Re: Debain Firewalls With Slink
- To: debian-firewall@lists.debian.org (Reply requested)
- Subject: Re: Debain Firewalls With Slink
- From: Graham Lillico +44 1785 782329 <graham.lillico@gecm.com>
- Date: Tue, 18 May 1999 13:55:19 +0000 (GMT)
- Message-id: <4719551318051999/A08633/GCSSTF/11D593771200*@MHS>
- In-reply-to: <2945240918051999/A06967/GCSSTF/11D592582C00@bdwmgt.geccs.gecm.com>
Ok, I think I have decided on which packages to install; what do you think?
Base system (no profiles or tasks)
exim/smail acting as a mail server
squid for web caching
httpd for internal use only
gcc temporarily for kernel recompile
and ipchains
Can anyone take a look at my ipchains rules and tell me if they are ok? I
did the rules from the ipchains HOWTO but I'm not sure if I got them right; I
have attached them to this email.
Thanks again for everyone's help and advice.
Regards
Graham Lillico
#!/bin/bash
#
# Default Policies: Deny Everything
#
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
#
# Flush Previous Rules
# (this must happen before the ppp0 jump rules are added below; flushing
# input/output afterwards would remove those jumps again, so packets on
# ppp0 would never reach the ppp-in/ppp-out chains)
#
ipchains -F input
ipchains -F output
ipchains -F forward
ipchains -F ppp-in 2>/dev/null
ipchains -F ppp-out 2>/dev/null
#
# Create ppp-in Chain
# (user-defined chains cannot have a policy; a packet that matches nothing
# in ppp-in falls back to the input chain, whose policy is DENY)
#
ipchains -X ppp-in 2>/dev/null
ipchains -N ppp-in
ipchains -A input -i ppp0 -j ppp-in
#
# Create ppp-out Chain
#
ipchains -X ppp-out 2>/dev/null
ipchains -N ppp-out
ipchains -A output -i ppp0 -j ppp-out
#
# Prevent IP Spoofing
# (private and loopback addresses must never arrive on the dialup link;
# /16 and /8 cover the whole ranges, not just their first 256 addresses)
#
ipchains -A ppp-in -s 192.168.0.0/16 -l -j DENY
ipchains -A ppp-in -s 10.0.0.0/8 -l -j DENY
ipchains -A ppp-in -s 127.0.0.0/8 -l -j DENY
#
# Only local addresses on eth0, and local addresses only on eth0
#
ipchains -A input -i eth0 -s ! 192.168.2.0/24 -j DENY
ipchains -A input -i ! eth0 -s 192.168.2.0/24 -j DENY
#
# Allow Unlimited Local Network Usage (loopback and the internal LAN)
#
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
ipchains -A output -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#
# Allow Local Network Access To Internet Services
# ("! -y" accepts only packets that are not the opening SYN, i.e. replies to
# connections opened from this side; new inbound connections still hit the
# DENY policy)
#
ipchains -A ppp-in -p tcp ! -y -s 0.0.0.0/0 telnet -i ppp0 -j ACCEPT
ipchains -A ppp-out -p tcp -i ppp0 -d 0.0.0.0/0 telnet -j ACCEPT
#
ipchains -A ppp-in -p tcp ! -y -s 0.0.0.0/0 www -i ppp0 -j ACCEPT
ipchains -A ppp-out -p tcp -i ppp0 -d 0.0.0.0/0 www -j ACCEPT
#
ipchains -A ppp-in -p tcp ! -y -s 0.0.0.0/0 ftp -i ppp0 -j ACCEPT
ipchains -A ppp-out -p tcp -i ppp0 -d 0.0.0.0/0 ftp -j ACCEPT
#
# Active FTP: the remote server opens the data connection from port ftp-data,
# so inbound SYNs from that source port are accepted here
#
ipchains -A ppp-in -p tcp -s 0.0.0.0/0 ftp-data -i ppp0 -j ACCEPT
ipchains -A ppp-out -p tcp -i ppp0 -d 0.0.0.0/0 ftp-data -j ACCEPT
#
ipchains -A ppp-in -p tcp ! -y -s 0.0.0.0/0 smtp -i ppp0 -j ACCEPT
ipchains -A ppp-out -p tcp -i ppp0 -d 0.0.0.0/0 smtp -j ACCEPT
#
ipchains -A ppp-in -p tcp ! -y -s 0.0.0.0/0 pop3 -i ppp0 -j ACCEPT
ipchains -A ppp-out -p tcp -i ppp0 -d 0.0.0.0/0 pop3 -j ACCEPT
#
# DNS answers arrive as UDP from source port domain
#
ipchains -A ppp-in -p udp -s 0.0.0.0/0 domain -i ppp0 -j ACCEPT
ipchains -A ppp-out -p udp -i ppp0 -d 0.0.0.0/0 domain -j ACCEPT
#
# Deny Access To Specific Hosts/Services
#
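To check the logic of the attached ruleset without an ipchains box at hand, here is a small model of ipchains chain traversal (an added example, not part of the mail or of the ipchains HOWTO). It models a subset of the input/ppp-in rules and constructed sample packets, and shows why the "! -y" reply rules only work when the anti-spoof mask covers the whole private range, and why the input chain must be flushed before the jump to ppp-in is added.

```python
from ipaddress import ip_address, ip_network

# A rule is (iface, proto, src_net, src_port, syn, target); None = wildcard.
# syn: True models "-y" (SYN only), False models "! -y" (non-SYN only).
def match(rule, pkt):
    iface, proto, src, sport, syn, _target = rule
    return ((iface is None or iface == pkt["iface"])
            and (proto is None or proto == pkt["proto"])
            and (src is None or ip_address(pkt["src"]) in ip_network(src))
            and (sport is None or sport == pkt["sport"])
            and (syn is None or syn == pkt["syn"]))

def walk(chains, policies, name, pkt):
    """Traverse a chain; a user chain with no match returns None (fall-through)."""
    for rule in chains[name]:
        if match(rule, pkt):
            target = rule[5]
            if target not in chains:      # terminal target: ACCEPT/DENY/REJECT
                return target
            verdict = walk(chains, policies, target, pkt)
            if verdict is not None:       # user chain decided; else keep going
                return verdict
    return policies.get(name)             # built-in policy, None for user chains

POLICIES = {"input": "DENY"}

def chains(spoof_net):
    """input/ppp-in subset of the posted script with a configurable anti-spoof mask."""
    return {"input": [("ppp0", None, None, None, None, "ppp-in"),
                      ("eth0", None, None, None, None, "ACCEPT")],
            "ppp-in": [(None, None, spoof_net, None, None, "DENY"),  # anti-spoof
                       (None, "tcp", None, 80, False, "ACCEPT")]}    # ! -y www

def verdict(pkt, rules):
    return walk(rules, POLICIES, "input", pkt)

# Constructed sample packets arriving on the dialup (ppp0) and LAN (eth0) links.
WWW_REPLY = dict(iface="ppp0", proto="tcp", src="198.51.100.7", sport=80, syn=False)
WWW_SYN = dict(iface="ppp0", proto="tcp", src="198.51.100.7", sport=80, syn=True)
SPOOFED = dict(iface="ppp0", proto="tcp", src="10.1.2.3", sport=80, syn=False)
LAN = dict(iface="eth0", proto="tcp", src="192.168.2.5", sport=1234, syn=True)

WIDE = chains("10.0.0.0/8")      # whole private range
NARROW = chains("10.0.0.0/24")   # only the first 256 addresses of it
# Flushing "input" after the jump to ppp-in was added leaves only the rules
# added after the flush, so nothing arriving on ppp0 ever reaches ppp-in.
FLUSHED = {"input": WIDE["input"][1:], "ppp-in": WIDE["ppp-in"]}
```

With the narrow mask a spoofed non-SYN packet from 10.1.2.3 with source port 80 is accepted by the www reply rule; with the whole /8 it is denied and logged, and with the flushed input chain even genuine replies are denied.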