Hi Folks,
I recently decided to try my hand at firewalling my little ol' linux box
from the big bad 'net. Would some kind person be able to give some kind of
appraisal for the following rules? Constructive criticism welcome :)
I do know that this is a little inefficient, I will be putting most things
into a custom chain, and I also don't do logging. The goal here is just to
aid in securing the box.
Thanks in advance,
Chris.
-----------first attempt at ipchain rules!--------------------------------
#!/bin/sh
#
# deny all incoming traffic
# allow all traffic on eth interfaces
# allow all traffic on lo interface
#
# flush the chains first so re-running the script does not append duplicates
/sbin/ipchains -F input
/sbin/ipchains -F forward
/sbin/ipchains -P input DENY
/sbin/ipchains -A input -i eth+ -j ACCEPT
/sbin/ipchains -A input -i lo+ -j ACCEPT
#
# SETTINGS FOR ppp+ interface
#
# allow all ESTABLISHED connections, ie: no more incoming connections
# on interface ppp ("! -y" matches every tcp packet that is not a bare SYN)
/sbin/ipchains -A input -i ppp+ -p tcp ! -y -j ACCEPT
# allow incoming connection on port 20 (ftp data)
/sbin/ipchains -A input -i ppp+ -p tcp -y -d 0/0 20 -j ACCEPT
# allow incoming connection on port 21 (ftp)
/sbin/ipchains -A input -i ppp+ -p tcp -y -d 0/0 21 -j ACCEPT
# allow incoming connection on port 22 (ssh)
/sbin/ipchains -A input -i ppp+ -p tcp -y -d 0/0 22 -j ACCEPT
# allow incoming connection on port 53 (DNS stuff)
/sbin/ipchains -A input -i ppp+ -p tcp -y -d 0/0 53 -j ACCEPT
# allow fragmented packets (-f matches second and later fragments of any
# protocol; they carry no port or flag information)
/sbin/ipchains -A input -i ppp+ -f -j ACCEPT
# allow udp from ports 53 (dns) and 4000 (icq)
/sbin/ipchains -A input -i ppp+ -p udp -s 0/0 53 -j ACCEPT
/sbin/ipchains -A input -i ppp+ -p udp -s 0/0 4000 -j ACCEPT
# allow udp traffic to port 22 (ssh) (ssh is tcp-only, so this rule is harmless but unused)
/sbin/ipchains -A input -i ppp+ -p udp -d 0/0 22 -j ACCEPT
# allow icmp traffic
/sbin/ipchains -A input -i ppp+ -p icmp -j ACCEPT
# to turn on spoof protection, set rp_filter on every interface, not only "all"
# (ideally done before any network interfaces are initialised)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done
#
# MASQUERADING crap
#
/sbin/insmod ip_masq_ftp
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i ppp0 -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# shitty ftp!
#
# NOTE: no -y on these two, so they also accept brand-new inbound connections
# to every tcp port 1025-5999 and 6020 upwards, not just passive ftp data
/sbin/ipchains -A input -i ppp+ -p tcp -d 0/0 1025:5999 -j ACCEPT
/sbin/ipchains -A input -i ppp+ -p tcp -d 0/0 6020: -j ACCEPT
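As an added illustration (not part of Chris's post or of ipchains), here is a small Python evaluator that transcribes the input chain above and applies ipchains first-match semantics, so you can see which packets the ruleset actually lets in; the rule and packet representation, and the `new_tcp` helper, are my own constructions.

```python
# Constructed first-match evaluator for the posted 'input' chain; it transcribes
# the rules above and is not ipchains itself. Ports are (low, high) ranges.
ANY = (0, 65535)

def rule(iface, proto=None, syn=None, sport=ANY, dport=ANY, frag=False, target="ACCEPT"):
    """One ipchains rule; iface is the prefix before '+' (eth+, lo+, ppp+)."""
    return dict(iface=iface, proto=proto, syn=syn, sport=sport, dport=dport,
                frag=frag, target=target)

POLICY = "DENY"                                   # ipchains -P input DENY
INPUT_CHAIN = [
    rule("eth"), rule("lo"),
    rule("ppp", proto="tcp", syn=False),           # ! -y : replies to our own flows
    *[rule("ppp", proto="tcp", syn=True, dport=(p, p)) for p in (20, 21, 22, 53)],
    rule("ppp", frag=True),                        # -f : non-first fragments
    rule("ppp", proto="udp", sport=(53, 53)),
    rule("ppp", proto="udp", sport=(4000, 4000)),
    rule("ppp", proto="udp", dport=(22, 22)),
    rule("ppp", proto="icmp"),
    rule("ppp", proto="tcp", dport=(1025, 5999)),  # the "shitty ftp" rules: no -y,
    rule("ppp", proto="tcp", dport=(6020, 65535)), # so new inbound SYNs match too
]

def matches(r, pkt):
    """Does rule r match the packet dict pkt (iface, proto, syn, sport, dport, frag)?"""
    if not pkt["iface"].startswith(r["iface"]):
        return False
    if r["proto"] is not None and r["proto"] != pkt["proto"]:
        return False
    if pkt.get("frag"):
        # A non-first fragment has no ports or TCP flags, so rules that name
        # them cannot match it; -f rules and bare protocol/interface rules do.
        return r["syn"] is None and r["sport"] == ANY and r["dport"] == ANY
    if r["frag"] or (r["syn"] is not None and r["syn"] != pkt.get("syn", False)):
        return False
    return (r["sport"][0] <= pkt.get("sport", 0) <= r["sport"][1]
            and r["dport"][0] <= pkt.get("dport", 0) <= r["dport"][1])

def verdict(pkt, chain=INPUT_CHAIN, policy=POLICY):
    """Return (target, rule number) of the first match, or (policy, None)."""
    for n, r in enumerate(chain, 1):
        if matches(r, pkt):
            return r["target"], n
    return policy, None

def new_tcp(iface, dport, sport=40000, syn=True):
    """Constructed TCP packet; syn=True means a fresh inbound connection attempt."""
    return dict(iface=iface, proto="tcp", syn=syn, sport=sport, dport=dport)
```

Running `verdict(new_tcp("ppp0", 3000))` returns ACCEPT via rule 13 while port 80 falls through to the DENY policy, which is the high-port exposure the two ftp rules create.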