Michael Schwendt wrote:

>
> On Wed, 12 Mar 2003 00:09:31 +0800, [EMAIL PROTECTED] wrote:
>
> > >   ipchains --policy input DENY
> > >   ipchains --policy output DENY
> > >   ## Allow outgoing traffic from your HTTP/DNS server.
> > >   ipchains -A output -i eth0 -p tcp --sport 80 -j ACCEPT
> > >   ipchains -A output -i eth0 -p tcp --sport 53 -j ACCEPT
> > >   ipchains -A output -i eth0 -p udp --sport 53 -j ACCEPT
> > >   ## Debugging rules.
> > >   ipchains -A input -s 0/0 -d 0/0 -l -j REJECT
> > >   ipchains -A output -s 0/0 -d 0/0 -l -j REJECT
> > >
> > > Note however, that your set of rules is incomplete, and you would
> > > want to allow access to the loopback device, for instance.
> >
> > Okay... Now I want to allow users to use only the following port numbers
> > (services):
> >
> > /sbin/ipchains -A input -i eth0 -p tcp --dport 20 -j ACCEPT
>
> - -snip-
>
> This is going to become a never-ending thread unless you are willing
> to read some documentation. With ipchains -- and provided that you
> intend to open ports explicitly -- each of your open ports needs a
> pair of rules which matches the following pattern (replace 12345 and
> add rules for udp where appropriate):
>
>   ipchains -A input -i eth0 -p tcp --dport 12345 -j ACCEPT
>   ipchains -A output -i eth0 -p tcp --sport 12345 -j ACCEPT
>
> Forget about this if your output chain is open by default. Forget
> about this if you don't know what "ipchains -A" does. Forget about
> this if your input chain doesn't deny/reject any packets.
>
> > So, how can I add the rules (you posted to me in this mail)?
>
> The Red Hat way to install an ipchains based firewall is to do
> the following (doesn't the guide from Red Hat cover this?):
>
>   chkconfig iptables off
>   service iptables stop
>  <<remove any iptables kernel modules if necessary>>
>   chkconfig ipchains on
>   service ipchains stop
>  <<execute ipchains script or commands here, i.e. load rules>>
>   service ipchains save
>   service ipchains start
>
> The command "service ipchains save" stores the currently loaded
> rules into /etc/sysconfig/ipchains where the service script would
> access them upon reboot/start/restart.
>
> > A long time ago, I got the following info from the Internet:
> > --- Begin of  cut --->
> > Run a basic firewall
> >
> >   Redhat comes with a firewall utility called ipchains which can filter and
> > redirect packets for you. Add these rules to /etc/rc.d/rc.local to provide you
>
> I would not recommend using /etc/rc.d/rc.local since it may conflict
> with "service ipchains" and because it is less comfortable to
> maintain.
>
> > with basic security and logging.
> >
> > /sbin/ipchains -F
> > /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 53 -j DENY -l
> > /sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 69 -j DENY -l
> > /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 87 -j DENY -l
> > /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 111 -j DENY -l
> > /sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 111 -j DENY -l
> > /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 2049 -j DENY -l
> > /sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 2049 -j DENY -l
> > /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 512 -j DENY -l
> > /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 513 -j DENY -l
> > /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 514 -j DENY -l
> > /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 515 -j DENY -l
> > /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 540 -j DENY -l
> > /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 2000 -j DENY -l
> > /sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 2000 -j DENY -l
> > /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 6000 -j DENY -l
> >
> >   These rules block connections to certain services which CERT says are bad
> > and dangerous. If you are on a dialup, replace eth0 with ppp0.
> >
> > --- End of cut -->
> >
> > So, are these settings (rules) suitable for ipchains users?
>
> It depends _extremely_ on your _complete set of rules_. The answers
> to your question could fill a book. Using ipchains to close ports
> explicitly is not a good idea because if you forget to close an open
> port or start a service without updating the ipchains rules, the
> running service is exposed to the world when your machine is
> connected to the Internet. I would recommend closing everything by
> default and punching holes into the firewall for every service you
> want to let through.

So, is there any sample of an "ipchains-rule" set?

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
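As an added example that is not part of the original thread, the following script is a default-deny ipchains rule set in the shape Michael Schwendt describes above: DENY policies on every chain, the loopback device opened, one input/output rule pair per explicitly opened service, and logging REJECT rules at the end of each chain. It assumes the external interface is eth0 and that the host offers SSH, HTTP and DNS; the interface name, the port lists, the helper names and the DRY_RUN switch are all assumptions, not anything from the thread or from Red Hat's scripts.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny ipchains rule set with
# DENY policies, loopback open, one input/output rule pair per explicitly
# opened service, and logging REJECT rules last.
# The interface, the port lists and the DRY_RUN switch are assumptions.
# With DRY_RUN=1 (the default) the ipchains commands are printed, not run;
# run as root with DRY_RUN=0, then "service ipchains save" to persist them.

IFACE="${IFACE:-eth0}"
DRY_RUN="${DRY_RUN:-1}"
TCP_SERVICES="22 80 53"   # services this host offers over TCP (assumed)
UDP_SERVICES="53"         # services this host offers over UDP (assumed)

# ipc: print or execute one ipchains command, depending on DRY_RUN.
ipc() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ipchains $*"
    else
        /sbin/ipchains "$@"
    fi
}

# open_service PROTO PORT: the input/output pair one listening service needs.
# ipchains is stateless, so the server's replies must be let out explicitly;
# the --sport match on the output chain is what does that.
open_service() {
    ipc -A input  -i "$IFACE" -p "$1" --dport "$2" -j ACCEPT
    ipc -A output -i "$IFACE" -p "$1" --sport "$2" -j ACCEPT
}

load_rules() {
    ipc -F                          # flush existing rules in all chains
    ipc --policy input DENY         # close everything by default ...
    ipc --policy output DENY
    ipc --policy forward DENY
    ipc -A input  -i lo -j ACCEPT   # ... except the loopback device
    ipc -A output -i lo -j ACCEPT
    for port in $TCP_SERVICES; do open_service tcp "$port"; done
    for port in $UDP_SERVICES; do open_service udp "$port"; done
    # Anything not explicitly allowed is rejected and logged (-l), so a
    # forgotten service shows up in syslog instead of silently failing.
    ipc -A input  -s 0/0 -d 0/0 -l -j REJECT
    ipc -A output -s 0/0 -d 0/0 -l -j REJECT
}

# count_target TARGET: how many generated rules jump to TARGET (dry run only).
count_target() {
    ( DRY_RUN=1; load_rules ) | grep -c -- "-j $1"
}

# rule_count: total number of generated ipchains commands (dry run only).
rule_count() {
    ( DRY_RUN=1; load_rules ) | grep -c ''
}

load_rules
```

Running the script as-is prints the sixteen commands it would issue; review that list, then run it with DRY_RUN=0 as root and follow with "service ipchains save" so the rules land in /etc/sysconfig/ipchains rather than in /etc/rc.d/rc.local. Adding a service means adding one port to TCP_SERVICES or UDP_SERVICES, which is the "punch a hole" step Michael recommends; a service started without that step is rejected and logged instead of being exposed.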