
Re: ipchains



On Sat, Mar 04, 2000 at 10:40:14PM -0500, Chris Gray wrote
> Hi.
> 
> This should be easy, but I just can't figure out how to do it.  All I
> want is to be able to set up a firewall where everything is disabled
> except that I can browse the internet and send/receive email.  I'm
> running some network stuff, but it does not need to be seen by anyone
> else but me.  I thought this would work:
> 
> ipchains -P input DENY
> ipchains -A input -s localhost -j ACCEPT
> 
> but now I can't browse on outside networks.  So I guess I need to run
> a proxy, right?  So I downloaded squid, and have it so that I can
> browse my local network, but it still can't get connections to outside
> networks.  
> 
> Could someone please tell me why this isn't working?  Why does the
> outside net need to connect to my box so that I can browse?  If there
> is a web page that explains things at a little lower level than the
> howtos I'd appreciate that address as well.
> 

I think your problem is that you are thinking in terms of controlling
*connections*, but the ipchains rules govern *packets* in interface
queues.  The rules you've implemented allow data out, but don't let
any data (e.g., web pages, mail messages) back into your machine.

Depending on exactly what you want to achieve, you may be able to
set up your firewall like this:
  - Turn off forwarding on the firewall 
    (echo 0 > /proc/sys/net/ipv4/ip_forward for kernel 2.2);
  - Disable all services on the firewall, except for exim and 
    squid and maybe ssh;
  - Configure squid, ssh, etc. to only accept connections from your
    LAN;
  - Configure exim to receive mail for your LAN; make sure it is
    listed as the best MX for any email addresses corresponding to
    hosts on your LAN, and make sure that it won't relay for other
    machines;
  - Configure LAN clients to use your firewall as a smarthost
    for mail, and as web/ftp proxy.

The default /etc/init.d/netbase also implements some IP spoofing
protection, which is a Good Thing for most people.

If you're concerned to protect yourself from DoS attacks, look
at the Exim configuration pages for information on limiting smtp
connections based on load average, number of simultaneous
connections, spool space and so on.  You may also want to use
ipchains to block built-in services on your firewall (e.g. ports
9 & 13), to prevent them being used in DoS attacks (although,
with an SMTP server running you will always be vulnerable to
some extent).



John P.
-- 
huiac@camtech.net.au
john@huiac.apana.org.au
"Oh - I - you know - my job is to fear everything." - Bill Gates in Denmark
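As an added illustration of the packets-versus-connections point made in the reply above (this is not code from the thread or from either poster), here is a small Python model of a stateless ipchains input chain run over constructed packets. It shows the posted rules dropping a web server's reply, and an amended chain using `! -y` plus a UDP source-port-53 rule (my assumption about a workable fix, not something the thread proposes) letting replies in while still denying new inbound connections.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """One IP packet in the input queue (constructed sample data, not a real capture)."""
    proto: str              # "tcp" or "udp"
    src: str                # source address
    sport: int              # source port
    dport: int              # destination port
    syn_only: bool = False  # SYN set with ACK/FIN clear, which is what ipchains -y matches


@dataclass(frozen=True)
class Rule:
    """A subset of ipchains match options: -s, -p, --source-port and ! -y."""
    target: str                  # ACCEPT or DENY
    src: Optional[str] = None    # -s <addr>
    proto: Optional[str] = None  # -p tcp|udp
    sport: Optional[int] = None  # --source-port <n>
    not_syn: bool = False        # ! -y: TCP packets that are not connection requests

    def matches(self, p: Packet) -> bool:
        if self.src is not None and p.src != self.src:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.not_syn and (p.proto != "tcp" or p.syn_only):
            return False
        return True


def input_chain(rules: List[Rule], policy: str, p: Packet) -> str:
    """Walk the input chain as ipchains does: first matching rule decides, else the policy."""
    for rule in rules:
        if rule.matches(p):
            return rule.target
    return policy


# The rules from the original post: policy DENY, accept only packets from localhost.
POSTED = [Rule("ACCEPT", src="127.0.0.1")]
# Amended chain (assumption, not from the thread): admit TCP packets that are not new
# connection requests and UDP replies from port 53. Still stateless: it trusts TCP
# flags rather than tracking connections, so it is no substitute for the proxy setup.
AMENDED = [Rule("ACCEPT", proto="tcp", not_syn=True), Rule("ACCEPT", proto="udp", sport=53)]

# Constructed packets arriving on the firewall's outside interface (documentation addresses).
WEB_REPLY = Packet("tcp", "203.0.113.10", sport=80, dport=40001)  # SYN/ACK from a web server
DNS_REPLY = Packet("udp", "203.0.113.53", sport=53, dport=40002)  # answer to our DNS query
NEW_SSH = Packet("tcp", "203.0.113.99", sport=51234, dport=22, syn_only=True)  # unsolicited


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Verdict of the input chain (policy DENY) for each constructed packet."""
    samples = [("web_reply", WEB_REPLY), ("dns_reply", DNS_REPLY), ("new_ssh", NEW_SSH)]
    return {name: input_chain(rules, "DENY", p) for name, p in samples}
```

With the posted chain every reply is denied, which is exactly why browsing stopped working; with the amended chain the replies pass and the unsolicited SYN to port 22 is still refused.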