[KLUG Members] IPChains problem

Rusty Yonkers members@kalamazoolinux.org
Tue, 11 Jun 2002 12:06:16 -0700 (PDT)


> I think my problem is elsewhere. Let's take a look at my refined
> ruleset:
>
> #accept HTTP and FTP from anywhere, in and outbound 
> # (http and ftp servers on the local host)
> -A input -s $myip -d 0/0 80 -p tcp -b -j ACCEPT
Try 

-A input -s 0/0 1024: -d $myip 1024: -p tcp -b -j ACCEPT

This should work well.  You do not have to worry about guarding
against the SYN attack since you are running a server and by
definition have to be able to receive SYN packets (this is one area I
was wrong in earlier).  This will prevent a packet coming from a
client using a port below 1024.  You can do the reverse, but this
thinks of your machine as the destination (which is the way I like to
think of the server machine).

> -A input -s $myip -d 0/0 20 -p tcp -b -j ACCEPT
> -A input -s $myip -d 0/0 21 -p tcp -b -j ACCEPT

For ftp try 

-A input -s 0/0 1024: -d $myip 21 -p tcp -j ACCEPT
-A input -s $myip 20 -d 0/0 1024: -p tcp -j ACCEPT

This will set up your server.  If you want to use the computer as an
ftp client as well, I would set up a second set of rules so that you
can clearly tell that you are allowing the machine to be an ftp
client.  This rule set would look like:

-A input -s $myip 1024: -d 0/0 21 -p tcp -j ACCEPT
-A input -s 0/0 20 -d $myip 1024: -p tcp -j ACCEPT

I always want to be able to clearly tell what the script is doing.  I
also copiously comment my rules.  

> 
> # accept DNS from my DNS server (TCP or UDP)
> -A input -s $dns 53 -j ACCEPT

Try

-A input -s $dns 53 -d $myip 1024: -p udp -b -j ACCEPT

> -A input -l -j DENY
> 
> myip is my IP address.
> dns  is the dns server address.

By the way, is the DNS server behind the firewall server or is it
another machine on the Internet?



=====
Truth is truth ... no matter what I think...
-----------------------------------------
Department of Redundancy Department
-----------------------------------------
Devoted RedHat fan...
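A toy evaluator for the ipchains subset used in this thread, added here as an example (it is not code from the original post or from the reply); MYIP and REMOTE are constructed addresses. It replays the quoted FTP rule and the reply's two server rules against two constructed packets: a client connecting to port 21, and a packet arriving from remote port 21 aimed at local port 22. With `-b` and no source-port restriction the quoted rule accepts the second packet but, because its port spec sits on the 0/0 side, not the first; the reply's rules pinned to `1024:` give the opposite verdicts.

```python
"""Toy evaluator for the ipchains subset in this thread (added example, not from the post)."""

MYIP = "192.0.2.10"      # constructed stand-in for the poster's $myip
REMOTE = "198.51.100.7"  # constructed Internet host

def port_range(spec):
    """'21' -> (21, 21); '1024:' -> (1024, 65535); None -> any port."""
    if spec is None:
        return (0, 65535)
    lo, sep, hi = spec.partition(":")
    return (int(lo), int(hi) if hi else 65535) if sep else (int(lo), int(lo))

def parse_rule(text):
    """Handles -s/-d with optional port spec, -p, -b and -j; other flags are skipped."""
    rule = {"src": "0/0", "sport": None, "dst": "0/0", "dport": None,
            "proto": None, "bidir": False, "target": "DENY"}
    toks, i = text.replace("$myip", MYIP).split(), 0
    while i < len(toks):
        t, i = toks[i], i + 1
        if t in ("-s", "-d"):
            side = "src" if t == "-s" else "dst"
            rule[side], i = toks[i], i + 1
            if i < len(toks) and not toks[i].startswith("-"):  # optional port spec
                rule[side[0] + "port"], i = toks[i], i + 1      # sport / dport
        elif t in ("-p", "-j"):
            rule["proto" if t == "-p" else "target"], i = toks[i], i + 1
        elif t == "-b":
            rule["bidir"] = True
    return rule

def _one_way(r, src, sport, dst, dport, proto):
    ok = lambda want, have: want in ("0/0", have)
    in_range = lambda spec, p: port_range(spec)[0] <= p <= port_range(spec)[1]
    return (r["proto"] in (None, proto) and ok(r["src"], src) and ok(r["dst"], dst)
            and in_range(r["sport"], sport) and in_range(r["dport"], dport))

def verdict(rules, pkt):
    """pkt = (src_ip, src_port, dst_ip, dst_port, proto); first match wins, -b tries the reverse."""
    src, sport, dst, dport, proto = pkt
    for r in rules:
        if _one_way(r, *pkt) or (r["bidir"] and _one_way(r, dst, dport, src, sport, proto)):
            return r["target"]
    return "DENY"                         # the trailing "-A input -l -j DENY"

OP_FTP = [parse_rule("-A input -s $myip -d 0/0 21 -p tcp -b -j ACCEPT")]        # quoted rule
REPLY_FTP = [parse_rule("-A input -s 0/0 1024: -d $myip 21 -p tcp -j ACCEPT"),  # reply's server rules
             parse_rule("-A input -s $myip 20 -d 0/0 1024: -p tcp -j ACCEPT")]
CLIENT_LOGIN = (REMOTE, 40000, MYIP, 21, "tcp")  # an FTP client connecting to the server
LOW_PORT_PROBE = (REMOTE, 21, MYIP, 22, "tcp")   # remote host sending from port 21 to local ssh
```

Call `verdict(OP_FTP, pkt)` and `verdict(REPLY_FTP, pkt)` on the two constructed packets to compare the rule sets.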
