
Re: ipchains question



"Eric Gillespie, Jr." <epg@pobox.com> wrote:
>I'd like to set up ipchains so that no one can connect to my
>dialup computer at all except for identd (for IRC). I read the
>Firewall and IPCHAINS howtos, as well as the ipchains man page,
>and it looks like the following lines should do what I want:
>
>ipchains -P input DENY
>ipchains -I input -p all -s localhost -j ACCEPT
>ipchains -I input -p icmp -j ACCEPT
>ipchains -I input -p tcp --dport 113 -j ACCEPT
>
>Unfortunately, they don't.

The person who said that connections are bi-directional was correct, but
not in saying that you need a complementary output rule for everything
(that'll just make it worse ...). You should look at the -y (or --syn)
option to ipchains, which will allow you to control the packets that
*initiate* connections, then just let all non-SYN TCP packets through.

You might need to allow UDP (or certain bits of it) through too,
depending on what you're doing; for instance, a caching nameserver will
want to talk UDP.

-- 
Colin Watson                                     [cjw44@flatline.org.uk]
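Putting the suggestion above together as an added example (this is not part of the original thread and not Colin's or Eric's code): a complete input ruleset for a dialup box that uses -y / --syn so that only connection-initiating TCP packets are filtered, plus the UDP exception for nameserver replies. It assumes the dialup interface is ppp0 and that the addresses of the nameservers you query are listed in NAMESERVERS; both are assumptions, not from the post. DRY_RUN=1 prints the commands instead of running them, so the ruleset can be checked without root or an ipchains kernel.

```shell
#!/bin/sh
# Added example: ipchains input ruleset for a dialup host.
# Assumptions (not from the original post): external interface ppp0,
# nameservers given in NAMESERVERS, output policy left at ACCEPT.

IPCHAINS=${IPCHAINS:-/sbin/ipchains}
EXT_IF=${EXT_IF:-ppp0}
NAMESERVERS=${NAMESERVERS:-}      # e.g. "192.0.2.1 192.0.2.2"
DRY_RUN=${DRY_RUN:-0}

# Run ipchains, or just print the command line when DRY_RUN=1.
ipc() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPCHAINS $*"
    else
        "$IPCHAINS" "$@"
    fi
}

# Rules are appended with -A so they are evaluated in the order written.
dialup_rules() {
    ipc -F input
    ipc -P input DENY

    # Loopback: everything (identd, local nameserver, X, ...).
    ipc -A input -i lo -j ACCEPT

    # ICMP: ping replies, destination-unreachable, path MTU, etc.
    ipc -A input -p icmp -j ACCEPT

    # identd is the only service anyone outside may *open* a connection to:
    # -y matches packets with SYN set and ACK/FIN clear, i.e. connection starts.
    ipc -A input -p tcp -i "$EXT_IF" --dport 113 -y -j ACCEPT

    # Any other connection start from the dialup side is dropped and logged.
    ipc -A input -p tcp -i "$EXT_IF" -y -j DENY -l

    # Every remaining TCP packet is not a bare SYN, so it belongs to a
    # connection this host started (or to the identd one above): let it in.
    ipc -A input -p tcp -i "$EXT_IF" ! -y -j ACCEPT

    # UDP has no SYN; allow replies from the nameservers we talk to
    # (source port 53), whether from a stub resolver or a caching server.
    for ns in $NAMESERVERS; do
        ipc -A input -p udp -i "$EXT_IF" -s "$ns" 53 -j ACCEPT
    done
}

# Usage: sh dialup-rules.sh show   (preview, no root needed)
#        sh dialup-rules.sh apply  (as root, on an ipchains kernel)
case "${1:-}" in
    show)  DRY_RUN=1; dialup_rules ;;
    apply) dialup_rules ;;
esac
```

Two things worth knowing when using this. Order matters once there is a DENY in the chain, which is why the rules are appended with -A; the -I in the quoted ruleset inserts at the head, so rules end up in the reverse of the order they were typed. And ipchains is stateless: the "! -y" rule admits any packet that is not a bare SYN, so a stray ACK aimed at a closed port still reaches the TCP stack and gets an RST back. What the ruleset prevents is anyone establishing a connection to anything but identd, which is what the question asked for.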


