Michael Schwendt wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 11 Mar 2003 22:45:17 +0800, [EMAIL PROTECTED] wrote:
>
> > Hello to you,
> >
> > After the following "iptables-rules" on a Linux Redhat 7.2 server:
> >
> > /etc/rc.d/rc.local :
> > iptables -F
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> > iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
> > iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
> > iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
> > iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
> >
> > Then, Internet users can only use the port numbers (services) 80 (Web) and 53 (DNS)...
> >
> > On a Linux Redhat 6.x server, we can only use the "ipchains-rules" function:
>
> You cannot compare iptables and ipchains easily, because in the above
> rules you used features which are not available with ipchains.
>
> > ipchains -F
> > ipchains -A input -i eth0 -p tcp --dport 80 -j ACCEPT
> > ipchains -A input -i eth0 -p tcp --dport 53 -j ACCEPT
> > ipchains -A input -i eth0 -p udp --dport 53 -j ACCEPT
> >
> > But how can we only allow users to use the port numbers (services) 80 (Web) and 53 (DNS)?
>
> Be sure to look into setting the "default policies" or add rules at
> the end of a chain that drop all other traffic (DENY or REJECT).
>
> Observe that a connection has two end-points and that at each
> end-point, data are both received _and_ sent. In your example of a
> web server, your machine receives incoming traffic at _destination_
> port 80, but sends outgoing traffic from _source_ port 80. So, what
> you want is to disallow everything and allow only traffic _to_ and
> _from_ your ports 80 and 53.
>
> Add:
>
> ipchains --policy input DENY
> ipchains --policy output DENY
> ## Allow outgoing traffic from your HTTP/DNS server.
> ipchains -A output -i eth0 -p tcp --sport 80 -j ACCEPT
> ipchains -A output -i eth0 -p tcp --sport 53 -j ACCEPT
> ipchains -A output -i eth0 -p udp --sport 53 -j ACCEPT
> ## Debugging rules.
> ipchains -A input -s 0/0 -d 0/0 -l -j REJECT
> ipchains -A output -s 0/0 -d 0/0 -l -j REJECT
>
> Note however, that your set of rules is incomplete, and you would
> want to allow access to the loopback device, for instance.
Hello,

I find studying firewall settings very hard... So, if I only allow the services (e.g. www, smtp, pop3, imap, ftp, dns, telnet, ssh, auth), how do I set up the complete ipchains rules? Is there any sample posted here?

Thank you very much for your help!

Edward.

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list