On Wed, 12 Mar 2003 00:09:31 +0800, [EMAIL PROTECTED] wrote:
> > ipchains --policy input DENY
> > ipchains --policy output DENY
> > ## Allow outgoing traffic from your HTTP/DNS server.
> > ipchains -A output -i eth0 -p tcp --sport 80 -j ACCEPT
> > ipchains -A output -i eth0 -p tcp --sport 53 -j ACCEPT
> > ipchains -A output -i eth0 -p udp --sport 53 -j ACCEPT
> > ## Debugging rules.
> > ipchains -A input -s 0/0 -d 0/0 -l -j REJECT
> > ipchains -A output -s 0/0 -d 0/0 -l -j REJECT
> >
> > Note, however, that your set of rules is incomplete, and you would
> > want to allow access to the loopback device, for instance.
>
> Okay... Now I want users to be able to use only the following port
> numbers (services):
>
> /sbin/ipchains -A input -i eth0 -p tcp --dport 20 -j ACCEPT
-snip-

This is going to become a never-ending thread unless you are willing to read some documentation.

With ipchains -- and provided that you intend to open ports explicitly -- each of your open ports needs a pair of rules which matches the following pattern (replace 12345 and add rules for udp where appropriate):

ipchains -A input -i eth0 -p tcp --dport 12345 -j ACCEPT
ipchains -A output -i eth0 -p tcp --sport 12345 -j ACCEPT

Forget about this if your output chain is open by default.
Forget about this if you don't know what "ipchains -A" does.
Forget about this if your input chain doesn't deny/reject any packets.

> So, how can I add the rules (you posted to me in this mail)?

The Red Hat way to install an ipchains-based firewall is to do the following (doesn't the guide from Red Hat cover this?):

chkconfig iptables off
service iptables stop
<<remove any iptables kernel modules if necessary>>
chkconfig ipchains on
service ipchains stop
<<execute ipchains script or commands here, i.e. load rules>>
service ipchains save
service ipchains start

The command "service ipchains save" stores the currently loaded rules into /etc/sysconfig/ipchains, where the service script accesses them upon reboot/start/restart.
> A long time ago, I got the following info from the Internet:
> --- Begin of cut --->
> Run a basic firewall
>
> Redhat comes with a firewall utility called ipchains which can filter and
> redirect packets for you. Add these rules to /etc/rc.d/rc.local to provide you

I would not recommend using /etc/rc.d/rc.local, since it may conflict with "service ipchains" and because it is less comfortable to maintain.

> with basic security and logging.
>
> /sbin/ipchains -F
> /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 53 -j DENY -l
> /sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 69 -j DENY -l
> /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 87 -j DENY -l
> /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 111 -j DENY -l
> /sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 111 -j DENY -l
> /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 2049 -j DENY -l
> /sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 2049 -j DENY -l
> /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 512 -j DENY -l
> /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 513 -j DENY -l
> /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 514 -j DENY -l
> /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 515 -j DENY -l
> /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 540 -j DENY -l
> /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 2000 -j DENY -l
> /sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 2000 -j DENY -l
> /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 6000 -j DENY -l
>
> These rules block connections to certain services which CERT says are bad
> and dangerous. If you are on a dialup, replace eth0 with ppp0.
>
> --- End of cut -->
>
> So, are these settings (rules) suitable for ipchains users?

It depends _extremely_ on your _complete set of rules_. The answers to your question could fill a book.
Using ipchains to close ports explicitly is not a good idea because if you forget to close an open port or start a service without updating the ipchains rules, the running service is exposed to the world when your machine is connected to the Internet. I would recommend closing everything by default and punching holes into the firewall for every service you want to let through.
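As an added example (not part of the mail above, and not Red Hat's or the ipchains project's own code), the following POSIX shell script builds the default-deny rule set the reply describes: DENY policies on both chains, the loopback device the original poster forgot, one input/output ACCEPT pair per explicitly opened port, and the logging REJECT catch-alls at the end. It runs in dry-run mode and only prints the commands unless `IPCHAINS` is pointed at the real binary; the interface `eth0`, the `PROTO:PORT` service list and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the mail or from Red Hat): generates the default-deny
# ipchains rule set described in the reply. Dry run by default: each command is
# printed instead of executed. Set IPCHAINS=/sbin/ipchains to really load them.
# The interface name and the service list below are assumptions.

IPCHAINS="${IPCHAINS:-echo ipchains}"   # dry run: print each rule
IFACE="${IFACE:-eth0}"                  # external interface (assumed)

# rule ARGS...: hand one ipchains command line to $IPCHAINS. Left unquoted on
# purpose so that "echo ipchains" splits into command and first argument.
rule() {
    $IPCHAINS "$@"
}

# open_port PROTO PORT: the input/output pair that every explicitly opened
# port needs once both chain policies are DENY.
open_port() {
    rule -A input  -i "$IFACE" -p "$1" --dport "$2" -j ACCEPT
    rule -A output -i "$IFACE" -p "$1" --sport "$2" -j ACCEPT
}

# build_ruleset "PROTO:PORT ...": flush, deny everything by default, allow the
# loopback device (missing from the original poster's rules), punch one hole
# per listed service, then log and reject whatever is left.
build_ruleset() {
    rule -F
    rule --policy input DENY
    rule --policy output DENY
    rule -A input  -i lo -j ACCEPT
    rule -A output -i lo -j ACCEPT
    for svc in $1; do
        open_port "${svc%%:*}" "${svc##*:}"
    done
    rule -A input  -s 0/0 -d 0/0 -l -j REJECT
    rule -A output -s 0/0 -d 0/0 -l -j REJECT
}

# count_accepts "PROTO:PORT ...": number of ACCEPT rules the set would contain
# (two for loopback plus two per service), computed from a dry run so that the
# generated set can be checked before anything is loaded.
count_accepts() {
    ( IPCHAINS="echo ipchains"; build_ruleset "$1" ) | grep -c -- '-j ACCEPT'
}

# Example: an HTTP/DNS server such as the one in the thread, in dry-run mode.
build_ruleset "tcp:80 tcp:53 udp:53"
```

Review the dry-run output first; once it looks right, run the script with `IPCHAINS=/sbin/ipchains` in place of the "execute ipchains script or commands here" step of the sequence above, then `service ipchains save` and `service ipchains start` so the rules are restored from /etc/sysconfig/ipchains on the next boot.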