[OLUG] [ot] ipchains and internet
ktb
xyf at inetnebr.com
Fri Mar 10 02:43:45 UTC 2000
----- Original Message -----
From: puzzled <puzzled at home.com>
To: <olug at bstc.net>
Sent: Thursday, March 09, 2000 8:31 AM
Subject: Re: [OLUG] [ot] ipchains and internet
> go to www.freshmeat.net and search for pmfirewall. Install this package and
> examine what it does ... it's the best route I know to a solid firewall ruleset.
I installed pmfirewall already, thought I could get an understanding but I
kept getting 'Chain name doesn't exist' (or something like that) errors. I
would like to learn how to write chains anyway so I got rid of the program.
> Understand that the odds of you experiencing any trouble with a dial-in
> connection are slightly less than zero. I am a channel operator for #hack on
> undernet and I backhand script kiddies on a regular basis with kick/ban and
> sometimes I'm in the mood for testing what's on packetstorm and they make good
> guinea pigs - I pretty much court disaster from the same static IP on a regular
> basis and I've only had serious trouble once or twice and then it only comes
> from the other @s on the channel.
Ok, I'm just interested and want to learn more about Internet security and
at some point I would like to have my own server on the net. I'm not
paranoid yet :)
<snip>
I've been messing with the chains still to no avail. If I set 'input,
output and forward' to ACCEPT I can log into the Internet and view web
pages through Squid on another machine just fine. But when I set everything
to DENY and REJECT and then set up rules to access the Internet I can't. I
can log onto the Internet but I can't ping my ISP or view the web with Lynx
from my firewall even though I am online. What am I missing? I set
everything up as you suggested in the last message and I can't ping or
anything. I've also seen another set of rules online that I tried to follow
and still can't ping or use Lynx. The new script is below. I have also
tried substituting port 80 with "www" and port 443 with "https".
Thanks,
kent
-------------------------------------------------------------------------------
# Flush all three built-in chains, then set restrictive default policies
ipchains -F input
ipchains -F output
ipchains -F forward
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT
# www set to fast (TOS-only rule: no -j target, so it never decides a packet)
ipchains -A output -i ppp0 -p tcp -d 0/0 80 -t 0x01 0x10
# Allow outgoing packets (HTTP and HTTPS from unprivileged source ports)
ipchains -A output -i ppp0 -p tcp -s 192.168.10.1 1024: -d 0/0 80 -j ACCEPT
ipchains -A output -i ppp0 -p tcp -s 192.168.10.1 1024: -d 0/0 443 -j ACCEPT
# Allow returning packets ("! -y" = anything except a new-connection SYN)
ipchains -A input -i ppp0 -p tcp ! -y -s 0/0 80 -d 192.168.10.1 1024: -j ACCEPT
ipchains -A input -i ppp0 -p tcp ! -y -s 0/0 443 -d 192.168.10.1 1024: -j ACCEPT
# High-port to high-port TCP in both directions (replies only on input)
ipchains -A output -i ppp0 -p tcp -s 192.168.10.1 1024: -d 0/0 1024:65535 -j ACCEPT
ipchains -A input -i ppp0 -p tcp ! -y -s 0/0 1024:65535 -d 192.168.10.1 1024:65535 -j ACCEPT
# DNS (queries out to the ISP resolver, answers back to unprivileged ports)
ipchains -A output -i ppp0 -p udp -s 192.168.10.1 -d xxx.xxx.xxx.x domain -j ACCEPT # xxx.xxx.xxx.x my isp's DNS
ipchains -A input -i ppp0 -p udp -s xxx.xxx.xxx.x -d 192.168.10.1 1024: -j ACCEPT
# Inbound ICMP by type: 0 echo-reply, 3 unreachable, 4 source quench,
# 11 time exceeded, 12 parameter problem (no outbound ICMP rule is defined)
ipchains -A input -i ppp0 -p icmp -s 0/0 0 -j ACCEPT
ipchains -A input -i ppp0 -p icmp -s 0/0 3 -j ACCEPT
ipchains -A input -i ppp0 -p icmp -s 0/0 4 -j ACCEPT
ipchains -A input -i ppp0 -p icmp -s 0/0 11 -j ACCEPT
ipchains -A input -i ppp0 -p icmp -s 0/0 12 -j ACCEPT
-------------------------------------------------------------------------
Sent by OLUG Mailing list Manager, run by ezmlm. http://olug.bstc.net/
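As an added illustration (not code from the thread or from pmfirewall): a small Python model of ipchains first-match evaluation loaded with the ruleset above, so each packet from the failing tests can be traced to the rule or default policy that decides it. It assumes the ppp0 address 10.0.0.5, the resolver 198.51.100.53 (standing in for xxx.xxx.xxx.x) and the remote hosts 203.0.113.x, all constructed; it omits the TOS-only rule, which decides nothing.

```python
import ipaddress

# Simplified ipchains matcher (constructed model, not ipchains itself).
# Rule fields: chain, proto, src net, src ports, dst net, dst ports,
# syn_ok (False models "! -y"), target. For ICMP the src-port slot holds
# the ICMP type; None means any port.
ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.10.1/32")       # address named in the rules
ISP_DNS = ipaddress.ip_network("198.51.100.53/32")  # constructed stand-in for xxx.xxx.xxx.x
HIGH = (1024, 65535)
RULES = [
    ("output", "tcp", LAN, HIGH, ANY, (80, 80), True, "ACCEPT"),
    ("output", "tcp", LAN, HIGH, ANY, (443, 443), True, "ACCEPT"),
    ("input", "tcp", ANY, (80, 80), LAN, HIGH, False, "ACCEPT"),
    ("input", "tcp", ANY, (443, 443), LAN, HIGH, False, "ACCEPT"),
    ("output", "tcp", LAN, HIGH, ANY, HIGH, True, "ACCEPT"),
    ("input", "tcp", ANY, HIGH, LAN, HIGH, False, "ACCEPT"),
    ("output", "udp", LAN, None, ISP_DNS, (53, 53), True, "ACCEPT"),
    ("input", "udp", ISP_DNS, None, LAN, HIGH, True, "ACCEPT"),
] + [("input", "icmp", ANY, (t, t), ANY, None, True, "ACCEPT") for t in (0, 3, 4, 11, 12)]
POLICY = {"input": "DENY", "output": "REJECT", "forward": "REJECT"}

def in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]

def verdict(chain, proto, src, sport, dst, dport, syn=False):
    """Return the target of the first matching rule, else the chain's policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_chain, r_proto, r_src, r_sp, r_dst, r_dp, syn_ok, target in RULES:
        if (r_chain, r_proto) != (chain, proto) or s not in r_src or d not in r_dst:
            continue
        if not in_range(sport, r_sp) or not in_range(dport, r_dp) or (syn and not syn_ok):
            continue
        return target
    return POLICY[chain]

PPP = "10.0.0.5"  # constructed: the address the ISP assigned to ppp0 this session

def why_it_fails():
    """Trace the two symptoms from the post: Lynx and ping run on the firewall."""
    return {
        # Lynx: a packet the firewall sends out ppp0 carries the ppp0 address,
        # so every "-s 192.168.10.1" rule is skipped and the REJECT policy wins
        "lynx_out_via_ppp0": verdict("output", "tcp", PPP, 1025, "203.0.113.10", 80, syn=True),
        # the same packet is accepted only if it really came from 192.168.10.1
        "lynx_out_if_src_were_lan": verdict("output", "tcp", "192.168.10.1", 1025, "203.0.113.10", 80, syn=True),
        # ping: no output rule admits ICMP echo-request (type 8) at all
        "ping_request_out": verdict("output", "icmp", PPP, 8, "203.0.113.1", 0),
        # echo-reply (type 0) would be let in, but the request never left
        "ping_reply_in": verdict("input", "icmp", "203.0.113.1", 0, PPP, 0),
    }
```

The same trace can be repeated for any packet by calling verdict() with the chain, protocol, addresses and ports seen in the ipchains log.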