<delurking>
Hi,
     Before you deploy your firewall rules, plan beforehand what policy you
want to use.
There are 2 ways you can do this:
1. Deny default policy and selectively allow.
2. Allow default policy and selectively deny.
    <comments below>

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 02, 2002 8:43 PM
Subject: [plug] ipchains config


> Hi all!
>
> I'm fiddling with ipchains for the first time and it's cool!
>
> The problem is that now I can't surf the web or ping any other servers. I
> guess it's because I set it up to only let packets in from certain servers.
> How does one set up ipchains so I can surf and ping?
>
> Here's what I've got in my script. Addresses and interface names have been
> changed to "protect the innocent". Any help would be greatly appreciated.
> I miss surfing already...
>
> Thanks! God bless!
> --------------------------------------------------------------------------
>
> #!/bin/bash
> #
> # This is an ipchains configuration script. It does the
> # following:
> #
> # 1. Flushes old rulesets
> # 2. Set default policies
> # 3. Allow local interfaces (loopback and eth0)
> # 4. Deny address block we should never see including the local address
> #    block (192.168.1.0-24)
> # 5. Allow some inbound services
> # 6. Allow DNS query responses
> # 7. Deny all other packets and log them
> #
> #
> # Flush old rulesets
> #
> ipchains -F input
> ipchains -F output
> ipchains -F forward
> #
> #
> # Set default policies
> #
> ipchains -P input DENY
> ipchains -P output ACCEPT
> ipchains -P forward ACCEPT
> #
> #
> # Allow local interface
> #
> ipchains -A input -i lo -j ACCEPT
> #
> #
> # Deny address blocks we should never see including our local address
> # block and log them
> #
> ipchains -A input -i <interfacex> -s 10.0.0.0/8 -j DENY -l
> ipchains -A input -i <interfacex> -s 172.16.0.0/12 -j DENY -l
> ipchains -A input -i <interfacex> -s 192.168.1.0/24 -j DENY -l

****The 3 lines above can be disregarded since every input is denied by the
default policy, unless the point of these rules is logging, in which case it
is not advised for prolonged use since it will quickly fill up the log files.

> #
> #
> # Allow incoming mail from ISP's mailserver and POP3 response
> #
> ipchains -A input -i <interfacex> -p tcp -s xxx.xxx.xxx.xxx -j ACCEPT
> ipchains -A input -i <interfacex> -p tcp -s xxx.xxx.xxx.xxx --sport 110 -j ACCEPT

****Will the Linux box itself do the POP3 checking? If not, then you must
add a forward chain rule with the MASQ action, but if you'll use forwarding
you must enable it first by echoing "1" to /proc/sys/net/ipv4/ip_forward.

Since you want to surf and ping, and assuming you don't have a web proxy
yet, you must allow masquerading for TCP packets going to ports 80 & 443 and
allow ICMP masquerading as well.

> #
> #
> # Allow DNS query responses from DNS
> #
> ipchains -A input -i <interfacex> -p udp -s xxx.xxx.xxx.xxx 53 -j ACCEPT
> ipchains -A input -i <interfacex> -p tcp -s xxx.xxx.xxx.xxx 53 -j ACCEPT
> ipchains -A input -i <interfacex> -p udp -s xxx.xxx.xxx.xxx 53 -j ACCEPT
> ipchains -A input -i <interfacex> -p tcp -s xxx.xxx.xxx.xxx 53 -j ACCEPT

***The same thing applies to these lines: use the forward chain in combination with input.

> #
> #
> # Deny all other packets and log them
> #
> ipchains -A input -j DENY -l
> #
> # End of script
>
>
> -- [Manny Amador] ----------------------------- [[EMAIL PROTECTED]] --
>    Member: Philippine League for Democratic Telecommunications, Inc.
>                        "Affordable Access for All!"
> -- [Distributed Development Network (DDN)] ------- [www.distdev.com] --
> _
> Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
> To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
>
> To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
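An added worked example for this thread (it is neither the poster's script nor the reply author's code): a deny-by-default ipchains ruleset that lets the box itself surf and ping, and masquerades a LAN behind it as the reply recommends. The interface names (eth0, eth1), the addresses 203.0.113.10 and 203.0.113.53 and the 192.168.0.0/16 anti-spoofing block are assumptions or constructed placeholders; the 192.168.1.0/24 LAN block is taken from the original script. The point it shows beyond the script above: ipchains is stateless, so a DENY input policy also drops the replies to the box's own outbound connections unless they are explicitly allowed by remote source port, and "! -y" lets those replies through without opening inbound connections. The ruleset is printed by build_rules so it can be reviewed before "apply" runs it (root and an ipchains-era 2.2 kernel required).

```shell
#!/bin/sh
# Added example (not the poster's script): deny-by-default ipchains ruleset
# for a box that surfs and pings itself and masquerades a LAN behind it.
# All names and addresses below are assumptions or constructed placeholders.
EXT_IF=${EXT_IF:-eth0}                   # assumed external interface
LAN_IF=${LAN_IF:-eth1}                   # assumed LAN interface
EXT_IP=${EXT_IP:-203.0.113.10}           # constructed placeholder (our address)
LAN_NET=${LAN_NET:-192.168.1.0/24}       # LAN block from the original script
DNS_SERVER=${DNS_SERVER:-203.0.113.53}   # constructed placeholder resolver
IPCHAINS=${IPCHAINS:-ipchains}

# build_rules prints one ipchains argument list per line so the ruleset can
# be reviewed (or counted in a test) before anything is applied.
build_rules() {
    # 1. Flush, then deny-by-default on input and forward; output is trusted.
    for chain in input output forward; do echo "-F $chain"; done
    echo "-P input DENY"
    echo "-P output ACCEPT"
    echo "-P forward DENY"
    # 2. Loopback and the LAN side are allowed in.
    echo "-A input -i lo -j ACCEPT"
    echo "-A input -i $LAN_IF -s $LAN_NET -j ACCEPT"
    # 3. Anti-spoofing: private/loopback sources must never arrive on the
    #    external interface. Logging (-l) helps while testing, but the reply
    #    above is right that it fills logs quickly; drop -l for long-term use.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        echo "-A input -i $EXT_IF -s $net -j DENY -l"
    done
    # 4. Return traffic for the box's own browsing. ipchains is stateless, so
    #    replies from remote ports 80/443 to our unprivileged ports need an
    #    explicit rule; "! -y" refuses bare SYN packets, so no inbound
    #    connection can be opened through these rules.
    for port in 80 443; do
        echo "-A input -i $EXT_IF -p tcp -s 0/0 $port -d $EXT_IP 1024:65535 ! -y -j ACCEPT"
    done
    # 5. DNS answers, from the configured resolver only.
    echo "-A input -i $EXT_IF -p udp -s $DNS_SERVER 53 -d $EXT_IP 1024:65535 -j ACCEPT"
    echo "-A input -i $EXT_IF -p tcp -s $DNS_SERVER 53 -d $EXT_IP 1024:65535 ! -y -j ACCEPT"
    # 6. Ping replies plus the ICMP errors that keep traceroute and path-MTU
    #    discovery working; echo-request from outside stays denied.
    for t in echo-reply destination-unreachable time-exceeded; do
        echo "-A input -i $EXT_IF -p icmp --icmp-type $t -j ACCEPT"
    done
    # 7. Masquerade LAN traffic leaving via the external interface (on the
    #    forward chain -i is the outgoing interface). Anything else that
    #    would be forwarded hits the DENY policy.
    echo "-A forward -i $EXT_IF -s $LAN_NET -j MASQ"
    # 8. Log what the default policy is about to drop.
    echo "-A input -j DENY -l"
}

# apply_rules enables forwarding and feeds each line to ipchains.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward || return 1
    build_rules | while read -r rule; do
        # word splitting of $rule into separate arguments is intended
        $IPCHAINS $rule || exit 1   # exits the pipeline subshell, failing apply_rules
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it with no arguments (or call build_rules) to print the 21 rules for review; run it as "sh script.sh apply" to load them. The order matters: the anti-spoofing DENYs sit before the "0/0 80" return-traffic rule so a spoofed private source can never match the ACCEPT, and the final logging DENY is last so only traffic no earlier rule handled gets logged.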
