[KLUG Members] IPChains problem

Adam Williams members@kalamazoolinux.org
09 Jun 2002 09:11:35 -0400

>This might seem like a trivial example to some, but since I'm 
>fairly new to ipchains/iptables, I thought I would ask this
>one, since [a] I need an answer, and [b] it's a good, fairly 
>simple question that applies to ipchains and iptables, too (IMO).
>What I want to do....
>I want to stop anything BUT http (80) ssh (22), DNS (53) ftp
>(20/21), and ICMP messages (the consequences of blocking those
>are fairly clear and nasty) for getting IN or OUT of this box.
> These rules seem to be real successful in keeping everything
>else OUT:
>-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
>-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
>-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
>-A input -s ! here 1027 -p tcp -y -j REJECT
>-A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
>-A input -s thedns 53 -d 0/0 -p udp -j ACCEPT
>-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
>-A input -s 0/0 -d 0/0 -p udp -j REJECT

What is your default policy?

What does the forward chain look like?

>Note: "here" is the ip address of the interface on the local 
>machine, "thedns" is the primary dns server for this host. 

What is the rationale behind
-A input -s ! here 1027 -p tcp -y -j REJECT
I don't 'get' that one?

>For some reason I thought it would be better to apply this
>to the forward chain:
>-A forward -s here 80 -d 0/0 -p tcp -y -j ACCEPT
>-A forward -s here 21 -d 0/0 -p tcp -y -j ACCEPT
>-A forward -s here 22 -d 0/0 -p tcp -y -j ACCEPT
>-A forward -s here 53 -d 0/0 -p tcp -y -j ACCEPT
>-A forward -s here 53 -d 0/0 -p udp -j ACCEPT
>-A forward -s here 53 -d thedns -p udp -j ACCEPT
>-A forward -s here 53 -d thedns -p tcp -j ACCEPT
>-A forward -s here -d 0/0 -p ! icmp -j REJECT -l

You should be able to control traffic on the 'input' chain.

>Doesn't seem to help. I can STILL contact an NNTP (port 119)

Does HTTP work?

>server, for example, with either chain (or both) in place.
>If anyone has any sage advice, show me where I've simply missed
>the boat, or can otherwise reduce my evident ignorance, I'll
>be in your debt... well, not forever, but for at least a really
>long time...
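Added example, not from the thread: a small Python model of ipchains first-match evaluation run over the quoted input chain, together with the kernel 2.2 chain-traversal rule. It assumes a default policy of ACCEPT (the post does not state one), keeps "here"/"thedns" as symbolic names, and uses "remote" and port 40000 as constructed packet values.

```python
INPUT_RULES = [          # copied from the post; "here"/"thedns" stay symbolic
    "-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT",
    "-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT",
    "-A input -s 0/0 -d 0/0 -i lo -j ACCEPT",
    "-A input -s ! here 1027 -p tcp -y -j REJECT",
    "-A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT",
    "-A input -s thedns 53 -d 0/0 -p udp -j ACCEPT",
    "-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT",
    "-A input -s 0/0 -d 0/0 -p udp -j REJECT",
]
def parse(rule):
    """Reduce one ipchains rule line to the fields this model matches on."""
    t, r = rule.split(), {"s": None, "sport": None, "d": None, "dport": None,
                          "p": None, "i": None, "j": None, "syn": False, "neg": set()}
    i = 2                                   # skip "-A <chain>"
    while i < len(t):
        tok = t[i]; i += 1
        if tok in ("-y", "-l"):             # -y: SYN-only match, -l: just log
            r["syn"] |= tok == "-y"
        else:                               # -s/-d/-p/-i/-j take one argument
            if t[i] == "!":                 # "-s ! here" negates that field
                r["neg"].add(tok[1]); i += 1
            r[tok[1]] = t[i]; i += 1
            if tok in ("-s", "-d") and i < len(t) and t[i].isdigit():
                r["sport" if tok == "-s" else "dport"] = int(t[i]); i += 1
    return r
def matches(r, pkt):
    """Every field the rule names must match the packet; 0/0 means any host."""
    for k in ("s", "d", "p", "i"):
        if r[k] not in (None, "0/0") and (r[k] == pkt[k]) == (k in r["neg"]):
            return False
    if any(r[k] is not None and r[k] != pkt[k] for k in ("sport", "dport")):
        return False
    return pkt["syn"] or not r["syn"]
def evaluate(rules, pkt, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy (ACCEPT assumed)."""
    for n, r in enumerate(rules):
        if matches(r, pkt):
            return r["j"], n                # (target, index of the deciding rule)
    return policy, None
def chains_traversed(pkt, local="here"):
    """Kernel 2.2: to-host packets cross input only, host-generated ones output only."""
    if pkt["d"] == local:
        return ["input"]
    return ["output"] if pkt["s"] == local else ["input", "forward", "output"]
def nntp_syn(inbound):
    """A new connection to port 119: inbound to this box, or opened by it (constructed)."""
    s, d = ("remote", "here") if inbound else ("here", "remote")
    return {"s": s, "sport": 40000, "d": d, "dport": 119, "p": "tcp", "i": "eth0", "syn": True}
```

Evaluating a new inbound connection to port 119 ends at rule index 4 (the `-i eth0` ACCEPT), so the later REJECT rules are never reached; a connection the box itself opens crosses only the output chain, which the posted forward rules never see.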