Re: ipchains firewalling question
On Wed, 1 Sep 1999, Patrick Olson wrote:
>
>
> I am thinking of using IP chains to tighten security a little on my Debian
> 2.1 box. Currently, I have it set up as follows:
>
> ipchains -P forward DENY
> ipchains -A forward -s 192.168.1.9/255.255.255.255 -j MASQ
>
> Below is a much more involved setup I created based on the information in
> the HOW-TO. The goal is to cut off access to any ports that I never use,
> and limit access to some of the ports I do use. Could you please take a
> look at it and let me know what you think?
>
> I have the following specific questions:
> 1. Have I made any mistakes that could cause really annoying problems?
> (perhaps unintentionally blocking something that shouldn't be blocked)
if you use dhcp for anything, you must enable source/destination for
255.255.255.255 as well as the routes for this. This caught me some time
ago :(
> 2. Is it safe to allow all input from localhost and output to localhost
> as I have done?
I think that this is indeed a must for certain apps. IIRC named need it.
> 3. Are the lines that allow ICMP the right thing to do so ping will work?
> (also, the HOW-TO warned about not blocking ICMP type 3).
> 4. Are the SMTP and POP3 ports as secure as possible while still
> allowing fetchmail and sendmail to work?
maybe you could specify the source/destination for this rule.
> 5. Will my lines to block all communication with ads3.inet1.com work?
> (If I had a fast Internet connection, I wouldn't mind banner ads)
> 6. Any other comments or suggestions?
seems to me that the syntax is wrong. ipchains syntax for setting
destination port is --dport. -p is for protocol.
so you should change your lines accordingly.
>
> --- begin list of ipchains commands ---
>
> ipchains -P input DENY
> ipchains -P output DENY
> ipchains -P forward DENY
>
> # allow anything local
> ipchains -A input -s 127.0.0.1 -j ACCEPT
> ipchains -A output -d 127.0.0.1 -j ACCEPT
>
> # allow ICMP
> ipchains -A input -p icmp -j ACCEPT
> ipchains -A output -p icmp -j ACCEPT
>
> # allow FTP, telnet, DNS, WWW and IRC in both directions
> ipchains -A input -p 20 -j ACCEPT
ipchains -A input --dport 20 -j ACCEPT
or
ipchains -A input -p ftp-data -j ACCEPT
...
> ipchains -A input -p 21 -j ACCEPT
> ipchains -A input -p 23 -j ACCEPT
> ipchains -A input -p 53 -j ACCEPT
> ipchains -A input -p 80 -j ACCEPT
> ipchains -A input -p 194 -j ACCEPT
>
> ipchains -A output -p 20 -j ACCEPT
> ipchains -A output -p 21 -j ACCEPT
> ipchains -A output -p 23 -j ACCEPT
> ipchains -A output -p 53 -j ACCEPT
> ipchains -A output -p 80 -j ACCEPT
> ipchains -A output -p 194 -j ACCEPT
>
> # allow me to use fetchmail
> ipchains -A output -p 110 -j ACCEPT
>
> # allow outgoing SMTP
> ipchains -A output -p 25 -j ACCEPT
>
> # allow netbios stuff on eth0
> ipchains -A input -i eth0 -p 137 -j ACCEPT
> ipchains -A input -i eth0 -p 138 -j ACCEPT
> ipchains -A input -i eth0 -p 139 -j ACCEPT
>
> ipchains -A output -i eth0 -p 137 -j ACCEPT
> ipchains -A output -i eth0 -p 138 -j ACCEPT
> ipchains -A output -i eth0 -p 139 -j ACCEPT
>
> # allow communication with my ISP's proxy
> ipchains -A input -p 3128 -j ACCEPT
> ipchains -A output -p 3128 -j ACCEPT
>
> # kill some of those annoying banner advertisements
> ipchains -A input -s ads3.inet1.com -j DENY
> ipchains -A output -s ads3.inet1.com -j DENY
>
> # anything that makes it through the input and output filters can be
> # masqueraded for certain local systems
>
> ipchains -A forward -s 192.168.1.9/255.255.255.255 -j MASQ
>
> --- end list of ipchains commands ---
>
> I would really appreciate some feedback on this so that I will know if I
> am getting it right or making mistakes.
>
> Thanks in advance,
> Patrick Olson
>
>
> --
> Unsubscribe? mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null
>
Mario O.de Menezes "Many are the plans in a man's heart, but
IPEN-CNEN/SP is the Lord's purpose that prevails"
http://curiango.ipen.br/~mario Prov. 19.21
Reply to: