[OLUG] firewall ruleset now works

puzzled puzzled at home.com
Fri Mar 10 06:19:16 UTC 2000



Notice my incredible technological advance of *not* formatting this
information with HTML. Took me longer to clean the tags out of it than
to fix it. I leave the placement of ! -y to those more paranoid than I
... works fine on my box. Note that you have a *long* way to go if you
want to provide service to other systems behind the firewall. You can't
just turn on masquerading and expect this to do anything ... it's too
paranoid :-)



/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
/sbin/ipchains -P input DENY
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT


# www set to fast. nothing is fast on a dial in connection :-)
#/sbin/ipchains -A output -i eth1 -p tcp -d 0/0 80 -t 0x01 0x10

# Allow outgoing packets - this works for web only
/sbin/ipchains -A output -i eth1 -p tcp -s 24.3.233.101 -d 0/0 80 -j ACCEPT
/sbin/ipchains -A output -i eth1 -p tcp -s 24.3.233.101 -d 0/0 443 -j ACCEPT

# Allow returning packets for web only
/sbin/ipchains -A input -i eth1 -p tcp -s 0/0 80 -d 24.3.233.101 1024: -j ACCEPT
/sbin/ipchains -A input -i eth1 -p tcp -s 0/0 443 -d 24.3.233.101 1024: -j ACCEPT

# DNS like I said *must* have TCP/53 as well as UDP/53 if we really want
# DNS to work
/sbin/ipchains -A output -i eth1 -p udp -s 24.3.233.101 -d 24.3.232.33 53 -j ACCEPT
/sbin/ipchains -A output -i eth1 -p tcp -s 24.3.233.101 -d 24.3.232.33 53 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p udp -s 24.3.232.33 -d 24.3.233.101 1024: -j ACCEPT
/sbin/ipchains -A input -i eth1 -p tcp -s 24.3.232.33 -d 24.3.233.101 1024: -j ACCEPT

# ICMP isn't much use if its only allowed to return to you, eh?
/sbin/ipchains -A output -i eth1 -p icmp -s 24.3.233.101 -d 0/0 -j ACCEPT

# original ICMP rules
/sbin/ipchains -A input -i eth1 -p icmp -s 0/0 0 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p icmp -s 0/0 3 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p icmp -s 0/0 4 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p icmp -s 0/0 11 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p icmp -s 0/0 12 -j ACCEPT


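The poster leaves the placement of `! -y` to "those more paranoid". The following is an added example, not the poster's script: a small first-match model of the TCP web rules above that shows what the flag changes. Hosts and ports are the post's own; 192.0.2.10 is a constructed remote host, and the ipchains semantics assumed are that `-y` matches only a connection-opening SYN and `! -y` matches everything else.

```python
import ipaddress

# First-match model of the post's ipchains TCP web rules (added example,
# not the poster's script). syn=True stands for '-y' (a new-connection
# SYN), syn=False for '! -y', None for no flag test at all.
ME, ANY, HIGH = "24.3.233.101/32", "0.0.0.0/0", (1024, 65535)   # HIGH is "1024:"
POLICY = {"input": "DENY", "output": "REJECT", "forward": "REJECT"}

def rule(chain, proto, src, sport, dst, dport, syn=None, target="ACCEPT"):
    return dict(chain=chain, proto=proto, src=ipaddress.ip_network(src),
                sport=sport, dst=ipaddress.ip_network(dst), dport=dport,
                syn=syn, target=target)

def port_ok(spec, port):
    if spec is None:                      # no port given: any port matches
        return True
    if isinstance(spec, tuple):           # (lo, hi) range such as 1024:
        return spec[0] <= port <= spec[1]
    return spec == port

def verdict(rules, chain, proto, src, sport, dst, dport, syn):
    """Walk the chain in order; the first matching rule decides, else policy."""
    for r in rules:
        if (r["chain"], r["proto"]) != (chain, proto):
            continue
        if (ipaddress.ip_address(src) not in r["src"]
                or ipaddress.ip_address(dst) not in r["dst"]):
            continue
        if not (port_ok(r["sport"], sport) and port_ok(r["dport"], dport)):
            continue
        if r["syn"] is not None and r["syn"] != syn:
            continue
        return r["target"]
    return POLICY[chain]

def web_rules(strict):
    """The post's four web rules; strict=True adds '! -y' to the return rules."""
    ret = False if strict else None
    return [rule("output", "tcp", ME, None, ANY, 80),
            rule("output", "tcp", ME, None, ANY, 443),
            rule("input", "tcp", ANY, 80, ME, HIGH, syn=ret),
            rule("input", "tcp", ANY, 443, ME, HIGH, syn=ret)]

def compare(strict):
    """(verdict on a reply to our browser, verdict on a fresh inbound SYN
    arriving from source port 80 to some high local port)."""
    rs = web_rules(strict)
    reply = verdict(rs, "input", "tcp", "192.0.2.10", 80, "24.3.233.101", 4321, syn=False)
    fresh = verdict(rs, "input", "tcp", "192.0.2.10", 80, "24.3.233.101", 8080, syn=True)
    return reply, fresh
```

As posted, `compare(False)` accepts both packets: the return rule cannot tell a reply apart from a new connection that merely uses source port 80. With `! -y` on the return rules, `compare(True)` still accepts the reply but drops the fresh SYN to the chain's DENY policy, which is the reason to add the flag on any host with a service listening above port 1024.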
-------------------------------------------------------------------------
Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/ 