When I'm _not_ connected to the internet via ppp0, I can type 
   ipchains -L
and ipchains responds immediately.  After I connect (ifup ppp0), there are long
delays in ipchains' output.  However, if I use
   ipchains -nL
the delays are gone.  This occurs even if I use a ruleset that allows
everything and simply enables forwarding (IPMASQ).

Any ideas?  Even making the modifications you gave, ipchains slows the network
down...I think that whatever is causing the delays in the ipchains output is
causing the slow network connections.

I've included my newly modified script for your perusal.

Thanks,
Ben

#!/bin/bash
#
# This script is to be used with the 2.2 Kernel and IPCHAINS and will not
# work on the older Kernels (2.0.x) or the new 2.3/2.4 series.
#
# Be warned, this is a very restrictive set of firewall rules (and they
# should be, for proper security). Anything that you do not _specifically_
# allow is logged and dropped into /dev/null, so if you're wondering why
# something isn't working, check /var/log/messages.
#
# This is about as close as you get to a 'secure' firewall. It's nasty,
# it's harsh, and it will make your machine nearly invisible to the rest
# of the internet world. Have fun.
#
# To run this script you must 'chmod 700 ipchains-script' and then execute
# it. To stop it from running, run 'ipchains -F'
#
# If you have a ppp connection, a neat thing to do is to add the path of
# the script to your /etc/ppp/ip-up file so that every time you connect, it
# will automatically run the script.
#
# If you have dsl/cable you can have this script start up at boot time by 
# placing it in your startup files located in /etc/rc.d/rc.local for
# Red Hat Linux and /etc/init.d/rcS for Debian GNU/Linux
#
# Please feel free to email us with questions/problems that you might have
# when using this guide.
#
# Davion <[EMAIL PROTECTED]>
# lyte <[EMAIL PROTECTED]>

#Point this to your copy of ipchains
IPC="/sbin/ipchains"

#Flush old rules, delete the firewall chain if it exists
$IPC -F
$IPC -F firewall
$IPC -X firewall
$IPC -P input DENY

#Set up the firewall chain: log (-l) and deny everything sent here, so the
#drops show up in /var/log/messages as the header promises
$IPC -N firewall
$IPC -A firewall -l -j DENY


#Accept ourselves on the loopback interface; anything claiming a 127.x.x.x
#address on any other interface (-b covers both directions) is spoofed and
#goes to the firewall chain
$IPC -A input -i lo -j ACCEPT
$IPC -A input -s 127.0.0.0/8 -b -j firewall
# $IPC -A input -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT

#Set up masquerading (IPMASQ). Change the IP to your internal network;
#comment these three lines out if you do not want to forward at all.
$IPC -P forward ACCEPT
$IPC -A forward -s 192.168.1.0/24 -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward

#Accept DNS replies, 'cause it's warm and friendly, and ident (113) in
#both directions so mail and irc servers don't stall waiting on it
$IPC -A input -p udp --source-port 53 -j ACCEPT
$IPC -A input -p tcp --source-port 113 -j ACCEPT
$IPC -A input -p tcp --destination-port 113 -j ACCEPT

#Allow active-mode ftp to send data back (server port 20 to our high ports).
$IPC -A input -p tcp --source-port 20 --destination-port 1024:65535 -j ACCEPT

#Accept SSH. Duh.
#$IPC -A input -p tcp --destination-port 22 -j ACCEPT

#Accept mail, uncomment this if you run a mail server.
#$IPC -A input -p tcp --destination-port 25 -j ACCEPT

#Accept HTTPd Requests, uncomment this if you run a web server.
#$IPC -A input -p tcp --destination-port 80 -j ACCEPT

#Send everything else to the firewall. For ICMP, ipchains reads
#--source-port as the ICMP type and --destination-port as the ICMP code,
#so type 0 / code 0 below is echo-reply (answers to our own pings).
$IPC -A input -p icmp --source-port 0 --destination-port 0 -j ACCEPT
$IPC -A input -i ppp0 -p icmp -j firewall
$IPC -A input -i ppp0 -p tcp --destination-port ! 1024:65535 -j firewall
$IPC -A input -i ppp0 -p udp --destination-port ! 1024:65535 -j firewall

$IPC -A input -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0 -j ACCEPT
$IPC -A input -p tcp --syn -j firewall
$IPC -A input -p udp -j ACCEPT

$IPC -A input -i eth0 -p icmp -j ACCEPT
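The header comments suggest running the script from /etc/ppp/ip-up on every connect. As an added example (mine, not Ben's and not part of the Davion/lyte script), here is a POSIX sh fragment for that hook that only reloads the rules for the interface they name; the script path /usr/local/sbin/ipchains-script and the function name are assumptions, and it relies on pppd passing ip-up the interface name as its first argument.

```shell
#!/bin/sh
# Added example: a fragment for /etc/ppp/ip-up (hypothetical, not from the post).
# pppd invokes ip-up with these positional arguments:
#   $1 interface  $2 tty device  $3 speed  $4 local IP  $5 remote IP  $6 ipparam
# The ruleset above names ppp0 explicitly, so only reload it for that interface.

# Assumed location of the ipchains script from the post.
FIREWALL_SCRIPT="${FIREWALL_SCRIPT:-/usr/local/sbin/ipchains-script}"
# Interface the rules were written for.
FIREWALL_IFACE="${FIREWALL_IFACE:-ppp0}"

# Usage: run_firewall_on_up "$@"   (ip-up's own arguments)
# Returns 0 when the rules were loaded, 1 for another interface,
# 2 when the script is missing or not executable, 3 when the script failed.
run_firewall_on_up() {
    iface="$1"
    local_ip="$4"
    remote_ip="$5"

    [ "$iface" = "$FIREWALL_IFACE" ] || return 1
    [ -x "$FIREWALL_SCRIPT" ] || return 2

    "$FIREWALL_SCRIPT" || return 3

    # Leave a trace in syslog so a reload shows up in /var/log/messages
    # next to the firewall's own log lines.
    if command -v logger >/dev/null 2>&1; then
        logger -t ip-up "firewall rules loaded on $iface ($local_ip -> $remote_ip)" 2>/dev/null || :
    fi
    return 0
}

# When run directly by pppd, act on the arguments it passed.
if [ $# -ge 1 ]; then
    run_firewall_on_up "$@"
fi
```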



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list