ipchains
Hi.
My network situation:
   192.168.1.0/24          192.168.1.1               194.24.227.236
Sistel company LAN --------- (eth0) linux firewall (ppp0) ------------ internet
my ipchains configuration:
---------------- cat begin -------------------
#!/bin/sh
# Flush all rules and delete the user-defined chains
ipchains -F
ipchains -X
# Create the SISTEL--INTERNET chain
ipchains -N s--i
# Everything going from SISTEL out to the INTERNET (leaving via ppp0) is checked in s--i;
# any other forwarded traffic is denied and logged
ipchains -A forward -s 192.168.1.0/24 -i ppp0 -j s--i
ipchains -A forward -j DENY -l
# These two LAN hosts get no Internet access at all
ipchains -A s--i -s 192.168.1.20 -j DENY
ipchains -A s--i -s 192.168.1.21 -j DENY
# Services the LAN may reach, masqueraded behind the firewall's ppp0 address
ipchains -A s--i -p tcp --dport www -j MASQ
ipchains -A s--i -p tcp --dport pop3 -j MASQ
ipchains -A s--i -p tcp --dport ftp -j MASQ
ipchains -A s--i -p tcp --dport domain -j MASQ
ipchains -A s--i -p udp --dport domain -j MASQ
ipchains -A s--i -p icmp --icmp-type ping -j MASQ
# UDP 33434:33500 are the traceroute probe ports
ipchains -A s--i -p udp --dport 33434:33500 -j MASQ
ipchains -A s--i -j DENY
# Define ICMP-ACCEPT: error and control messages that are always accepted
ipchains -N icmp-acc
ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
# Create the SISTEL-INTERFACE and INTERNET-INTERFACE chains
ipchains -N s-if
ipchains -N i-if
# Rules for INTERNET-INTERFACE (packets addressed to the firewall's ppp0 address)
ipchains -A input -d 194.24.227.236 -j i-if
ipchains -A i-if -s 194.24.224.0/27 -j ACCEPT
ipchains -A i-if -i ! ppp0 -j DENY -l
# 61000:65095 is the kernel's masquerading port range, i.e. replies to masqueraded LAN connections
ipchains -A i-if -p TCP --dport 61000:65095 -j ACCEPT
ipchains -A i-if -p UDP --dport 61000:65095 -j ACCEPT
ipchains -A i-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A i-if -p ICMP --icmp-type ping -j ACCEPT
ipchains -A i-if -j icmp-acc
ipchains -A i-if -j DENY -l
# Rules for SISTEL-INTERFACE (packets addressed to the firewall's eth0 address)
ipchains -A input -d 192.168.1.1 -j s-if
ipchains -A s-if -i ! eth0 -j DENY -l
ipchains -A s-if -p ICMP --icmp-type ping -j ACCEPT
ipchains -A s-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A s-if -j icmp-acc
ipchains -A s-if -j DENY -l
# List the firewall rules
ipchains -L -n
---------------------------cat end-------------------------------
Is it possible to allow all connections from the firewall to the internet?
For example, the firewall acting as an FTP client.
But all access from the Internet to the firewall must still be DENY.
Thank you for your help!
--
S pozdravem,
Michal Kolesar
+420 608 225025
kolisko@penguin.cz
http://www.egarden.cz
server of free unix services