[OLUG] [ot] ipchains and internet

ktb xyf at inetnebr.com
Thu Mar 9 06:28:08 UTC 2000


I'm trying to set up ipchains so that I block everything out except Internet
HTTP access and the ability to use my network internally.  I've included the
following script, which works except for accessing the Internet.  I basically
copied this script out of "Linux Firewalls."  The book says I need to be
able to access a DNS and have access to port 80 to access the Internet.  I
was wondering if anyone on this list knows chains well enough to suggest how
I would modify this script to access the Internet?  I know most of what the
script is saying; I just don't know why it doesn't work.
Thanks,
kent
____________________________________________________________
#!/bin/sh
# Run this after ppp0 is up (e.g. from /etc/ppp/ip-up): the external
# address is read from the live interface below.

LOOPBACK_INTERFACE="lo"
LAN_INTERFACE="eth0"
EXTERNAL_INTERFACE="ppp0"

ANYWHERE="0.0.0.0/0"              # unambiguous spelling of "any address"
UNPRIVPORTS="1024:65535"
NAMESERVER="xxx.xxx.xxx.x"        # My ISP's DNS

# Address on the EXTERNAL interface. On a dial-up ppp0 link the ISP assigns
# it each time the link comes up, so read it from the interface instead of
# hard-coding it. If the hard-coded 192.168.xx.x is the eth0 (LAN) address,
# no packet leaving or arriving on ppp0 ever carries it, so every output
# rule below keyed on it fails to match and the output policy REJECTs the
# DNS query and the HTTP connection.
IPADDR=`/sbin/ifconfig $EXTERNAL_INTERFACE | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'`
if [ -z "$IPADDR" ]; then
    echo "$0: no address on $EXTERNAL_INTERFACE; is the link up?" >&2
    exit 1
fi

ipchains -F input
ipchains -F output
ipchains -F forward

# Default policies: silently drop unsolicited inbound traffic; refuse (with
# an ICMP error) anything outbound or forwarded that is not explicitly
# allowed. With forward REJECT, LAN hosts cannot reach the Internet through
# this box; only the box itself can.
ipchains -P input   DENY
ipchains -P output  REJECT
ipchains -P forward REJECT

ipchains -A input  -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

ipchains -A input  -i $LAN_INTERFACE -j ACCEPT
ipchains -A output -i $LAN_INTERFACE -j ACCEPT

# Access DNS (UDP only; answers larger than 512 bytes retry over TCP
# port 53, which these rules do not allow)
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $NAMESERVER 53 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# Access Internet (HTTP only). "! -y" on the input rule accepts only
# packets that are not bare SYNs, i.e. replies to connections this host
# opened, never a new connection arriving from port 80.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE 80 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 80 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

-------------------------------------------------------------------------
Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/ 
To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net` 
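Two checks for the situation in the post above, added here as an example and not code from the original message or from "Linux Firewalls": read the live address off the external interface (the value $IPADDR has to hold; on a ppp0 link the ISP assigns it at connect time), compare it with the address the rules are keyed on, and ask the kernel with `ipchains -C` how each leg of a DNS lookup and an HTTP fetch would be treated. The function names (iface_addr, addr_matches, probe_cmd, run_probes), the embedded ifconfig output, and the 203.0.113.x / 198.51.100.x addresses are constructed for the example.

```shell
#!/bin/sh
# Added diagnostic helpers, not part of the original post.
# Hypothetical names: iface_addr, addr_matches, probe_cmd, run_probes.

# Constructed sample of what `/sbin/ifconfig ppp0` printed on a dial-up
# box of the period (net-tools format); 203.0.113.17 is a documentation
# address standing in for the ISP-assigned one.
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.17  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# iface_addr IFCONFIG_TEXT: print the interface's IPv4 address, or nothing
# if the text carries no "inet addr:" line (link down, no address yet).
iface_addr() {
    printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}

# addr_matches SCRIPT_ADDR LIVE_ADDR: succeed only when the address the
# rules are keyed on is the one actually configured on the external
# interface. Rules on ppp0 that name the LAN address can never match.
addr_matches() {
    [ -n "$2" ] && [ "$1" = "$2" ]
}

# probe_cmd CHAIN IFACE PROTO SRC SPORT DST DPORT [flags...]: print the
# ipchains -C invocation that asks the kernel how CHAIN would treat one
# test packet; ipchains -C answers "accepted", "denied" or "rejected".
probe_cmd() {
    p_cmd="ipchains -C $1 -i $2 -p $3 -s $4 $5 -d $6 $7"
    shift 7
    if [ $# -gt 0 ]; then p_cmd="$p_cmd $*"; fi
    printf '%s\n' "$p_cmd"
}

# run_probes IPADDR NAMESERVER: walk the four legs a web fetch needs
# (DNS query out, DNS reply in, HTTP SYN out, HTTP data back in), showing
# each command and running it when ipchains is installed. -y marks the
# outbound HTTP packet as the opening SYN; the reply leg is a non-SYN.
# 198.51.100.80 stands in for an arbitrary web server (constructed).
run_probes() {
    set -- "$1" "$2" 198.51.100.80
    for cmd in \
        "$(probe_cmd output ppp0 udp "$1" 1025 "$2" 53)" \
        "$(probe_cmd input  ppp0 udp "$2" 53 "$1" 1025)" \
        "$(probe_cmd output ppp0 tcp "$1" 1025 "$3" 80 -y)" \
        "$(probe_cmd input  ppp0 tcp "$3" 80 "$1" 1025)"
    do
        printf '%s -> ' "$cmd"
        if command -v ipchains >/dev/null 2>&1; then
            $cmd || true
        else
            echo "(ipchains not installed here)"
        fi
    done
}

# Demonstration on the constructed sample: 192.168.1.1 plays the role of
# a LAN address hard-coded into the rules, so the check fails.
LIVE_ADDR=$(iface_addr "$SAMPLE_IFCONFIG")
if addr_matches "192.168.1.1" "$LIVE_ADDR"; then
    echo "IPADDR matches the ppp0 address $LIVE_ADDR"
else
    echo "IPADDR is not the ppp0 address ($LIVE_ADDR); rules on ppp0 will not match"
fi
run_probes "$LIVE_ADDR" "198.51.100.53"
```

On the real box, run the probes with the actual $IPADDR and $NAMESERVER after loading the rules; a leg that comes back "denied" or "rejected" is the one whose rule does not match the packet the kernel actually sees.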