
Re: ipchains firewalling question

On Wed, 1 Sep 1999, Patrick Olson wrote:

> I am thinking of using IP chains to tighten security a little on my Debian
> 2.1 box.  Currently, I have it set up as follows:
> ipchains -P forward DENY
> ipchains -A forward -s -j MASQ
> Below is a much more involved setup I created based on the information in
> the HOW-TO. The goal is to cut off access to any ports that I never use,
> and limit access to some of the ports I do use.  Could you please take a
> look at it and let me know what you think? 
> I have the following specific questions:
> 1. Have I made any mistakes that could cause really annoying problems?
>    (perhaps unintentionally blocking something that shouldn't be blocked) 

If you use DHCP for anything, you must enable source/destination as well as the routes for this. This caught me some time ago :(

> 2. Is it safe to allow all input from localhost and output to localhost
>    as I have done?

I think that this is indeed a must for certain apps. IIRC named needs it.

> 3. Are the lines that allow ICMP the right thing to do so ping will work?
>    (also, the HOW-TO warned about not blocking ICMP type 3).
> 4. Are the SMTP and POP3 ports as secure as possible while still
>    allowing fetchmail and sendmail to work?

Maybe you could specify the source/destination for this rule.

> 5. Will my lines to block all communication with ads3.inet1.com work?
>    (If I had a fast Internet connection, I wouldn't mind banner ads)
> 6. Any other comments or suggestions?

Seems to me that the syntax is wrong. The ipchains syntax for setting the
destination port is --dport; -p is for the protocol.

So you should change your lines accordingly.

> --- begin list of ipchains commands ---
> ipchains -P input DENY
> ipchains -P output DENY
> ipchains -P forward DENY
> # allow anything local
> ipchains -A input  -s -j ACCEPT
> ipchains -A output -d -j ACCEPT
> # allow ICMP
> ipchains -A input  -p icmp -j ACCEPT
> ipchains -A output -p icmp -j ACCEPT
> # allow FTP, telnet, DNS, WWW and IRC in both directions
> ipchains -A input  -p 20 -j ACCEPT

# --dport is only accepted together with -p tcp (or -p udp); the port may be
# given as a number or as a service name from /etc/services
ipchains -A input -p tcp --dport 20 -j ACCEPT
ipchains -A input -p tcp --dport ftp-data -j ACCEPT

> ipchains -A input  -p 21 -j ACCEPT
> ipchains -A input  -p 23 -j ACCEPT
> ipchains -A input  -p 53 -j ACCEPT
> ipchains -A input  -p 80 -j ACCEPT
> ipchains -A input  -p 194 -j ACCEPT
> ipchains -A output -p 20 -j ACCEPT
> ipchains -A output -p 21 -j ACCEPT
> ipchains -A output -p 23 -j ACCEPT
> ipchains -A output -p 53 -j ACCEPT
> ipchains -A output -p 80 -j ACCEPT
> ipchains -A output -p 194 -j ACCEPT
> # allow me to use fetchmail
> ipchains -A output -p 110 -j ACCEPT
> # allow outgoing SMTP
> ipchains -A output -p 25 -j ACCEPT
> # allow netbios stuff on eth0
> ipchains -A input  -i eth0 -p 137 -j ACCEPT
> ipchains -A input  -i eth0 -p 138 -j ACCEPT
> ipchains -A input  -i eth0 -p 139 -j ACCEPT
> ipchains -A output -i eth0 -p 137 -j ACCEPT
> ipchains -A output -i eth0 -p 138 -j ACCEPT
> ipchains -A output -i eth0 -p 139 -j ACCEPT
> # allow communication with my ISP's proxy
> ipchains -A input  -p 3128 -j ACCEPT
> ipchains -A output -p 3128 -j ACCEPT
> # kill some of those annoying banner advertisements
> ipchains -A input  -s ads3.inet1.com -j DENY
> ipchains -A output -s ads3.inet1.com -j DENY
> # anything that makes it through the input and output filters can be
> # masqueraded for certain local systems
> ipchains -A forward -s -j MASQ
> --- end list of ipchains commands ---
> I would really appreciate some feedback on this so that I will know if I
> am getting it right or making mistakes.  
> Thanks in advance,
> Patrick Olson
> -- 
> Unsubscribe?  mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null

Mario O.de Menezes            "Many are the plans in a man's heart, but
    IPEN-CNEN/SP                 is the Lord's purpose that prevails"
http://curiango.ipen.br/~mario                 Prov. 19.21
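The -p/--dport confusion discussed above is easy to catch before loading a ruleset. The following lint script is an added example and not part of this thread; it assumes ipchains' documented behaviour that -p takes a protocol name or IP protocol number and that --dport/--sport are only valid with -p tcp or -p udp, and it also flags a -s/-d option whose address argument is missing.

```shell
# Lint one ipchains rule line for the mistakes discussed in this thread.
# Prints one finding per line, or "ok"; return value is the number of findings.
check_ipchains_rule() {
    rule=$1
    proto="" port_opt=0 findings=0
    set -- $rule                      # split the rule into words
    while [ $# -gt 0 ]; do
        case "$1" in
            -p)
                # -p names an IP protocol (tcp/udp/icmp or a protocol number)
                proto=$2; [ $# -ge 2 ] && shift ;;
            --dport|--destination-port|--sport|--source-port)
                port_opt=1; [ $# -ge 2 ] && shift ;;
            -s|-d)
                # -s/-d take an address; the next word must not be another option
                case "$2" in
                    ""|-*) echo "$1 is missing its address argument"
                           findings=$((findings + 1)) ;;
                    *) shift ;;
                esac ;;
        esac
        shift
    done
    case "$proto" in
        ""|tcp|udp|icmp|all) ;;
        *[!0-9]*) echo "unknown protocol '$proto'"; findings=$((findings + 1)) ;;
        *) echo "-p $proto is an IP protocol number, not a port; write '-p tcp --dport $proto'"
           findings=$((findings + 1)) ;;
    esac
    if [ "$port_opt" = 1 ]; then
        case "$proto" in
            tcp|udp) ;;
            *) echo "port option needs '-p tcp' or '-p udp'"; findings=$((findings + 1)) ;;
        esac
    fi
    [ "$findings" -eq 0 ] && echo ok
    return "$findings"
}

# Constructed sample: two rules from the thread and a corrected form.
sample='ipchains -A input -p 20 -j ACCEPT
ipchains -A input --dport 20 -j ACCEPT
ipchains -A input -p tcp --dport 20 -j ACCEPT'
printf '%s\n' "$sample" | while IFS= read -r r; do
    printf '%s\n  -> %s\n' "$r" "$(check_ipchains_rule "$r")"
done
```

Run it over the whole ruleset with a loop like the one at the end; numeric protocols such as -p 6 are legal in ipchains, so the numeric-protocol finding is a warning to review, not a hard error.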
