Hey all, I recently built a Debian box and I'm giving it my first attempt at ipchains. I read the HOWTO and found it to be fairly non-practical. It's more of an ipchains manual, not really a howto. Anyway, I have a basic script that's giving me a bit of trouble. I start out with DENY on input, output and forward, and the accept rules on input are giving me some problems. Anyway, here it is:

------ cut here -----
#!/bin/sh
# reset everything
/sbin/ipchains -F

# deny outside
/sbin/ipchains -P input DENY
/sbin/ipchains -P forward DENY

# outgoing is ok
/sbin/ipchains -P output ACCEPT

# taken from the ipchains howto
# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160

# enable ip masq
/sbin/ipchains -A forward -i eth1 -s 10.10.10.0/24 -j MASQ

# set up incoming
# allow ssh in
/sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 ssh -j ACCEPT
/sbin/ipchains -A input -i eth1 -p UDP -s 0/0 -d 0/0 ssh -j ACCEPT

# allow ftp
/sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 ftp -j ACCEPT
/sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 ftp-data -j ACCEPT

# allow domain
/sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 domain -j ACCEPT
/sbin/ipchains -A input -i eth1 -p UDP -s 0/0 -d 0/0 domain -j ACCEPT

# web
/sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 www -j ACCEPT
/sbin/ipchains -A input -i eth1 -p UDP -s 0/0 -d 0/0 www -j ACCEPT

# cvs
/sbin/ipchains -A input -i eth1 -p TCP -s 0/0 -d 0/0 cvspserver -j ACCEPT

# icmp is ok
/sbin/ipchains -A input -i eth1 -p ICMP -j ACCEPT

# internal is good, open up
/sbin/ipchains -A input -i eth0 -p TCP -j ACCEPT
/sbin/ipchains -A input -i eth0 -p UDP -j ACCEPT
/sbin/ipchains -A input -i eth0 -p ICMP -j ACCEPT
--- cut here ----

My internal NIC is eth0, and the external one is eth1. With these rules, no packets go in or out? What am I missing?
thanks -Gabe
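The script above makes the input policy DENY but never accepts the two kinds of traffic a stateless filter like ipchains has to be told about explicitly: packets on the loopback interface, and the replies that come back on eth1 to the unprivileged ports used by the box's own clients and by masqueraded LAN hosts. Everything the box sends out is allowed by the output policy, but every answer is dropped, which looks exactly like "nothing goes in or out". The script below is an added example, not part of the original post: it keeps the poster's interfaces (eth0 inside, eth1 outside), LAN (10.10.10.0/24) and services, and adds a loopback rule, return-traffic rules that use `! -y` so non-SYN TCP cannot open new connections, and a final logging DENY so the next dropped packet shows up in syslog. The dry-run `IPCHAINS` variable is an assumption of this example; run it as `IPCHAINS=/sbin/ipchains sh firewall.sh` on the real box.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Dry-run by default: prints the ipchains commands instead of running them.
# Set IPCHAINS=/sbin/ipchains to apply the rules for real (assumed path).
IPCHAINS="${IPCHAINS:-echo /sbin/ipchains}"
EXT=eth1            # external interface, from the post
INT=eth0            # internal interface, from the post
LAN=10.10.10.0/24   # internal network, from the post

rule() { $IPCHAINS "$@"; }

apply_rules() {
  # Flush and set default policies: deny inbound and forwarded traffic,
  # allow whatever this box sends out.
  rule -F
  rule -P input DENY
  rule -P output ACCEPT
  rule -P forward DENY

  # Masquerade timeouts (TCP, TCP after FIN, UDP), as in the HOWTO.
  rule -M -S 7200 10 160

  # 1. Loopback. With a DENY input policy, local daemons talking to
  #    127.0.0.1 (resolver, X, syslog over UDP) are silently cut off.
  rule -A input -i lo -j ACCEPT

  # 2. Services offered to the outside, TCP only (ssh and www do not
  #    speak UDP; DNS does, so "domain" gets both).
  for svc in ssh ftp ftp-data domain www cvspserver; do
    rule -A input -i $EXT -p tcp -s 0/0 -d 0/0 $svc -j ACCEPT
  done
  rule -A input -i $EXT -p udp -s 0/0 -d 0/0 domain -j ACCEPT
  rule -A input -i $EXT -p icmp -j ACCEPT

  # 3. Replies on the external interface. ipchains keeps no connection
  #    state, so answers to outbound connections (our own clients and the
  #    masqueraded LAN) arrive on unprivileged ports and must be accepted
  #    explicitly. "! -y" matches only packets without the SYN flag, so
  #    nobody can use this rule to open a new connection to a high port.
  rule -A input -i $EXT -p tcp ! -y -s 0/0 -d 0/0 1024:65535 -j ACCEPT
  # UDP has no SYN; this does expose any UDP listener on a high port, so
  # keep such services off the box or bind them to $INT only.
  rule -A input -i $EXT -p udp -s 0/0 -d 0/0 1024:65535 -j ACCEPT

  # 4. Masquerade the LAN out through the external interface. In the
  #    forward chain -i names the outgoing interface.
  rule -A forward -i $EXT -s $LAN -j MASQ

  # 5. The LAN side is trusted, but only for addresses that belong there.
  rule -A input -i $INT -s $LAN -j ACCEPT

  # 6. Log what falls through before the policy denies it, so the next
  #    "what am I missing" can be read from the kernel log.
  rule -A input -i $EXT -l -j DENY
}

apply_rules
```

Order matters in ipchains because the first matching rule wins: the loopback and service rules come before the broad reply rules, and the logging DENY comes last so it only sees packets nothing else claimed. After loading the rules, `ipchains -L -n -v` shows per-rule packet counters, which is the quickest way to see which rule a blocked packet is actually hitting.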
