From: Dhiren Patel (dlists@dhiren.com)
Date: Fri May 18 2001 - 12:53:05 PDT
Are you actually able to telnet out of this box? The rules don't seem to let any
traffic out of the local box.
Dhiren
Robert Harley wrote:
> Are any FoRKers intimate with the details of ipchains?
>
> I've got RedHat 7.1 with all updates on an IBM xSeries 220 connected
> via PPPoE over an ADSL network terminator (Alcatel Speed Touch Home).
>
> I want to do normal stuff like web surfing, telnet outwards... and
> serve Web pages with Apache at: http://217.11.171.36/
>
> How to keep the huns out?
>
> I browsed around for ipchains rulesets and found a lot of junk but
> some OK-looking stuff which I tweaked slightly. A little bit of
> knowledge is a dangerous thing...
>
> Any devastatingly screwups in the following?
>
> ==============================================================================
> Chain input (policy DENY):
> target prot opt source destination ports
> ACCEPT all ------ 127.0.0.1 127.0.0.1 n/a
> TCP_IN tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
> UDP_IN udp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
> ICMP_IN icmp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
> DENY all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
> Chain forward (policy DENY):
> Chain output (policy ACCEPT):
> target prot opt source destination ports
> ACCEPT icmp ------ 0.0.0.0/0 0.0.0.0/0 3 -> *
> ACCEPT icmp ------ 0.0.0.0/0 0.0.0.0/0 8 -> *
> DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 * -> *
> ACCEPT tcp ------ 217.11.171.36 0.0.0.0/0 80 -> 1023:65535
> DENY tcp ----l- 0.0.0.0/0 0.0.0.0/0 0:1023 -> *
> DENY udp ----l- 0.0.0.0/0 0.0.0.0/0 0:1023 -> *
> ACCEPT all ------ 0.0.0.0/0 0.0.0.0/0 n/a
> Chain ICMP_IN (1 references):
> target prot opt source destination ports
> PRIVATE icmp ------ 0.0.0.0/0 0.0.0.0/0 0 -> *
> PRIVATE icmp ------ 0.0.0.0/0 0.0.0.0/0 3:4 -> *
> PRIVATE icmp ------ 0.0.0.0/0 0.0.0.0/0 11:12 -> *
> DENY all ----l- 0.0.0.0/0 0.0.0.0/0 * -> *
> Chain TCP_IN (1 references):
> target prot opt source destination ports
> ACCEPT tcp ------ 0.0.0.0/0 217.11.171.36 1023:65535 -> 80
> DENY tcp ----l- 0.0.0.0/0 0.0.0.0/0 * -> 0:1023
> DENY tcp ----l- 0.0.0.0/0 0.0.0.0/0 * -> 6000:6063
> DENY tcp -y--l- 0.0.0.0/0 0.0.0.0/0 * -> *
> PRIVATE all ------ 0.0.0.0/0 0.0.0.0/0 n/a
> Chain UDP_IN (1 references):
> target prot opt source destination ports
> DENY udp ----l- 0.0.0.0/0 0.0.0.0/0 * -> 0:1023
> DENY udp ----l- 0.0.0.0/0 0.0.0.0/0 * -> 6000:6063
> PRIVATE all ------ 0.0.0.0/0 0.0.0.0/0 n/a
> Chain PRIVATE (5 references):
> target prot opt source destination ports
> DENY all ----l- 10.0.0.0/8 0.0.0.0/0 n/a
> DENY all ----l- 127.0.0.0/8 0.0.0.0/0 n/a
> DENY all ----l- 169.254.0.0/16 0.0.0.0/0 n/a
> DENY all ----l- 172.16.0.0/12 0.0.0.0/0 n/a
> DENY all ----l- 192.168.0.0/16 0.0.0.0/0 n/a
> ACCEPT all ------ 0.0.0.0/0 0.0.0.0/0 n/a
> ==============================================================================
>
> Comments much appreciated.
>
> R
> .-. .-.
> / \ .-. .-. / \
> / \ / \ .-. _ .-. / \ / \
> / \ / \ / \ / \ / \ / \ / \
> / \ / \ / `-' `-' \ / \ / \
> \ / `-' `-' \ /
> `-' `-'
-- Dhiren Patel -- Sr. Web Architect -- Align Technology, Inc.
This archive was generated by hypermail 2b29 : Fri May 18 2001 - 13:02:44 PDT