Greetings,
I've included my IPCHAINS ruleset. I have a two computer LAN with 192.168.1.40
running IP MASQ for 192.168.1.41. The IPCHAINS ruleset allows the MASQed
computer (192.168.1.41) to use my ppp connection just fine, but causes
increasingly slow pings. That is, if I ping someplace (say my ISP) from either
of the two computers, the number of milliseconds it takes increases with each
ping. It'll start at a reasonable time--maybe 150ms--and steadily
increase... I've let it get as high as 13,000ms!
If I flush the ruleset, it pings fine.
I'd like the ruleset to make all my ports undetectable "stealth", except I need
ICQ to work and I've got qmail set up, so I need it to accept local connections
to port 25.
If anyone can tell me how to rewrite the script so that it'll work, I'd greatly
appreciate it.
Ben Logan
----Begin script------
#!/bin/bash
#
# This script is to be used with the 2.2 Kernel and IPCHAINS and will not
# work on the older Kernels (2.0.x) or the new 2.3/2.4 series.
#
# Be warned, this is a very restrictive set of firewall rules (and they
# should be, for proper security). Anything that you do not _specifically_
# allow is logged and dropped into /dev/null, so if you're wondering why
# something isn't working, check /var/log/messages.
#
# This is about as close as you get to a 'secure' firewall. It's nasty,
# it's harsh, and it will make your machine nearly invisible to the rest
# of the internet world. Have fun.
#
# To run this script you must 'chmod 700 ipchains-script' and then execute
# it. To stop it from running, run 'ipchains -F'
#
# If you have a ppp connection, a neat thing to do is to add the path of
# the script to your /etc/ppp/ip-up file so that everytime you connect, it
# will automatically run the script.
#
# If you have dsl/cable you can have this script start up at boot time by
# placing it in your startup files located in /etc/rc.d/rc.local for
# Red Hat Linux and /etc/init.d/rcS for Debian GNU/Linux
#
# Please feel free to email us with questions/problems that you might have
# when using this guide.
#
# Davion <[EMAIL PROTECTED]>
# lyte <[EMAIL PROTECTED]>
#Point this to your copy of ipchains
IPC="/sbin/ipchains"
#Flush old rules, delete the firewall chain if it exists
#(the errors on a fresh boot, when the chain does not exist yet, are harmless)
$IPC -F
$IPC -F firewall 2>/dev/null
$IPC -X firewall 2>/dev/null
#Set up the firewall chain: log (-l) and then deny, so that denied packets
#actually appear in /var/log/messages as the header promises
$IPC -N firewall
$IPC -A firewall -j DENY -l
#Accept ourselves
$IPC -A input -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
#Setup Masquerading. Change the IP to your internal network and uncomment
#this in order to enable it.
$IPC -P forward ACCEPT
$IPC -A forward -s 192.168.1.0/24 -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward
#Accept DNS, 'cause it's warm and friendly
$IPC -A input -p udp --source-port 53 -j ACCEPT
$IPC -A input -p tcp --source-port 113 -j ACCEPT
$IPC -A input -p tcp --destination-port 113 -j ACCEPT
#Allow ftp to send data back and forth.
$IPC -A input -p tcp --source-port 20 --destination-port 1024:65535 -j ACCEPT
#Accept SSH. Duh.
#$IPC -A input -p tcp --destination-port 22 -j ACCEPT
#Accept mail, uncomment this if you run a mail server.
#$IPC -A input -p tcp --destination-port 25 -j ACCEPT
#Accept HTTPd Requests, uncomment this if you run a web server.
#$IPC -A input -p tcp --destination-port 80 -j ACCEPT
#Send everything else to the firewall.
#$IPC -A input -p icmp -j firewall
$IPC -A input -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0 -j ACCEPT
$IPC -A input -p tcp --syn -j firewall
$IPC -A input -p udp -j ACCEPT
----End script------
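An added example, not Ben's script or anything posted by Davion and lyte: an ipchains ruleset with explicit default policies that covers the stated needs (default DENY with logging for stealth, port 25 for qmail, ICMP echo replies so ping keeps working) and a dry-run mode that prints the commands for review on any machine. The ppp0 interface name and the UDP high-port rule for ICQ are assumptions; it does not claim to explain the growing ping times.

```shell
#!/bin/bash
# Added example, not the poster's script: ipchains rules with explicit default
# policies, so nothing falls through to the kernel's built-in default of ACCEPT.
# MODE=dry (default) prints the commands; MODE=apply runs them (needs root,
# a 2.2 kernel and /sbin/ipchains).
MODE="${MODE:-dry}"
IPC=/sbin/ipchains
EXT=ppp0                 # assumption: the dial-up interface name
LAN=192.168.1.0/24       # internal network from the post

ipc() { if [ "$MODE" = apply ]; then "$IPC" "$@"; else echo "$IPC $*"; fi; }

build_rules() {
    ipc -F
    ipc -P input DENY        # stealth: unsolicited packets are dropped, no RST/unreachable goes back
    ipc -P output ACCEPT
    ipc -P forward DENY
    ipc -A input -i lo -j ACCEPT
    ipc -A input -i eth0 -s "$LAN" -j ACCEPT
    ipc -A input -i "$EXT" -s "$LAN" -j DENY -l    # anti-spoof: LAN addresses never arrive via ppp
    # replies to our own pings, plus the ICMP errors that TCP and UDP rely on
    ipc -A input -i "$EXT" -p icmp --icmp-type echo-reply -j ACCEPT
    ipc -A input -i "$EXT" -p icmp --icmp-type destination-unreachable -j ACCEPT
    ipc -A input -i "$EXT" -p icmp --icmp-type time-exceeded -j ACCEPT
    # ipchains is stateless: accept non-SYN TCP (replies to connections we opened)
    # and UDP to unprivileged ports (DNS answers, ICQ; assumption about ICQ's ports)
    ipc -A input -i "$EXT" -p tcp ! --syn -j ACCEPT
    ipc -A input -i "$EXT" -p udp --destination-port 1024:65535 -j ACCEPT
    ipc -A input -i "$EXT" -p tcp --destination-port 25 -j ACCEPT   # qmail
    ipc -A input -i "$EXT" -j DENY -l                               # log what would be dropped
    ipc -A forward -i "$EXT" -s "$LAN" -j MASQ                      # -i on forward = outgoing iface
}

enable_forwarding() {
    if [ "$MODE" = apply ]; then echo 1 > /proc/sys/net/ipv4/ip_forward
    else echo "echo 1 > /proc/sys/net/ipv4/ip_forward"; fi
}

build_rules
enable_forwarding
```

Run it once in dry mode, read the printed rules, then run it with MODE=apply; `ipchains -L -v` afterwards shows which rule each packet class is hitting.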
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list