Ipchains



Hello Group,
I have been running ipchains on a Debian Potato for a while now. Everything
seems to be working great. I do however wonder how secure my firewall
really is. Being a newbie to Linux I have a few questions. I am using
a proxy and when I tell my clients not to use the proxy they still can.
Should that be happening? Also I want to use the mods ip_masq_icq,
ip_masq_ftp etc. Shouldn't I make a rule to DENY all outbound internet
traffic to make the most of the mods? Basically I want a firewall that
not only filters incoming but outgoing. I have attached my firewall
script. Please look at it and give me your opinion. Any help would
be great.
 
-- 

If Windows is the answer, then I want the problems back!                  

Powered by Debian GNU/Linux. 
http://www.debian.org
 
#!/bin/sh
# ipchains firewall script for the gateway (XXX octets as in the posting)
MY_IP=63.207.XXX.XXX
IPCHAINS=/sbin/ipchains

echo -n "Enabling Firewall.."
# Flush the existing ipchains rules
$IPCHAINS -F
# IP spoofing protection: loopback addresses and our own address may only
# arrive on the lo interface
$IPCHAINS -A input -j REJECT -s 127.0.0.0/8 -i ! lo
$IPCHAINS -A input -j REJECT -s $MY_IP -i ! lo
# Block FTP (-A appends the REJECT; the ACCEPT rules below use -I input 1,
# which inserts them at the top of the chain, so the local network is
# matched before the REJECT)
$IPCHAINS -A input -s 0.0.0.0/0 -d $MY_IP ftp -p tcp -j REJECT
$IPCHAINS -A input -s 0.0.0.0/0 -d $MY_IP ftp-data -p tcp -j REJECT
# Allow local network in to FTP
$IPCHAINS -I input 1 -s 192.168.1.0/24 -d $MY_IP ftp -p tcp -j ACCEPT
$IPCHAINS -I input 1 -s 192.168.1.0/24 -d $MY_IP ftp-data -p tcp -j ACCEPT
# Block Telnet
$IPCHAINS -A input -s 0.0.0.0/0 -d $MY_IP telnet -p tcp -j REJECT
# Allow local network in to telnet
$IPCHAINS -I input 1 -s 192.168.1.0/24 -d $MY_IP telnet -p tcp -j ACCEPT
# Block SecureShell
$IPCHAINS -A input -s 0.0.0.0/0 -d $MY_IP 22 -p tcp -j REJECT
# Allow local network in to ssh
$IPCHAINS -I input 1 -s 192.168.1.0/24 -d $MY_IP 22 -p tcp -j ACCEPT
# Allow aphro in to ssh
$IPCHAINS -I input 1 -s 209.162.145.0/24 -d $MY_IP 22 -p tcp -j ACCEPT
$IPCHAINS -I input 1 -s 209.102.24.0/24 -d $MY_IP 22 -p tcp -j ACCEPT
$IPCHAINS -I input 1 -s 216.228.68.0/24 -d $MY_IP 22 -p tcp -j ACCEPT
# Allow neutec in to ssh
$IPCHAINS -I input 1 -s 63.196.XXX.XXX/24 -d $MY_IP 22 -p tcp -j ACCEPT
# Block connections to lpd
$IPCHAINS -A input -s 0.0.0.0/0 -d $MY_IP printer -p tcp -j REJECT
# Allow connections from local network to printer
$IPCHAINS -I input 1 -s 192.168.1.0/24 -d $MY_IP printer -p tcp -j ACCEPT
# Block connections to pop3
$IPCHAINS -A input -s 0.0.0.0/0 -d $MY_IP 110 -p tcp -j REJECT
# Allow connections from local network to pop3
$IPCHAINS -I input 1 -s 192.168.1.0/24 -d $MY_IP 110 -p tcp -j ACCEPT
# Block connections to Finger service
$IPCHAINS -A input -s 0.0.0.0/0 -d $MY_IP 79 -p tcp -j DENY
# Block connections to NetBIOS
$IPCHAINS -A input -s 0.0.0.0/0 -d $MY_IP 139 -p tcp -j DENY
$IPCHAINS -A input -s 0.0.0.0/0 -d $MY_IP 139 -p udp -j DENY
# Block connections to HTTP
$IPCHAINS -A input -s 0.0.0.0/0 -d $MY_IP 80 -p tcp -j DENY
# Block Ident
$IPCHAINS -A input -s 0.0.0.0/0 -d $MY_IP 113 -p tcp -j DENY
# Block HTTPS
$IPCHAINS -A input -s 0.0.0.0/0 -d $MY_IP 443 -p tcp -j DENY
# Block IMAP
$IPCHAINS -A input -s 0.0.0.0/0 -d $MY_IP 143 -p tcp -j DENY
echo "done."

echo -n "Enabling IP Masqing for 192.168.1.0 Network .."
$IPCHAINS -P forward DENY
# Masquerade only the local network (a /0 mask here would masquerade
# every source address, not just 192.168.1.0/24)
$IPCHAINS -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
echo "done."
echo -n "Turning on IP Forwarding .."
echo "1" >/proc/sys/net/ipv4/ip_forward
echo "done."
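
As an added example, not part of the message above or the poster's script: a default-deny forward chain for an ipchains masquerading gateway that masquerades only a short list of LAN destination ports and logs everything else, so LAN clients cannot reach port 80/443 directly and have to go through the gateway's proxy. The function name, LAN, EXT_IF and the port lists are this example's own assumptions; 192.168.1.0/24 is the LAN from the posted script.

```shell
#!/bin/sh
# Added example (not the original poster's script): default-deny forward
# chain for an ipchains masquerading gateway. Assumed names: the function,
# LAN, EXT_IF and the port lists are this example's own.
LAN="${LAN:-192.168.1.0/24}"
EXT_IF="${EXT_IF:-eth0}"     # interface facing the Internet
MASQ_TCP="21 22 25 110 143"  # ftp, ssh, smtp, pop3, imap may go out directly
MASQ_UDP="53"                # DNS

# $1 is the command used to install the rules; pass "echo" to dry-run.
lan_forward_rules() {
    cmd="$1"
    "$cmd" -F forward
    "$cmd" -P forward DENY        # nothing is forwarded unless a rule allows it
    # Masquerade only the allowed destination ports leaving via the external
    # interface (on the forward chain -i is the outgoing interface).
    for p in $MASQ_TCP; do
        "$cmd" -A forward -p tcp -s "$LAN" -d 0.0.0.0/0 "$p" -i "$EXT_IF" -j MASQ
    done
    for p in $MASQ_UDP; do
        "$cmd" -A forward -p udp -s "$LAN" -d 0.0.0.0/0 "$p" -i "$EXT_IF" -j MASQ
    done
    # Anything else from the LAN (including direct 80/443, which would bypass
    # the proxy) is denied and logged (-l) so the attempts show up in syslog.
    "$cmd" -A forward -s "$LAN" -j DENY -l
}

case "${1:-}" in
    apply) lan_forward_rules /sbin/ipchains ;;  # needs root and an ipchains kernel
    *)     lan_forward_rules echo ;;            # default: only print the rules
esac
```

Run it with no arguments to see the rule set it would install, and with `apply` on the gateway to load it.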
