-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 13 Mar 2003 14:26:15 +0800, [EMAIL PROTECTED] wrote:
> Now, we want to allow users to use only the following port numbers
> (services), but we may need someone to help check and modify the
> "rules"...
>
> ipchains -F
>
> ipchains -A input -i eth0 -p tcp --dport 20 -j ACCEPT
> ipchains -A input -i eth0 -p tcp --dport 21 -j ACCEPT
> ipchains -A input -i eth0 -p tcp --dport 22 -j ACCEPT
> ipchains -A input -i eth0 -p tcp --dport 25 -j ACCEPT
> ipchains -A input -i eth0 -p tcp --dport 80 -j ACCEPT
> ipchains -A input -i eth0 -p tcp --dport 53 -j ACCEPT
> ipchains -A input -i eth0 -p udp --dport 53 -j ACCEPT
> ipchains -A input -i eth0 -p tcp --dport 110 -j ACCEPT
> ipchains -A input -i eth0 -p tcp --dport 143 -j ACCEPT
> ipchains -A input -i eth0 -p tcp --dport 113 -j ACCEPT
> ipchains -A input -i eth0 -p udp --dport 113 -j ACCEPT
> ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
>
> ipchains --policy input DENY
> ipchains --policy output DENY
>
> ipchains -A output -i eth0 -p tcp --sport 20 -j ACCEPT
> ipchains -A output -i eth0 -p tcp --sport 21 -j ACCEPT
> ipchains -A output -i eth0 -p tcp --sport 22 -j ACCEPT
> ipchains -A output -i eth0 -p tcp --sport 25 -j ACCEPT
> ipchains -A output -i eth0 -p tcp --sport 110 -j ACCEPT
> ipchains -A output -i eth0 -p tcp --sport 143 -j ACCEPT
> ipchains -A output -i eth0 -p tcp --sport 113 -j ACCEPT
> ipchains -A output -i eth0 -p udp --sport 113 -j ACCEPT
> ipchains -A output -i eth0 -p tcp --sport 80 -j ACCEPT
> ipchains -A output -i eth0 -p tcp --sport 53 -j ACCEPT
> ipchains -A output -i eth0 -p udp --sport 53 -j ACCEPT
> ipchains -A output -i eth0 -p tcp ! -y -j ACCEPT
>
> ## Debugging rules.
> ipchains -A input -s 0/0 -d 0/0 -l -j REJECT
> ipchains -A output -s 0/0 -d 0/0 -l -j REJECT
>
> PS: if we DON'T set "! -y -j ACCEPT", we can't connect to outside...

From where? Forwarded traffic maybe? With only TCP packets without the SYN
flag set you cannot "connect" anyway.
If you add rules that don't fit into the concept of the above set of rules,
we should stop this here. If your host is going to be not only a server (I
had asked about that before), but also a client and a gateway at the same
time, you would need much more (in the forward chain, for instance) to
create a good ruleset which still protects your host at least a bit.
Without a detailed description of your network topology and the desired
flow of traffic, this discussion is a waste of time.

--
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+cGao0iMVcrivHFQRAjsHAJ0S15MU7csW6VkO4EmfuZTV3LoKKgCfbtOv
19nUcMbYDxUM7XqplATGfMw=
=CPr8
-----END PGP SIGNATURE-----
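To make the responder's point about the `! -y` rule concrete, here is an added example (written for this edit, not code from the thread, from the original poster or from Red Hat): a small Python model of ipchains first-match evaluation that parses the quoted input chain verbatim and runs constructed packets through it. `Packet`, `Rule`, `parse_rule`, `evaluate` and the sample packets are my own constructions; `-s 0/0`/`-d 0/0` are treated as match-all and `-l` logging is ignored as it does not change the verdict. The `-y` semantics follow the ipchains manual: SYN set with ACK and FIN clear, i.e. a new-connection request.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed test packet: only the fields the quoted rules look at."""
    iface: str
    proto: str           # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


@dataclass
class Rule:
    chain: str
    target: str = ""
    iface: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn_match: Optional[bool] = None   # True = "-y", False = "! -y", None = flag not tested


def parse_rule(cmd: str) -> Rule:
    """Parse the subset of ipchains syntax used in the quoted ruleset (hypothetical helper)."""
    toks = cmd.split()
    if toks[:2] != ["ipchains", "-A"]:
        raise ValueError("only 'ipchains -A <chain> ...' lines are modelled")
    setters = {"-i": ("iface", str), "-p": ("proto", str), "-j": ("target", str),
               "--sport": ("sport", int), "--dport": ("dport", int)}
    rule, negate, it = Rule(chain=toks[2]), False, iter(toks[3:])
    for t in it:
        if t == "!":                  # "!" negates the option that follows it
            negate = True
            continue
        if t in setters:
            field, conv = setters[t]
            setattr(rule, field, conv(next(it)))
        elif t == "-y":               # "-y" matches SYN-only; "! -y" matches everything else
            rule.syn_match = not negate
        elif t in ("-s", "-d"):       # the page only uses 0/0, which matches every address
            next(it)
        elif t != "-l":               # "-l" just logs; anything else is outside this model
            raise ValueError(f"unsupported token {t!r}")
        negate = False
    return rule


def is_syn_only(p: Packet) -> bool:
    """ipchains -y: TCP with SYN set and ACK and FIN clear (a new-connection request)."""
    return p.proto == "tcp" and p.syn and not p.ack and not p.fin


def matches(r: Rule, p: Packet) -> bool:
    return ((r.iface is None or r.iface == p.iface)
            and (r.proto is None or r.proto == p.proto)
            and (r.sport is None or r.sport == p.sport)
            and (r.dport is None or r.dport == p.dport)
            and (r.syn_match is None or is_syn_only(p) == r.syn_match))


def evaluate(chain: List[Rule], policy: str, p: Packet) -> str:
    """First matching rule decides, as in ipchains; otherwise the chain policy applies."""
    for r in chain:
        if matches(r, p):
            return r.target
    return policy


# The input-chain lines exactly as quoted in the thread, in their original order
# (the "debugging" REJECT line is appended last, so it catches everything unmatched).
INPUT_CHAIN = [parse_rule(line) for line in """
ipchains -A input -i eth0 -p tcp --dport 20 -j ACCEPT
ipchains -A input -i eth0 -p tcp --dport 21 -j ACCEPT
ipchains -A input -i eth0 -p tcp --dport 22 -j ACCEPT
ipchains -A input -i eth0 -p tcp --dport 25 -j ACCEPT
ipchains -A input -i eth0 -p tcp --dport 80 -j ACCEPT
ipchains -A input -i eth0 -p tcp --dport 53 -j ACCEPT
ipchains -A input -i eth0 -p udp --dport 53 -j ACCEPT
ipchains -A input -i eth0 -p tcp --dport 110 -j ACCEPT
ipchains -A input -i eth0 -p tcp --dport 143 -j ACCEPT
ipchains -A input -i eth0 -p tcp --dport 113 -j ACCEPT
ipchains -A input -i eth0 -p udp --dport 113 -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 -l -j REJECT
""".strip().splitlines()]
INPUT_POLICY = "DENY"


def input_verdicts() -> Dict[str, str]:
    """Constructed packets and what the quoted input chain does with each of them."""
    cases = {
        "new_http_syn":          Packet("eth0", "tcp", 51000, 80, syn=True),
        "new_syn_unlisted_port": Packet("eth0", "tcp", 51000, 8080, syn=True),
        "syn_ack_reply_to_us":   Packet("eth0", "tcp", 80, 40000, syn=True, ack=True),
        "unsolicited_ack_8080":  Packet("eth0", "tcp", 51000, 8080, ack=True),
        "udp_unlisted_port":     Packet("eth0", "udp", 51000, 123),
        "http_syn_other_iface":  Packet("eth1", "tcp", 51000, 80, syn=True),
    }
    return {name: evaluate(INPUT_CHAIN, INPUT_POLICY, p) for name, p in cases.items()}
```

Running `input_verdicts()` shows both sides of the responder's remark. The SYN-ACK that answers one of the host's own outbound connections is accepted only because of the `! -y` line (no other input rule mentions an ephemeral destination port), which is why removing it breaks "connecting to outside". The same line, however, accepts any TCP segment that is not a bare SYN, so an unsolicited ACK to an unlisted port such as 8080 is admitted while a SYN to that port is rejected; a stateless filter cannot tell a reply from a stray packet. The usual mitigation is connection tracking (the iptables `state`/`conntrack` match with ESTABLISHED,RELATED), which admits replies to connections the host opened without a blanket non-SYN rule. The other verdicts also confirm that packets on any interface other than eth0 fall straight through to the logging REJECT rule.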