[OLUG] [ot] ipchains and internet
puzzled
puzzled at home.com
Thu Mar 9 14:31:57 UTC 2000
go to www.freshmeat.net and search for pmfirewall. Install this package and
examine what it does ... its the best route I know to a solid firewall ruleset.
Understand that the odds of you experiencing any trouble with a dial in
connection are slightly less than zero. I am a channel operator for #hack on
undernet and I backhand script kiddies on a regular basis with kick/ban and
some times I'm in the mood for testing whats on packetstorm and they make good
guinea pigs - I pretty much court disaster from the same static IP on a regular
basis and I've only had serious trouble once or twice and then it only comes
from the other @s on the channel.
I see a couple of things that need to change here if you really want to write
your own ruleset by hand:
DNS starts with UDP/53 but if the reply is larger than 512 bytes a TCP
connection is established to return the information - just duplicate the DNS
entries with the protocol of TCP in addition to UDP.
You allow port 80 (http) but not port 443 (secure http). Duplicate the
entries for http with this port number.
You might want to get familiar with tcpdump if you really want to hand tune a
ruleset. When you start having trouble you run tcpdump to see exactly what is
happening. If you're not familiar with sniffers I'd suggest you immediately
proceed to Borders and get copy of W Richard Stevens TCP/IP illustrated volume
one. Illustrated is kind of a lie - its all text tcpdump stuff - if you want
real 'illustration' there is a package called ethereal that works pretty well
as a graphical analyzer - its an easier way to learn IMHO.
ktb wrote:
> I'm trying to set up ipchains so that I block everything out except Internet
> http access and the ability to use my network internally. I've included the
> following script which works except for accessing the Internet. I basically
> copied this script out of "Linux Firewalls." The book says I need to be
> able to access a DNS and have access to port 80 to access the internet. I
> was wondering if anyone on this list knows chains well enough to suggest how
> I would modify this script to access the Internet? I know most of what the
> script is saying I just don't know why it doesn't work.
> Thanks,
> kent
> ____________________________________________________________
> #!/bin/sh
>
> LOOPBACK_INTERFACE="lo"
> LAN_INTERFACE="eth0"
> EXTERNAL_INTERFACE="ppp0"
>
> ANYWHERE="any/0"
> IPADDR="192.168.xx.x" #My IP Address
> UNPRIVPORTS="1024:65535"
> NAMESERVER="xxx.xxx.xxx.x" # MY ISP's DNS
>
> ipchains -F input
> ipchains -F output
> ipchains -F forward
>
> ipchains -P input DENY
> ipchains -P output REJECT
> ipchains -P forward REJECT
>
> ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
> ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
>
> ipchains -A input -i $LAN_INTERFACE -j ACCEPT
> ipchains -A output -i $LAN_INTERFACE -j ACCEPT
>
> # Access DNS
> ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
> -s $IPADDR $UNPRIVPORTS \
> -d $NAMESERVER 53 -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> -s $NAMESERVER 53 \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
> # Access Internet
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $ANYWHERE 80 -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $ANYWHERE 80 \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
> -------------------------------------------------------------------------
> Sent by OLUG Mailing list Manager, run by ezmlm. http://olug.bstc.net/
> To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net`
-------------------------------------------------------------------------
Sent by OLUG Mailing list Manager, run by ezmlm. http://olug.bstc.net/
To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net`
More information about the OLUG
mailing list