged (-l) on every match
ipchains -A isp-in -p TCP -d 0.0.0.0/0 113 -l -j ACCEPT

# accept traffic bound for the MASQ ports. Replies to masqueraded
# connections come back addressed to ppp0 on the port ip_masq rewrote the
# source port to (default range 61000-65096), and they hit the input chain
# before being de-masqueraded, so they must be let in here.
ipchains -A isp-in -p TCP -d 0.0.0.0/0 60000:65535 -j ACCEPT
ipchains -A isp-in -p UDP -d 0.0.0.0/0 60000:65535 -j ACCEPT

# ISP outbound rules

# some sanity checks for ICMP: only echo-request leaves via ppp0, every
# other ICMP (including our own echo-replies) is dropped, which is also
# why isp-in above never accepts echo-request.
ipchains -A isp-out -p ICMP -s 0.0.0.0/0 echo-request -j ACCEPT
ipchains -A isp-out -p ICMP -j DENY

# RFC1918 inbound rules

# accept local traffic inbound (since we told the input chain to deny by default)
ipchains -A rfc-in -s 172.16.16.0/24 -j ACCEPT

# RFC1918 outbound rules
# (nothing needed: output policy is ACCEPT, so anything headed for the
# internal net goes out as is)

# Configure Masquerading and Forwarding
# define our masq rule. forward policy is DENY, so only packets from the
# internal net get forwarded, and they leave with ppp0's address.
ipchains -A forward -s 172.16.16.0/24 -d 0.0.0.0/0 -j MASQ

# Localhost permissions (appended after the interface jumps above; they
# don't match lo, so the packet falls through to here)
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT


Also, I have a script which removes the firewall so I can edit
and manually reload the firewall script.

#!/bin/sh
#Firewall Removal

# flush every chain (built-in and ours) before deleting the user chains;
# -X refuses to delete a chain that still has rules or is referenced
ipchains -F input
ipchains -F output
ipchains -F forward
ipchains -F isp-in
ipchains -F isp-out
ipchains -F rfc-in
ipchains -F rfc-out
ipchains -X isp-in
ipchains -X isp-out
ipchains -X rfc-in
ipchains -X rfc-out
# open the input chain back up; forward is deliberately left at DENY so
# nothing gets routed through the box unfiltered while we edit
ipchains -P input  ACCEPT

Since I'm running an internal (RFC net) DNS server (to accumulate my 
local network (via the NT WINS->DNS features) and external DNS 
into one place), I have no need to allow DNS requests in specifically
(handled by ip_masq) - you'll probably need to add a rule that allows 
DNS traffic back to your Linux box.

Let me know if you have any problems.
-C



At 10:27 AM 11/7/98 -0500, you wrote:
>I'm looking for some sample scripts to help me set up ipchains. I can't
>quite set things right using only the HOWTO.
>
>I've got a RH5.1 box w/krnl 2.1.125, a eth0 connected to wife's Win95
>comp, and a ppp0 connected (not permanently) to my ISP. She's running
>Netscape 4.05.
>
>Can anyone send me a copy of their scripts, if they have a similar
>setup (you can replace the IP #s with something for safety reasons). I
>could figure it out if I had a starting point, I just can't seem to find a
>starting point in the HOWTO (I don't know why, everyone but me seems to
>think it's easy).
>
>I would appreciate the help.
>
>--
>________________________________________
>Jonathan Pennington
>-Student Anthropologist/Geologist
>-Linux User and Advocate
>-Bart Simpson Sympathizer
>
>Email at jwp(at)awod.com
>_______________________________________
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>For daily digest info, email [EMAIL PROTECTED]
> 
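To see why the DNS caveat in the reply above matters before touching a live box, the following added example (not part of the original mail, and not ipchains itself) models the input-side rules of the startup script in Python: the same chains, jumps, first-match semantics and DENY default, fed with constructed packets. The firewall's ppp0 address, the ISP resolver address and the port numbers are made-up RFC 5737 documentation values; `add_dns_reply_rule` is one possible form of the extra rule the author says a box that resolves DNS for itself needs, not a rule from the script.

```python
"""Model of the ipchains input path in the startup script above.
Added example: constructed packets against a transcription of the rules,
so the verdicts can be checked offline. Not ipchains, no kernel involved."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ACCEPT, DENY = "ACCEPT", "DENY"


@dataclass
class Packet:
    iface: str              # interface the packet arrives on: ppp0 / eth0 / lo
    proto: str              # tcp / udp / icmp
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False       # TCP SYN without ACK, what ipchains "-y" matches
    icmp_type: str = ""     # ICMP type name as used in the script


@dataclass
class Rule:
    target: str                        # ACCEPT, DENY, or a user chain to jump to
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None          # CIDR, like "-s"
    dst: Optional[str] = None
    sports: Optional[tuple] = None     # (lo, hi) inclusive source port range
    dports: Optional[tuple] = None     # (lo, hi) inclusive destination port range
    syn: Optional[bool] = None         # True = "-y", False = "! -y", None = don't care
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.iface and p.iface != self.iface: return False
        if self.proto and p.proto != self.proto: return False
        if self.src and ip_address(p.src) not in ip_network(self.src): return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst): return False
        if self.sports and not (self.sports[0] <= p.sport <= self.sports[1]): return False
        if self.dports and not (self.dports[0] <= p.dport <= self.dports[1]): return False
        if self.syn is not None and p.syn != self.syn: return False
        if self.icmp_type and p.icmp_type != self.icmp_type: return False
        return True


class Firewall:
    def __init__(self):
        self.chains = {"input": [], "forward": [], "output": []}
        self.policy = {"input": ACCEPT, "forward": ACCEPT, "output": ACCEPT}

    def new(self, name): self.chains[name] = []          # ipchains -N
    def add(self, chain, rule): self.chains[chain].append(rule)   # ipchains -A

    def verdict(self, chain: str, p: Packet) -> Optional[str]:
        """First matching terminal rule wins. A jump into a user chain returns
        here if that chain runs off its end; a built-in chain ends in its policy."""
        for rule in self.chains[chain]:
            if not rule.matches(p):
                continue
            if rule.target in (ACCEPT, DENY):
                return rule.target
            sub = self.verdict(rule.target, p)
            if sub is not None:
                return sub
        return self.policy.get(chain)       # user chains have no policy -> None


def build_startup_firewall() -> Firewall:
    """Input-side rules of the startup script, transcribed one for one."""
    fw = Firewall()
    fw.policy["input"] = DENY
    fw.policy["forward"] = DENY
    fw.new("isp-in"); fw.add("input", Rule("isp-in", iface="ppp0"))
    fw.new("rfc-in"); fw.add("input", Rule("rfc-in", iface="eth0"))
    fw.add("isp-in", Rule(DENY, src="172.16.16.0/24"))                  # anti-spoof
    for t in ("echo-reply", "time-exceeded", "destination-unreachable"):
        fw.add("isp-in", Rule(ACCEPT, proto="icmp", icmp_type=t))
    fw.add("isp-in", Rule(ACCEPT, proto="tcp", syn=False))              # ! -y
    fw.add("isp-in", Rule(ACCEPT, proto="tcp", dports=(80, 80)))        # www
    fw.add("isp-in", Rule(ACCEPT, proto="tcp", dports=(113, 113)))      # ident
    fw.add("isp-in", Rule(ACCEPT, proto="tcp", dports=(60000, 65535)))  # MASQ ports
    fw.add("isp-in", Rule(ACCEPT, proto="udp", dports=(60000, 65535)))
    fw.add("rfc-in", Rule(ACCEPT, src="172.16.16.0/24"))
    fw.add("input", Rule(ACCEPT, iface="lo"))
    return fw


def add_dns_reply_rule(fw: Firewall, resolver: str = "198.51.100.53") -> None:
    """Assumed form of the extra rule the author mentions: accept UDP from the
    ISP resolver (placeholder address), source port 53, to an unprivileged
    local port, i.e. a reply to a query the Linux box itself sent."""
    fw.add("isp-in", Rule(ACCEPT, proto="udp", src=resolver + "/32",
                          sports=(53, 53), dports=(1024, 65535)))


FW_IP = "203.0.113.7"   # constructed: the firewall's own ppp0 address
SAMPLES = {               # constructed packets, all arriving at the input chain
    "spoofed internal src on ppp0": Packet("ppp0", "tcp", "172.16.16.5", FW_IP, 40000, 80, syn=True),
    "new connection to web server": Packet("ppp0", "tcp", "192.0.2.10", FW_IP, 40000, 80, syn=True),
    "new connection to ssh":        Packet("ppp0", "tcp", "192.0.2.10", FW_IP, 40001, 22, syn=True),
    "reply to our outbound tcp":    Packet("ppp0", "tcp", "192.0.2.10", FW_IP, 443, 1030),
    "masq'd dns reply for the LAN": Packet("ppp0", "udp", "198.51.100.53", FW_IP, 53, 61000),
    "dns reply to the box itself":  Packet("ppp0", "udp", "198.51.100.53", FW_IP, 53, 1234),
    "lan host to firewall":         Packet("eth0", "tcp", "172.16.16.10", "172.16.16.1", 1025, 22, syn=True),
    "loopback":                     Packet("lo", "tcp", "127.0.0.1", "127.0.0.1", 1026, 80, syn=True),
}


def run(fw: Firewall) -> dict:
    return {name: fw.verdict("input", p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    fw = build_startup_firewall()
    before = run(fw)
    add_dns_reply_rule(fw)
    after = run(fw)
    for name in SAMPLES:
        print(f"{name:30s} {before[name]:7s} -> {after[name]}")
```

Before the extra rule, the masqueraded DNS reply for the Win95 box is accepted (it lands in the 60000:65535 range, which is what "handled by ip_masq" means), but the reply to a query the firewall sent for itself comes back to an ordinary ephemeral port and hits the DENY default; the appended rule flips only that verdict and leaves the SSH SYN denied.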