Pieter,

Based on your message here's what I have. Problem is I still can't do 
anything from the local machine. Can't www, ftp,  ping, etc. Can you take a 
quick look?

Couple other questions:
-What is EXTLAN? Doesn't appear to be used anywhere.

-If I wanted to open up some specific ports, like 10000-10500, would this 
be correct?
-ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 10000:10500 -j ACCEPT

-What about Virtual IPs? Let's say I have a virtual IP of 192.168.1.9. Just 
add another set of rules for each?

Thanks,
James


echo Loading IPChains
insmod ipchains
echo Settings Vars

#NICs
ANY="any/0"
EXT="eth0"
LPB="lo"

#IP Address
EXTIP="192.168.1.8"

#IP Ranges
EXTLAN="192.168.1.0/24"

PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
ALLPORTS="0:65535"

echo Clearing Firewall Rules
ipchains -F

echo Setting Default Rules - Deny All
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY

#echo Setting IP Kernel Options and Loading Modules - If you want to
#depmod -a
#modprobe ip_masq_ftp
#modprobe ip_masq_raudio
#modprobe ip_masq_quake 26000,27000,27910,27960
#echo "1" > /proc/sys/net/ipv4/ip_always_defrag
#echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#echo "1" > /proc/sys/net/ipv4/ip_forward

echo Setting Loopback Rules - Allow All
ipchains -A input -i $LPB -j ACCEPT
ipchains -A output -i $LPB -j ACCEPT

#Allow your machine to send data to *ANYWHERE* on *ANY* port
ipchains -A output -i $EXT -s $EXTIP -d $ANY -j ACCEPT

#Allow incoming traffic
ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 22 -j ACCEPT
ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 80 -j ACCEPT
ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 443 -j ACCEPT

#If you want to see the traffic that makes it pass
#the Firewall (denied traffic) then uncomment these
#lines.

#ipchains -A input -i $ANY -j DENY -l
#ipchains -A output -i $ANY -j DENY -l

#use tail -f /var/log/messages to check the messages
#I would disable it because your logs might fill up quickly !


At 05:42 PM 1/2/2002 +0200, you wrote:
>Hello James,
>
>Ok here goes and this is from the top of my head so please use
>"plug-and-prey"
>
>create a file called /etc/rc.d/rc.firewall
>
>Edit rc.local and below fi add
>/etc/rc.d/rc.firewall
>
>Edit rc.firewall and add the following lines
>--snip--
>echo Loading IPChains
>insmod ipchains
>echo Settings Vars
>
>#NICs
>ANY="any/0"
>EXT="eth0"
>LPB="lo"
>
>#IP Address
>EXTIP="192.168.0.1"
>
>#IP Ranges
>EXTLAN="192.168.0.0/24"
>
>PRIVPORTS="0:1023"
>UNPRIVPORTS="1024:65535"
>ALLPORTS="0:65535"
>
>#Darn Rulz !!! - For some people grin
>
>echo Clearing Firewall Rulz
>ipchains -F
>
>echo Setting Default Rulz - Deny All
>ipchains -P input DENY
>ipchains -P output DENY
>ipchains -P forward DENY
>
>echo Setting IP Kernel Options and Loading Modules - If you want to
>depmod -a
>modprobe ip_masq_ftp
>modprobe ip_masq_raudio
>modprobe ip_masq_quake 26000,27000,27910,27960
>echo "1" > /proc/sys/net/ipv4/ip_always_defrag
>echo "1" > /proc/sys/net/ipv4/tcp_syncookies
>echo "1" > /proc/sys/net/ipv4/ip_forward
>
>echo Setting Loopback Rulz - Allow All
>ipchains -A input -i $LPB -j ACCEPT
>ipchains -A output -i $LPB -j ACCEPT
>
>#Allow your machine to send data to *ANYWHERE* on *ANY* port
>ipchains -A output -i $EXT -s $EXTIP -d $ANY -j ACCEPT
>
>#Allow incoming traffic
>ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 22 -j ACCEPT
>ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 80 -j ACCEPT
>ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 443 -j ACCEPT
>
>#If you want to see the traffic that makes it pass
>#the Firewall (denied traffic) then uncomment these
>#lines.
>
>#ipchains -A input -i $ANY -j DENY -l
>#ipchains -A output -i $ANY -j DENY -l
>
>#use tail -f /var/log/messages to check the messages
>#I would disable it because your logs might fill up quickly !
>--snip--
>
>to start the firewall once you are on the box and haven't rebooted, type /etc/rc
>This should do what you want. Sorry I don't know the firewall-config-tool !
>
>Cheers,
>
>Pieter De Wit
>
>-----Original Message-----
>From: James Pifer [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, January 02, 2002 2:51 PM
>To: [EMAIL PROTECTED]
>Subject: firewall-config tool
>
>
>Is anyone familiar with the firewall-config tool that comes installed with
>7.2? I have a system that I need to put on the internet so obviously I need
>to lock it down. I only want the following incoming ports open: 22, 80, and
>443. When on the machine, either on the console or through an x-session,  I
>want it to have no restrictions going out. I've shut all the services down
>that I could, but I'd still like to lock it down as an extra safety measure.
>
>It's not a firewall and has only one NIC. I'm trying to use the
>firewall-config tool to configure it, but it doesn't look right to me when
>I do ipchains -L. I'd be happy to send screen shots of the firewall-config
>settings directly to anyone if that will help.
>
>I'm also not sure what options I should use on the Options tab.
>
>Here's the ipchains -L output:
>[root]# ipchains -L
>Chain input (policy ACCEPT):
>target     prot opt     source                destination           ports
>icmp       icmp ------  anywhere             anywhere              any ->   any
>ACCEPT     tcp  ------  anywhere             anywhere              any ->   any
>ACCEPT     udp  ------  anywhere             anywhere              any ->   any
>ACCEPT     tcp  ------  anywhere             anywhere              ssh ->   ssh
>ACCEPT     udp  ------  anywhere             anywhere              ssh ->   ssh
>ACCEPT     tcp  ------  anywhere             anywhere              http ->   http
>ACCEPT     udp  ------  anywhere             anywhere              http ->   http
>ACCEPT     tcp  ------  anywhere             anywhere              https ->   https
>ACCEPT     udp  ------  anywhere             anywhere              https ->   https
>REJECT     tcp  ------  anywhere             anywhere              any ->   any
>REJECT     udp  ------  anywhere             anywhere              any ->   any
>Chain forward (policy DENY):
>Chain output (policy ACCEPT):
>Chain icmp (1 references):
>target     prot opt     source                destination           ports
>ACCEPT     icmp ------  anywhere             anywhere              destination-unreachable
>ACCEPT     icmp ------  anywhere             anywhere              source-quench
>ACCEPT     icmp ------  anywhere             anywhere              time-exceeded
>ACCEPT     icmp ------  anywhere             anywhere              parameter-problem
>ACCEPT     icmp ------  anywhere             anywhere              echo-request
>ACCEPT     icmp ------  anywhere             anywhere              echo-reply
>DENY       all  ------  anywhere             anywhere              n/a
>[root]#
>
>My first rule is that I allow 192.168.1.8(the current Ip address of the
>machine itself) to go anywhere. Eventually this will get changed to a real
>internet address. Instead of listing the ip address I entered, ipchains -L
>has "any" for the source. It looks wide open to me based on the second and
>third rule listed.
>
>Any help on this is greatly appreciated.
>
>James
>



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
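The rule set below is an added example, not James's or Pieter's script. It shows why the script above leaves the box unable to browse, ftp or ping even though outbound is wide open: ipchains is stateless, and with a DENY input policy nothing lets the replies to the host's own outbound connections back in. Only new connections to 22, 80 and 443 are accepted, so the SYN/ACK from a web server, a DNS answer on UDP 53 and an ICMP echo-reply are all dropped on the input chain. The example also covers the two follow-up questions: a port range is written 10000:10500, exactly as in James's proposed rule, and a virtual IP simply gets the same set of rules, so the function loops over every local address. IPCHAINS defaults to echo, so the commands are printed rather than installed; the interface, addresses and ports are constructed values.

```shell
#!/bin/sh
# Added example (not the thread's own rc.firewall): emits the ipchains rule
# set for a single-NIC host with default DENY policies, including the reply
# rules that the script in the thread lacks. IPCHAINS defaults to
# "echo ipchains" so the rules are printed; set IPCHAINS=ipchains to apply.
IPCHAINS="${IPCHAINS:-echo ipchains}"

EXT="eth0"            # constructed: external interface
LPB="lo"
ANY="any/0"
UNPRIVPORTS="1024:65535"

# emit_rules <interface> "<local IPs>" "<inbound TCP ports or ranges>"
# Every local address (the primary IP and each virtual IP) gets the same rules.
emit_rules() {
    iface="$1"; ips="$2"; inports="$3"

    $IPCHAINS -F
    $IPCHAINS -P input DENY
    $IPCHAINS -P output DENY
    $IPCHAINS -P forward DENY

    # Loopback: unrestricted.
    $IPCHAINS -A input  -i "$LPB" -j ACCEPT
    $IPCHAINS -A output -i "$LPB" -j ACCEPT

    for ip in $ips; do
        # Outbound: this host may talk to anywhere on any port.
        $IPCHAINS -A output -i "$iface" -s "$ip" -d "$ANY" -j ACCEPT

        # Inbound services: new TCP connections only to the listed ports.
        # A range such as 10000:10500 is accepted in the same position.
        for p in $inports; do
            $IPCHAINS -A input -i "$iface" -p tcp -s "$ANY" "$UNPRIVPORTS" \
                -d "$ip" "$p" -j ACCEPT
        done

        # Replies to connections this host opened. ipchains keeps no state,
        # so "! -y" (not a SYN-only packet) is the only way to express
        # "not a new connection". Without this rule every outbound TCP
        # session stalls on the returning SYN/ACK.
        $IPCHAINS -A input -i "$iface" -p tcp ! -y -s "$ANY" -d "$ip" "$UNPRIVPORTS" -j ACCEPT

        # DNS answers (UDP 53 -> our ephemeral port); nothing resolves without this.
        $IPCHAINS -A input -i "$iface" -p udp -s "$ANY" 53 -d "$ip" "$UNPRIVPORTS" -j ACCEPT

        # ICMP: echo-reply so ping works, plus the error types TCP relies on.
        # The ICMP type goes in the source-port position, as in the -L listing.
        for t in echo-reply destination-unreachable time-exceeded source-quench parameter-problem; do
            $IPCHAINS -A input -i "$iface" -p icmp -s "$ANY" "$t" -d "$ip" -j ACCEPT
        done
    done

    # Log whatever falls through so the effect of the rules is visible in
    # /var/log/messages while testing.
    $IPCHAINS -A input  -i "$iface" -j DENY -l
    $IPCHAINS -A output -i "$iface" -j DENY -l
}

# Usage: primary IP plus one virtual IP (constructed), the three service
# ports from the thread, and the 10000-10500 range James asked about.
emit_rules "$EXT" "192.168.1.8 192.168.1.9" "22 80 443 10000:10500"
```

Passive-mode FTP works through the `! -y` rule because the client opens both connections; active mode would need inbound SYNs from port 20 accepted, which this example deliberately does not open. Note that EXTLAN is still unused here, as it was in the original: on a single-NIC host with no forwarding there is nothing for a LAN range to match against.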
