Re: Question about ipchains
On Mon, Mar 26, 2001 at 02:55:56PM -0300, Pedro Zorzenon Neto wrote:
> Hi all,
>
> I have a computer with potato that is a gateway for my intranet. It has real IP, while the intranet has 192.168.1.x IP's.
> Several services are running on it but I'd like only ssh, ntp and https to be available to the outside world.
>
> So, I thought this ipchains rules could help:
>
> Chain input (policy REJECT):
> target prot opt source destination ports
> # accept everything from localhost
> ACCEPT all ------ 127.0.0.1 0.0.0.0/0 n/a
> # reply ping packets
> ACCEPT icmp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
> # next 2 lines: accept tcp/udp all ports for internal network
> ACCEPT tcp ------ 192.168.1.0/24 0.0.0.0/0 * -> *
> ACCEPT udp ------ 192.168.1.0/24 0.0.0.0/0 * -> *
> # allow ssh from outside
> ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 22
> # allow ntp from outside
> ACCEPT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 123
> # allow https from outside
> ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 443
> # does not accept outside connections to postgres
> REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 5432
> # this next 2 lines I didn't understand why, but someone told me to put it to accept response packets. what is this???
> ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
> ACCEPT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
> Chain forward (policy MASQ):
> Chain output (policy ACCEPT):
>
> Do you think that is a safe configuration for ipchains to protect the computer from the outside world? why do I need the last 2 lines of input chain?
It accepts all other traffic to non-privileged ports. I prefer to
allow only traffic without the SYN flag (i.e. not initiating a new
connection), not all miscellaneous traffic; it's more secure. The way
to do it is like:
# TCP: accept packets to unprivileged ports only if they are not a
# connection-opening SYN ("! -y" negates the SYN-only match)
ipchains -A input -s 0/0 -d 0/0 1024:65535 -p tcp ! -y -j ACCEPT
# UDP has no SYN flag, so "-y" is only valid with "-p tcp" and must be
# left off here; this rule accepts all UDP to unprivileged ports
ipchains -A input -s 0/0 -d 0/0 1024:65535 -p udp -j ACCEPT
Read the ipchains HOWTO for more info.
--
,-------------------------------------------.
> Name: Alson van der Meulen <
> Personal: alson@linuxfreak.nl <
> School: alson@gymnasiumleiden.nl <
`-------------------------------------------'
Nobody was using that file /vmunix, were they?
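The difference between the poster's catch-all rule for ports 1024:65535 and the reply's "! -y" variant is easiest to see by walking packets through the chain. The following is an added example, not code from either mail or from the ipchains project: a small first-match simulator of an ipchains input chain with the rules quoted above, fed a few constructed packets. The Packet and Rule classes, the syn field (standing in for ipchains' SYN-only match) and the sample addresses are all assumptions made for the illustration.

```python
# Added example (not from the original thread): a tiny first-match
# simulator for an ipchains "input" chain, used to compare the poster's
# catch-all rule for ports 1024:65535 with the "! -y" (no SYN) variant
# from the reply. All packets below are constructed sample input.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source address
    dport: int = 0      # destination port (unused for icmp)
    syn: bool = False   # True = TCP SYN-only packet, i.e. opens a connection


@dataclass
class Rule:
    target: str                      # ACCEPT or REJECT
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dports: tuple = (0, 65535)       # inclusive destination port range
    not_syn: bool = False            # ipchains "! -y": skip SYN-only packets

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        lo, hi = self.dports
        if p.proto != "icmp" and not (lo <= p.dport <= hi):
            return False
        if self.not_syn and p.syn:
            return False
        return True


def verdict(chain, policy: str, p: Packet) -> str:
    """First matching rule decides, as in ipchains; otherwise the chain policy."""
    for r in chain:
        if r.matches(p):
            return r.target
    return policy


# Rules shared by both variants, in the order the poster listed them.
COMMON = [
    Rule("ACCEPT", src="127.0.0.1/32"),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", proto="tcp", src="192.168.1.0/24"),
    Rule("ACCEPT", proto="udp", src="192.168.1.0/24"),
    Rule("ACCEPT", proto="tcp", dports=(22, 22)),
    Rule("ACCEPT", proto="udp", dports=(123, 123)),
    Rule("ACCEPT", proto="tcp", dports=(443, 443)),
    Rule("REJECT", proto="tcp", dports=(5432, 5432)),
]

# Poster's version: any TCP or UDP to an unprivileged port is accepted,
# including a SYN that opens a new connection to a listening service.
ORIGINAL = COMMON + [
    Rule("ACCEPT", proto="tcp", dports=(1024, 65535)),
    Rule("ACCEPT", proto="udp", dports=(1024, 65535)),
]

# Reply's version: TCP to unprivileged ports only when it is not a
# connection-opening SYN ("! -y"). UDP has no SYN flag, so it is unchanged.
HARDENED = COMMON + [
    Rule("ACCEPT", proto="tcp", dports=(1024, 65535), not_syn=True),
    Rule("ACCEPT", proto="udp", dports=(1024, 65535)),
]


def compare(p: Packet) -> tuple:
    """Return (original verdict, hardened verdict) for one packet; policy is REJECT."""
    return verdict(ORIGINAL, "REJECT", p), verdict(HARDENED, "REJECT", p)


if __name__ == "__main__":
    samples = {
        "new connection from outside to port 8080": Packet("tcp", "203.0.113.9", 8080, syn=True),
        "reply packet to our client on port 40000": Packet("tcp", "203.0.113.9", 40000),
        "ssh from outside": Packet("tcp", "203.0.113.9", 22, syn=True),
        "postgres from the intranet": Packet("tcp", "192.168.1.5", 5432, syn=True),
    }
    for label, pkt in samples.items():
        print(f"{label}: original={compare(pkt)[0]} hardened={compare(pkt)[1]}")
```

Running it shows the one case where the two rulesets differ: a connection-opening SYN from outside to an unprivileged port is accepted by the poster's rule but rejected by the "! -y" rule, while plain reply packets to local client ports, ssh, and intranet traffic get the same verdict under both.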