
ipchains



Hi.

My network situation:


192.168.1.0/24                 192.168.1.1                194.24.227.236
Sistel company LAN  --------- (eth0)   linux firewall  (ppp0)  ------------ internet

my ipchains configuration:

---------------- cat begin -------------------

# Flush ipchains (delete all rules, then all user-defined chains)

ipchains -F
ipchains -X

# Create the SISTEL--INTERNET chain

ipchains -N s--i

# Everything passing from SISTEL to the INTERNET (forward chain, leaving via ppp0)

ipchains -A forward -s 192.168.1.0/24 -i ppp0 -j s--i
ipchains -A forward -j DENY -l

# Two LAN hosts are blocked outright; everything else is masqueraded per service
ipchains -A s--i -s 192.168.1.20 -j DENY
ipchains -A s--i -s 192.168.1.21 -j DENY
ipchains -A s--i -p tcp --dport www -j MASQ
ipchains -A s--i -p tcp --dport pop3 -j MASQ
ipchains -A s--i -p tcp --dport ftp -j MASQ
ipchains -A s--i -p tcp --dport domain -j MASQ
ipchains -A s--i -p udp --dport domain -j MASQ
ipchains -A s--i -p icmp --icmp-type ping -j MASQ
ipchains -A s--i -p udp --dport 33434:33500 -j MASQ
ipchains -A s--i -j DENY

# ICMP-ACCEPT definition (error messages that must get through)

ipchains -N icmp-acc

ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT

# Create the SISTEL-INTERFACE and INTERNET-INTERFACE chains

ipchains -N s-if
ipchains -N i-if

# Rules for INTERNET-INTERFACE (packets addressed to the ppp0 address)

ipchains -A input -d 194.24.227.236 -j i-if

ipchains -A i-if -s 194.24.224.0/27 -j ACCEPT
ipchains -A i-if -i ! ppp0 -j DENY -l
# 61000:65095 is the port range the kernel uses for masqueraded connections
ipchains -A i-if -p TCP --dport 61000:65095 -j ACCEPT
ipchains -A i-if -p UDP --dport 61000:65095 -j ACCEPT
ipchains -A i-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A i-if -p ICMP --icmp-type ping -j ACCEPT
ipchains -A i-if -j icmp-acc
ipchains -A i-if -j DENY -l

# Rules for SISTEL-INTERFACE (packets addressed to the eth0 address)

ipchains -A input -d 192.168.1.1 -j s-if

ipchains -A s-if -i ! eth0 -j DENY -l
ipchains -A s-if -p ICMP --icmp-type ping -j ACCEPT
ipchains -A s-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A s-if -j icmp-acc
ipchains -A s-if -j DENY -l

# List the firewall rules

ipchains -L -n

---------------------------cat end-------------------------------

Is it possible to allow all connections from the firewall to the internet?
For example, the firewall acting as an FTP client.

But all access from the Internet to the firewall must still be DENIED.

Thank You for help!


--

Regards,
Michal Kolesar
+420 608 225025
kolisko@penguin.cz
http://www.egarden.cz
server of free unix services
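The question above is the classic stateless-filter problem: ipchains has no connection tracking, so the firewall's own outbound connections produce reply packets that the `i-if` chain currently denies (only the masquerade port range 61000:65095 is let in). The usual ipchains answer is to accept inbound TCP segments that are not connection starts, using `! -y` (SYN set, ACK clear is what `-y` matches, so `! -y` never matches a fresh inbound connection attempt), and to accept UDP answers only from the resolver the firewall actually queries. The script below is an added example, not Michal's script; it assumes his ruleset is already loaded (the `i-if` chain exists and ends in `DENY -l`, so new rules must be inserted at the top, not appended). `DNS_SERVER` is a placeholder address, and by default the script only echoes the commands; run it with `IPCHAINS=ipchains` to apply them.

```shell
#!/bin/sh
# Added example: let the firewall host itself open connections to the internet
# while unsolicited inbound traffic to it stays denied. Assumes the i-if chain
# from the original post is present. Dry-run by default (echoes the rules).
IPCHAINS="${IPCHAINS:-echo ipchains}"   # set IPCHAINS=ipchains to apply
EXT_IF="ppp0"
DNS_SERVER="${DNS_SERVER:-203.0.113.53}"   # placeholder: replace with the real resolver

fw_self_out_rules() {
    # Replies to TCP connections the firewall opened. '!' -y matches every TCP
    # segment except SYN-without-ACK, i.e. never an inbound connection start.
    # Inserted at position 1 so the chain's final "DENY -l" does not shadow it.
    $IPCHAINS -I i-if 1 -i "$EXT_IF" -p tcp '!' -y -j ACCEPT
    # UDP has no handshake, so accept only DNS answers from the known resolver
    # (source port domain). Anything else over UDP is still denied and logged.
    $IPCHAINS -I i-if 2 -i "$EXT_IF" -p udp -s "$DNS_SERVER" --sport domain -j ACCEPT
}

fw_self_out_rules
```

The output chain in the original script keeps its default ACCEPT policy, so the firewall's outgoing packets already leave; only the replies needed a rule. Note the FTP caveat: active-mode FTP has the server open the data connection back to the client (from port 20), which arrives as an inbound SYN and remains denied by design; the firewall should use passive mode, where the client opens both the control and data connections. Ping replies were already accepted by the existing `pong` rule.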
