
Re: 2 ipchains questions



Thanks for all this. The reason I'd like the masqueraded connections never
to time out is that I'd like machines on my private network to be able to
maintain connections indefinitely - specifically, IMAP connections. I'd
like to be able to leave an IMAP client running on a machine and not get
TCP/IP Port Reset errors on it.

Andy

----------------------------------------------------------------------
Andrew J Perrin - andrew_perrin@unc.edu - http://www.unc.edu/~aperrin
    Asst Professor of Sociology, U of North Carolina, Chapel Hill
      269 Hamilton Hall, CB#3210, Chapel Hill, NC 27599-3210 USA


On Mon, 28 May 2001, Tobias Galitzien wrote:

> Do something like:
> 
> # for initialisation - deny everything that will not be allowed later...
> 
> ipchains -P input DENY
> ipchains -P forward DENY
> ipchains -P output DENY
> ipchains -F
> 
> # allow local things
> 
> ipchains -A input -j ACCEPT -i lo
> ipchains -A output -j ACCEPT -i lo
> 
> # allow SSH connections from eth1 (and reply packets)
> 
> ipchains -A input -j ACCEPT -p tcp -i eth1 -s 0.0.0.0/0 1024: -d <IP of eth1> 22
> ipchains -A output -j ACCEPT -p tcp -i eth1 -d 0.0.0.0/0 1024: -s <IP of eth1> 22
> 
> AFAIR you don't have to worry about response packets from masqueraded
> connections. They will bypass the input and output chains.
> 
> For the timeout of masquerading see the -S option of ipchains. I think it is
> not the best idea to make connections never time out (quite sure it is not
> even possible) because you will eventually run out of port numbers. Just set
> it to a reasonable high value - like one hour - don't know what the max is.
> 
> 	Tobias
> 
> On Sun, May 27, 2001 at 03:23:58PM -0500, Andrew Perrin wrote:
> > I now have a DSL connection, and as such would like to use ipchains to do
> > the following:
> > 
> > 1.) Deny all incoming packets coming in on eth1 (the card connected to the
> > DSL gateway) except those destined for port 22 (ssh) or ICMP packets, or
> > of course packets responding to outgoing packets; and
> > 
> > 2.) Make masqueraded connections from other machines on my private network
> > never time out.
> 
> 
> 
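Putting the pieces of the thread together, here is an added example (editor's code, not Tobias's or Andy's) of a complete ipchains rule set for the setup described: default-deny, SSH and ICMP allowed in on the DSL side, replies to our own connections allowed back in, the private LAN masqueraded out, and the masquerade timeout set with -M -S as Tobias suggests. Everything in it is an assumption about the reader's box: the DSL-facing card is eth1 with address EXT_IP, the LAN hangs off eth0 as LAN_NET, the 61000:65095 masquerade port range is the 2.2 kernel default, and IPCHAINS can be pointed at "echo" for a dry run.

```shell
#!/bin/sh
# Added example, not from the list posters. Assumed layout (hypothetical):
#   eth1 = DSL side with address EXT_IP, eth0 = private LAN holding LAN_NET.
# Set IPCHAINS=echo to print the rules instead of loading them.
IPCHAINS="${IPCHAINS:-ipchains}"

enable_forwarding() {
    # 2.2 kernels: masquerading needs forwarding and always-defragment on.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_always_defrag
}

# apply_rules EXT_IF EXT_IP LAN_NET LAN_IF
apply_rules() {
    ext_if="$1"; ext_ip="$2"; lan_net="$3"; lan_if="$4"

    # Default-deny on every chain, then flush leftovers (the policy survives -F).
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output DENY
    $IPCHAINS -F

    # Loopback.
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A output -i lo -j ACCEPT

    # Anti-spoofing: nothing claiming a LAN source may arrive on the DSL card.
    $IPCHAINS -A input -i "$ext_if" -s "$lan_net" -j DENY -l

    # Question 1: inbound on the DSL side.
    # SSH to this host, from unprivileged client ports as in Tobias's rule.
    $IPCHAINS -A input -i "$ext_if" -p tcp -s 0.0.0.0/0 1024: -d "$ext_ip" 22 -j ACCEPT
    # ICMP (consider narrowing to echo-request / destination-unreachable later).
    $IPCHAINS -A input -i "$ext_if" -p icmp -j ACCEPT
    # ipchains is stateless: "a reply" is any TCP segment without SYN set.
    # That also lets ACK/FIN scans through, which is why the rest is logged.
    $IPCHAINS -A input -i "$ext_if" -p tcp ! -y -j ACCEPT
    # UDP replies to masqueraded LAN traffic come back to the kernel's
    # masquerade port range (61000:65095 assumed; check your kernel's value).
    $IPCHAINS -A input -i "$ext_if" -p udp -d "$ext_ip" 61000:65095 -j ACCEPT
    # Everything else from the DSL side: drop and log.
    $IPCHAINS -A input -i "$ext_if" -j DENY -l

    # Trust the LAN side and let this host send anything.
    $IPCHAINS -A input -i "$lan_if" -j ACCEPT
    $IPCHAINS -A output -j ACCEPT

    # Question 2: masquerade the LAN out over the DSL card.
    # In the forward chain -i names the interface the packet will leave on.
    $IPCHAINS -A forward -i "$ext_if" -s "$lan_net" -j MASQ

    # Masquerade timeouts in seconds: tcp, tcp-after-FIN, udp (0 = unchanged).
    # One hour of idle time keeps a quiet IMAP session in the table; any
    # traffic on the connection restarts the timer.
    $IPCHAINS -M -S 3600 0 0
}

# Usage: sh this-script.sh apply   (fill in your own addresses first)
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    apply_rules eth1 203.0.113.5 192.168.1.0/24 eth0
fi
```

Two things worth checking after loading this: `ipchains -M -L` shows the masquerade table with the remaining timeout per entry, so you can watch whether an idle IMAP session actually survives; and because the "reply" rule is only `! -y`, an IMAP client that sends a periodic NOOP (most do) will keep its entry fresh without needing the timeout to be infinite, which is the practical answer to Andy's concern.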


