[olug] firewall script
Phil Brutsche
pbrutsch at creighton.edu
Wed Sep 20 00:12:34 UTC 2000
A long time ago, in a galaxy far, far way, someone said...
> I was just looking over my firewall script and was wondering if udp/tcp input
> could be affecting my box's inability to ping my DNS??
>
> Gary Martin
>
> mesc wrote:
>
> > I went to http://www.linux-firewall-tools.com/linux/firewall/index.html
> > and had a firewall written for my box and named it rc.firewall and put
> > it in /etc/rc.d.When I boot up it reads starting firewalling........
> > then hangs until I hit ^C then the bootup process resumes normally.Once
> > I'm booted up I can't go anywhere on the net,I get the unknown host
> > error in netscape.I can ping my box but when I ping my domain name
> > server I get operation not permited then the usual ping info with 0
> > packets recieved.Here are some parts of my firewall script to look at.If
> > they aren't the right parts just let me know and I'll send more.
> >
> > # Set the default policy of the filter to deny
> > ipchains -P input DENY
> > ipchains -P output REJECT
> > ipchains -P forward DENY
I think you've gone a little overboard with your firewall script: you're
denying *everything* except DNS (and maybe even that, I didn't look very
closely at your script).
With your script you might as well not have an internet connection.
This would be a good script to start off with (it's some really
stripped-down output from pmfirewall, which some people like), although it
has some flaws:
ipchains -F
ipchains -P input DENY
ipchains -P forward REJECT
ipchains -A input -s 127.0.0.1 -j ACCEPT
ipchains -A input -p tcp -s 0/0 53 -d 0/0 1024: -j ACCEPT
ipchains -A input -p udp -s 0/0 53 -d 0/0 1024: -j ACCEPT
ipchains -A input -p tcp -s 0/0 80 -d 0/0 1024: -j ACCEPT
ipchains -A input -p tcp -s 0/0 443 -d 0/0 1024: -j ACCEPT
An explanation: When you start a web connection, you typically connect to
port 80 on the web server, which then makes a connection *back* to you
from port 80. Since ipchains doesn't have any way of knowing that the
connection back to you is related to an already established connection,
you have to tell it to allow anything coming from port 80.
Port 443 is used by https and is subject to the same problem. Ditto with
DNS.
Bonus points for the first guy that can make that work with iptables in
two lines ie:
iptables -P ...
iptables -A INPUT ...
:)
--
----------------------------------------------------------------------
Phil Brutsche pbrutsch at creighton.edu
"There are two things that are infinite; Human stupidity and the universe.
And I'm not sure about the universe." - Albert Einstein
---------------------------------------------------------------------
To unsubscribe, e-mail: olug-unsubscribe at bstc.net
For additional commands, e-mail: olug-help at bstc.net
More information about the OLUG
mailing list