From: Robert Harley (Robert.Harley@inria.fr)
Date: Fri May 18 2001 - 05:49:53 PDT
Are any FoRKers intimate with the details of ipchains?
I've got RedHat 7.1 with all updates on an IBM xSeries 220 connected
via PPPoE over an ADSL network terminator (Alcatel Speed Touch Home).
I want to do normal stuff like web surfing, telnet outwards... and
serve Web pages with Apache at: http://217.11.171.36/
How to keep the huns out?
I browsed around for ipchains rulesets and found a lot of junk but
some OK-looking stuff which I tweaked slightly.  A little bit of
knowledge is a dangerous thing...
Any devastating screwups in the following?
==============================================================================
Chain input (policy DENY):
target     prot opt     source            destination       ports
ACCEPT     all  ------  127.0.0.1        127.0.0.1         n/a
TCP_IN     tcp  ------  0.0.0.0/0        0.0.0.0/0         * -> *
UDP_IN     udp  ------  0.0.0.0/0        0.0.0.0/0         * -> *
ICMP_IN    icmp ------  0.0.0.0/0        0.0.0.0/0         * -> *
DENY       all  ----l-  0.0.0.0/0        0.0.0.0/0         n/a
Chain forward (policy DENY):
Chain output (policy ACCEPT):
target     prot opt     source            destination       ports
ACCEPT     icmp ------  0.0.0.0/0        0.0.0.0/0         3 -> *
ACCEPT     icmp ------  0.0.0.0/0        0.0.0.0/0         8 -> *
DENY       icmp ----l-  0.0.0.0/0        0.0.0.0/0         * -> *
ACCEPT     tcp  ------  217.11.171.36    0.0.0.0/0         80 -> 1023:65535
DENY       tcp  ----l-  0.0.0.0/0        0.0.0.0/0         0:1023 -> *
DENY       udp  ----l-  0.0.0.0/0        0.0.0.0/0         0:1023 -> *
ACCEPT     all  ------  0.0.0.0/0        0.0.0.0/0         n/a
Chain ICMP_IN (1 references):
target     prot opt     source            destination       ports
PRIVATE    icmp ------  0.0.0.0/0        0.0.0.0/0         0 -> *
PRIVATE    icmp ------  0.0.0.0/0        0.0.0.0/0         3:4 -> *
PRIVATE    icmp ------  0.0.0.0/0        0.0.0.0/0         11:12 -> *
DENY       all  ----l-  0.0.0.0/0        0.0.0.0/0         * -> *
Chain TCP_IN (1 references):
target     prot opt     source            destination       ports
ACCEPT     tcp  ------  0.0.0.0/0        217.11.171.36     1023:65535 -> 80
DENY       tcp  ----l-  0.0.0.0/0        0.0.0.0/0         * -> 0:1023
DENY       tcp  ----l-  0.0.0.0/0        0.0.0.0/0         * -> 6000:6063
DENY       tcp  -y--l-  0.0.0.0/0        0.0.0.0/0         * -> *
PRIVATE    all  ------  0.0.0.0/0        0.0.0.0/0         n/a
Chain UDP_IN (1 references):
target     prot opt     source            destination       ports
DENY       udp  ----l-  0.0.0.0/0        0.0.0.0/0         * -> 0:1023
DENY       udp  ----l-  0.0.0.0/0        0.0.0.0/0         * -> 6000:6063
PRIVATE    all  ------  0.0.0.0/0        0.0.0.0/0         n/a
Chain PRIVATE (5 references):
target     prot opt     source            destination       ports
DENY       all  ----l-  10.0.0.0/8       0.0.0.0/0         n/a
DENY       all  ----l-  127.0.0.0/8      0.0.0.0/0         n/a
DENY       all  ----l-  169.254.0.0/16   0.0.0.0/0         n/a
DENY       all  ----l-  172.16.0.0/12    0.0.0.0/0         n/a
DENY       all  ----l-  192.168.0.0/16   0.0.0.0/0         n/a
ACCEPT     all  ------  0.0.0.0/0        0.0.0.0/0         n/a
==============================================================================
Comments much appreciated.
R
    .-.                                                               .-.
   /   \           .-.                                 .-.           /   \
  /     \         /   \       .-.     _     .-.       /   \         /     \
 /       \       /     \     /   \   / \   /   \     /     \       /       \
/         \     /       \   /     `-'   `-'     \   /       \     /         \
           \   /         `-'                     `-'         \   /
            `-'                                               `-'
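As an added example (not part of Robert's post), here is a small Python model of the input side of the ruleset above, walked ipchains-style: first match wins, a user chain that falls off its end returns to its caller, and `-y` matches only SYN segments. The host address is the one in the post; 203.0.113.9, 10.1.2.3 and the port numbers are constructed sample values. Running it makes the rule ordering visible, for instance that the port-80 ACCEPT in TCP_IN is tested before the jump to PRIVATE.

```python
from ipaddress import ip_address as ip, ip_network

ANY, HOST = (0, 65535), "217.11.171.36"
BOGONS = ("10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")

def rule(target, proto="all", src="0.0.0.0/0", dst="0.0.0.0/0", sport=ANY, dport=ANY, syn=False):
    """One line of the listing; for icmp the 'type -> code' column is carried in sport/dport."""
    return dict(target=target, proto=proto, src=ip_network(src), dst=ip_network(dst),
                sport=sport, dport=dport, syn=syn)

CHAINS = {  # the input side of the posted ruleset, in the order printed
    "input": [rule("ACCEPT", src="127.0.0.1", dst="127.0.0.1"), rule("TCP_IN", "tcp"),
              rule("UDP_IN", "udp"), rule("ICMP_IN", "icmp"), rule("DENY")],
    "TCP_IN": [rule("ACCEPT", "tcp", dst=HOST, sport=(1023, 65535), dport=(80, 80)),
               rule("DENY", "tcp", dport=(0, 1023)), rule("DENY", "tcp", dport=(6000, 6063)),
               rule("DENY", "tcp", syn=True), rule("PRIVATE")],
    "UDP_IN": [rule("DENY", "udp", dport=(0, 1023)), rule("DENY", "udp", dport=(6000, 6063)),
               rule("PRIVATE")],
    "ICMP_IN": [rule("PRIVATE", "icmp", sport=(0, 0)), rule("PRIVATE", "icmp", sport=(3, 4)),
                rule("PRIVATE", "icmp", sport=(11, 12)), rule("DENY")],
    "PRIVATE": [rule("DENY", src=n) for n in BOGONS] + [rule("ACCEPT")],
}

def matches(r, p):
    """ipchains match: protocol, -y (SYN-only), source/destination nets, then port ranges."""
    if r["proto"] != "all" and r["proto"] != p["proto"]:
        return False
    if r["syn"] and not p["syn"]:
        return False
    if ip(p["src"]) not in r["src"] or ip(p["dst"]) not in r["dst"]:
        return False
    return r["proto"] == "all" or (r["sport"][0] <= p["sport"] <= r["sport"][1]
                                   and r["dport"][0] <= p["dport"] <= r["dport"][1])

def verdict(p, chain="input", policy="DENY"):
    """First match wins; a user chain that falls off its end returns to the calling chain."""
    for r in CHAINS[chain]:
        if matches(r, p):
            if r["target"] in ("ACCEPT", "DENY"):
                return r["target"]
            sub = verdict(p, r["target"], policy=None)
            if sub is not None:
                return sub
    return policy

def pkt(proto, src, sport, dport, syn=False, dst=HOST):
    """Constructed inbound packet to the host; for icmp, sport carries the ICMP type."""
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, syn=syn)

if __name__ == "__main__":  # constructed sample traffic; 203.0.113.9 is a documentation address
    for name, p in [("web request", pkt("tcp", "203.0.113.9", 40000, 80, syn=True)),
                    ("SYN to telnet", pkt("tcp", "203.0.113.9", 40000, 23, syn=True)),
                    ("telnet reply", pkt("tcp", "203.0.113.9", 23, 40000)),
                    ("echo request", pkt("icmp", "203.0.113.9", 8, 0))]:
        print(f"{name:14} -> {verdict(p)}")
```

The same walk shows the stateless UDP handling: any datagram from a non-bogon source to an unprivileged destination port reaches PRIVATE and is accepted, whether or not it answers a query the host sent.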
This archive was generated by hypermail 2b29 : Fri May 18 2001 - 05:58:18 PDT