
Re: Question about ipchains



On Mon, Mar 26, 2001 at 02:55:56PM -0300, Pedro Zorzenon Neto wrote:
> Hi all,
> 
> I have a computer with potato that is a gateway for my intranet. It has real IP, while the intranet has 192.168.1.x IP's.
> Several services are running on it but I'd like only ssh, ntp and https to be available to the outside world.
> 
> So, I thought these ipchains rules could help:
> 
> Chain input (policy REJECT):
> target     prot opt     source                destination           ports
> # accept everything from localhost
> ACCEPT     all  ------  127.0.0.1            0.0.0.0/0             n/a
> # reply ping packets
> ACCEPT     icmp ------  0.0.0.0/0            0.0.0.0/0             * ->   *
> # next 2 lines: accept tcp/udp all ports for internal network
> ACCEPT     tcp  ------  192.168.1.0/24       0.0.0.0/0             * ->   *
> ACCEPT     udp  ------  192.168.1.0/24       0.0.0.0/0             * ->   *
> # allow ssh from outside
> ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   22
> # allow ntp from outside
> ACCEPT     udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   123
> # allow https from outside
> ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   443
> # does not accept outside connections to postgres
> REJECT     tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   5432
> # these next 2 lines I didn't understand why, but someone told me to put it to accept response packets. what is this???
> ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   1024:65535
> ACCEPT     udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   1024:65535
> Chain forward (policy MASQ):
> Chain output (policy ACCEPT):
> 
> Do you think that is a safe configuration for ipchains to protect the computer from the outside world? why do I need the last 2 lines of input chain?
It accepts all other traffic to non-privileged ports. I prefer to
allow traffic without the syn flag (not initiating a new connection)
only, not all misc traffic, it's more secure, the way to do it is
like:
ipchains -A input -s 0/0 -d 0/0 1024:65535 -p tcp ! -y -j ACCEPT
# -y (the TCP SYN flag) is only valid with -p tcp; UDP has no connection setup, so this rule stays unfiltered
ipchains -A input -s 0/0 -d 0/0 1024:65535 -p udp -j ACCEPT


Read the ipchains howto for more info
-- 
,-------------------------------------------.
> Name:           Alson van der Meulen      <
> Personal:       alson@linuxfreak.nl       <
> School:       alson@gymnasiumleiden.nl    <
`-------------------------------------------'
Nobody was using that file /vmunix, were they?
---------------------------------------------
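To make the difference between the two reply rules concrete, here is an added example (not from either poster) that models the input chain above as a first-match rule list and checks a constructed reply packet (ACK, no SYN) and a constructed new connection attempt to an unprivileged port against both the plain `1024:65535` rule and the `! -y` variant. Packet contents and the 203.0.113.9 address are constructed sample values.

```python
# Added example: tiny first-match model of the poster's ipchains "input" chain,
# showing what the last two rules let through and how "! -y" (match only
# packets WITHOUT the SYN flag) narrows them. Not real ipchains code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    target: str
    proto: str             # "tcp", "udp", "icmp" or "all"
    src: str               # source CIDR
    dports: tuple          # (low, high) destination port range, or None
    not_syn: bool = False  # ipchains "! -y": match only packets without SYN


def matches(rule, pkt):
    if rule.proto != "all" and rule.proto != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(rule.src):
        return False
    if rule.dports and not (rule.dports[0] <= pkt["dport"] <= rule.dports[1]):
        return False
    if rule.not_syn and pkt.get("syn", False):  # only meaningful for tcp
        return False
    return True


def run_chain(rules, pkt, policy="REJECT"):
    """First matching rule decides, as in an ipchains chain; else the policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy


def input_chain(syn_filtered_reply_rule):
    """The poster's input chain; the flag selects the plain or '! -y' variant."""
    return [
        Rule("ACCEPT", "all", "127.0.0.1/32", None),
        Rule("ACCEPT", "icmp", "0.0.0.0/0", None),
        Rule("ACCEPT", "tcp", "192.168.1.0/24", None),
        Rule("ACCEPT", "udp", "192.168.1.0/24", None),
        Rule("ACCEPT", "tcp", "0.0.0.0/0", (22, 22)),
        Rule("ACCEPT", "udp", "0.0.0.0/0", (123, 123)),
        Rule("ACCEPT", "tcp", "0.0.0.0/0", (443, 443)),
        Rule("REJECT", "tcp", "0.0.0.0/0", (5432, 5432)),
        Rule("ACCEPT", "tcp", "0.0.0.0/0", (1024, 65535), not_syn=syn_filtered_reply_rule),
        Rule("ACCEPT", "udp", "0.0.0.0/0", (1024, 65535)),
    ]


# Constructed sample packets: a reply to an outbound connection (ACK, no SYN)
# and a fresh connection attempt from outside to an unprivileged port.
REPLY = {"proto": "tcp", "src": "203.0.113.9", "dport": 40000, "syn": False}
NEW_CONN = {"proto": "tcp", "src": "203.0.113.9", "dport": 8080, "syn": True}
```

With the plain rule both packets are accepted, so any listener on an unprivileged port is reachable from outside; with `! -y` the reply still passes while the new connection falls through to the chain's REJECT policy.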