The -P flag sets the default policy that will be used if no other rule
is matched. A default poicy of deny or reject is a good idea as a
catchall rule in addition to a rule that basically does the same thing
but provides logging. I like it primarily because the syntax is so
simple even I can look at it and know that anything I don't explicitly
do something else with will be dropped. A lot of the scripts use a rule
similar to the ones given
ipchains -A input -s 0/0 -d 0/0 -j REJECT -l
ipchains -A output -s 0/0 -d 0/0 -j REJECT -l
inorder to log the rejection and get an idea of how often the rule (that
is actually synonymous with the policy) is used.
Anyway the primary difference is the -P vs the -A. P= default policy
and A= add rule.
Hope this helps,
Bret
Philippe Moutarlier wrote:
>
> I am a little confused with your explanation. I could experience the same as
> Wellington but the, when you start (as you should) with :
>
> > > ipchains -P input REJECT
> > > ipchains -P output REJECT
> > > ipchains -P forward REJECT
>
> Those rules match everything for the given chains (input, output and forward) don't
>they ? In that case, why is ipchains still going down to find other matching rules ?
>
> Thanks
>
> Philippe
>
> Bret Hughes <[EMAIL PROTECTED]> writes:
>
> > Wellington Terumi Uemura wrote:
> >
> > > Question 1:
> > > Here is my basic script:
> > > #!/bin/sh
> > > PATH=/sbin
> > >
> > > ipchains -P input ACCEPT
> > > ipchains -P output ACCEPT
> > > ipchains -P forward ACCEPT
> > > ipchains -F
> > > ipchains -P input REJECT
> > > ipchains -P output REJECT
> > > ipchains -P forward REJECT
> > > ipchains -A input -p tcp -s 192.168.0.0/24 -d 192.168.1.3 22 -j ACCEPT
> > > ipchains -A input -p tcp -s 192.168.0.0/24 -d 192.168.1.3 23 -j ACCEPT
> > > ipchains -A output -p tcp -s 192.168.1.3 22 -d 192.168.0.0/24 -j ACCEPT
> > > ipchains -A output -p tcp -s 192.168.1.3 23 -d 192.168.0.0/24 -j ACCEPT
> > > ipchains -A input -s 0/0 -d 0/0 -j REJECT -l
> > > ipchains -A output -s 0/0 -d 0/0 -j REJECT -l
> > >
> > > The last two lines that i want to know about,if i move then to the top of
> > > the script even if i open the telnet and ssh like i did,the ipchains dont
> > > accept connections for telnet and ssh,why???
> > > I use this last two lines for debug proposes and i know if i comment this
> > > lines out,everything bellow will work,but i dont understand the why!
> > >
> >
> > I believe IP chains cruises down the "chain" of rules until one matches.
> > then does what ever the target is. It can be another set of rules or
> > one of the special actions like REJECT. By putting these lines first the
> > packet matches the rule, and rejects the packet and stops. Order is
> > important since each rule is examined in the order they appear and if
> > matched no other action will be taken.
> >
> > >From the ipchains man page
> >
> > TARGETS
> > A firewall rule specifies criteria for a packet, and a
> > target. If the packet does not match, the next rule in
> > the chain is the examined; if it does match, then the next
> > rule is specified by the value of the target, which can be
> > the name of a user-defined chain, or one of the special
> > values ACCEPT, DENY, REJECT, MASQ, REDIRECT, or RETURN.
> >
> > In this case the 0/0 notation must mean all hosts. I am used to seeing
> > it as 0.0.0.0/0 but this is more concise. It threw me a little because
> > I have not messed with this stuff for a while and had to figure out the
> > host src and dest notation.
> >
> >
> > Hope this helps.
> >
> > Bret
> >
> > > Question 2
> > > Every body know about hackers doing party on internet servers they dont
> > > own,so,i have an idea and doesn't know if this it's possible.
> > > If we put a prog to check our systems ( servers ) like portsentry,iplogger
> > > or whatever and create a script or program to filter this logs,grab the
> > > attackers IP, and auto-generate ipchains rules against the intruder???
> > > I mean,to take over a server you need to scan it first,or do an search on
> > > open ports and then attack(DOS attacks and many others).For example,port
> > > scanners searchs are fast ( last than 1 sec for x ports ) but they come from
> > > the same source,taking base on this "magic program or script" will lock up
> > > IPs that change from one port to another in x secs and then generate an
> > > ipchains whatever -j REJECT.
> > > This is just a idea,and example,this kind a prog cam be made or allready
> > > exist?
> > >
> > > Thanks
> > > ______________________________________________________
> > > Get Your Private, Free Email at http://www.hotmail.com
> > >
> > > --
> > > To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> > > as the Subject.
> >
> >
> > --
> > To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> > as the Subject.
>
> --
> To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> as the Subject.
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
