[OLUG] firewall margins

puzzled puzzled at home.com
Fri Mar 10 06:23:48 UTC 2000


and none of that foolish 72 char wrap business either ... just edited the external interface
address, DNS addresses, and go - 'scuse me for not getting the first post correct.

#!/bin/sh

# Flush all three built-in chains, then set default policies: anything not
# explicitly accepted below is dropped (input) or rejected (output/forward).
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
/sbin/ipchains -P input DENY
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT
# Note: the input chain also sees loopback (lo) packets, so with DENY as the
# default policy, local services talking over 127.0.0.1 need their own rule.

# www set to fast. nothing is fast on a dial in connection :-)
#/sbin/ipchains -A output -i eth1 -p tcp -d 0/0 80 -t 0x01 0x10

# Allow outgoing packets - this works for web only
/sbin/ipchains -A output -i eth1 -p tcp -s 24.3.233.101  -d 0/0 80 -j ACCEPT
/sbin/ipchains -A output -i eth1 -p tcp -s 24.3.233.101  -d 0/0 443 -j ACCEPT

# Allow returning packets for web only. `! -y` restricts these to non-SYN
# packets: without it, a remote host using source port 80/443 could open a
# fresh connection to any local port >= 1024.
/sbin/ipchains -A input -i eth1 -p tcp ! -y -s 0/0 80 -d 24.3.233.101 1024: -j ACCEPT
/sbin/ipchains -A input -i eth1 -p tcp ! -y -s 0/0 443 -d 24.3.233.101 1024: -j ACCEPT

# DNS like I said *must* have TCP/53 as well as UDP/53 if we really want DNS to work
/sbin/ipchains -A output -i eth1 -p udp -s 24.3.233.101 -d 24.3.232.33 53    -j ACCEPT
/sbin/ipchains -A output -i eth1 -p tcp -s 24.3.233.101 -d 24.3.232.33 53    -j ACCEPT
/sbin/ipchains -A input  -i eth1 -p udp -s 24.3.232.33  -d 24.3.233.101 1024: -j ACCEPT
# Same `! -y` treatment for the TCP/53 return path (UDP has no SYN flag).
/sbin/ipchains -A input  -i eth1 -p tcp ! -y -s 24.3.232.33  -d 24.3.233.101 1024: -j ACCEPT

# ICMP isn't much use if it's only allowed to return to you, eh?
/sbin/ipchains -A output -i eth1 -p icmp -s 24.3.233.101 -d 0/0 -j ACCEPT

# original ICMP rules - for -p icmp the number after the source address is the
# ICMP type: 0 echo-reply, 3 destination-unreachable, 4 source-quench,
# 11 time-exceeded, 12 parameter-problem. Echo-request (8) is not accepted,
# so the box does not answer inbound pings.
/sbin/ipchains -A input -i eth1 -p icmp -s 0/0 0 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p icmp -s 0/0 3 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p icmp -s 0/0 4 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p icmp -s 0/0 11 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p icmp -s 0/0 12 -j ACCEPT
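
Added example, not part of the original post: a small Python evaluator that parses ipchains rule lines in the format used above and walks a chain the way the kernel does (first match wins, then the chain policy). It compares the web "returning packets" input rule with and without `! -y` to show that the version without it also admits a brand-new inbound SYN from a remote source port 80; the 10.0.0.9 peer address and the packets are constructed samples.

```python
import shlex

# Constructed sample: the web "returning packets" rule without `! -y` (matches any
# TCP packet from source port 80, new connections included) and with it.
ORIGINAL = """
/sbin/ipchains -A output -i eth1 -p tcp -s 24.3.233.101 -d 0/0 80 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p tcp -s 0/0 80 -d 24.3.233.101 1024: -j ACCEPT
"""
HARDENED = ORIGINAL.replace("-p tcp -s 0/0 80", "-p tcp ! -y -s 0/0 80")
POLICY = {"input": "DENY", "output": "REJECT", "forward": "REJECT"}   # as in the posted script

def parse_rule(line):
    """Turn one `ipchains -A <chain> ...` line into a match dict (None for other lines)."""
    tok = shlex.split(line.split("#", 1)[0])
    if len(tok) < 3 or tok[1] != "-A":
        return None
    r, i = {"chain": tok[2], "not_syn": False}, 3
    while i < len(tok):
        t, arg = tok[i], (tok[i + 1] if i + 1 < len(tok) else None)
        if t == "!" and arg == "-y":                      # match only non-SYN packets
            r["not_syn"], i = True, i + 2
        elif t in ("-s", "-d", "-p", "-j", "-i"):
            r[t], i = arg, i + 2
            # -s/-d may be followed by a port (or ICMP type) spec, e.g. `-d 0/0 80`
            if t in ("-s", "-d") and i < len(tok) and not tok[i].startswith(("-", "!")):
                r[t + "port"], i = tok[i], i + 1
        else:
            i += 1
    return r

def match_port(spec, port):
    """Port spec: absent = any, 'N' = exactly N, 'N:' = N and above."""
    return spec is None or (port >= int(spec[:-1]) if spec.endswith(":") else port == int(spec))

def match_addr(spec, addr):
    return spec in (None, "0/0") or spec == addr

def verdict(script, pkt):
    """Walk the packet's chain in order; first matching rule wins, else the chain policy."""
    for r in filter(None, map(parse_rule, script.splitlines())):
        if (r["chain"] == pkt["chain"] and r.get("-p", pkt["proto"]) == pkt["proto"]
                and match_addr(r.get("-s"), pkt["src"]) and match_addr(r.get("-d"), pkt["dst"])
                and match_port(r.get("-sport"), pkt["sport"]) and match_port(r.get("-dport"), pkt["dport"])
                and not (r["not_syn"] and pkt["syn"])):
            return r["-j"]
    return POLICY[pkt["chain"]]

# Constructed packets: a fresh SYN from a remote host's port 80 to a local unprivileged port,
# and a genuine reply (no SYN) on the same 5-tuple.
PROBE = dict(chain="input", proto="tcp", src="10.0.0.9", sport=80, dst="24.3.233.101", dport=1025, syn=True)
REPLY = dict(PROBE, syn=False)
```

Running `verdict(ORIGINAL, PROBE)` versus `verdict(HARDENED, PROBE)` is the quickest way to see the difference; the reply packet is accepted by both variants.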
-------------------------------------------------------------------------
Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/ 