Hello James,

1) Ok you got me on the EXTLAN (sorry) You can take it out

2) Yes, that means that someone will be able to connect to port 10000-10500 from the outside

What does tail -f /var/log/messages give you when you try to connect ?

Try ipchains -A output -j ACCEPT <-- Very bad I know but let's try

Cheers,
Pieter

----- Original Message -----
From: "James Pifer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 02, 2002 6:33 PM
Subject: RE: firewall-config tool

> Pieter,
>
> Based on your message here's what I have. Problem is I still can't do
> anything from the local machine. Can't www, ftp, ping, etc. Can you take a
> quick look?
>
> Couple other questions:
> -What is EXTLAN? Doesn't appear to be used anywhere.
>
> -If I wanted to open up some specific ports, like 10000-10500, would this
> be correct?
> -ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 10000:10500 -j ACCEPT
>
> -What about Virtual IPs? Let's say I have a virtual IP of 192.168.1.9. Just
> add another set of rules for each?
>
> Thanks,
> James
>
>
> echo Loading IPChains
> insmod ipchains
> echo Settings Vars
>
> #NICs
> ANY="any/0"
> EXT="eth0"
> LPB="lo"
>
> #IP Address
> EXTIP="192.168.1.8"
>
> #IP Ranges
> EXTLAN="192.168.1.0/24"
>
> PRIVPORTS="0:1023"
> UNPRIVPORTS="1024:65535"
> ALLPORTS="0:65535"
>
> echo Clearing Firewall Rules
> ipchains -F
>
> echo Setting Default Rules - Deny All
> ipchains -P input DENY
> ipchains -P output DENY
> ipchains -P forward DENY
>
> #echo Setting IP Kernel Options and Loading Modules - If you want to
> #depmod -a
> #modprobe ip_masq_ftp
> #modprobe ip_masq_raudio
> #modprobe ip_masq_quake 26000,27000,27910,27960
> #echo "1" > /proc/sys/net/ipv4/ip_always_defrag
> #echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> #echo "1" > /proc/sys/net/ipv4/ip_forward
>
> echo Setting Loopback Rules - Allow All
> ipchains -A input -i $LPB -j ACCEPT
> ipchains -A output -i $LPB -j ACCEPT
>
> #Allow your machine to send data to *ANYWHERE* on *ANY* port
> ipchains -A output -i $EXT -s $EXTIP -d $ANY -j ACCEPT
>
> #Allow incoming traffic
> ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 22 -j ACCEPT
> ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 80 -j ACCEPT
> ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 443 -j ACCEPT
>
> #If you want to see the traffic that makes it pass
> #the Firewall (denied traffic) then uncomment these
> #lines.
>
> #ipchains -A input -i $ANY -j DENY -l
> #ipchains -A output -i $ANY -j DENY -l
>
> #use tail -f /var/log/messages to check the messages
> #I would disable it because your logs might fill up quickly !
>
>
> At 05:42 PM 1/2/2002 +0200, you wrote:
> >Hello James,
> >
> >Ok here goes and this is from the top of my head so please use
> >"plug-and-prey"
> >
> >create a file called /etc/rc.d/rc.firewall
> >
> >Edit rc.local and below fi add
> >/etc/rc.d/rc.firewall
> >
> >Edit rc.firewall and add the following lines
> >--snip--
> >echo Loading IPChains
> >insmod ipchains
> >echo Settings Vars
> >
> >#NICs
> >ANY="any/0"
> >EXT="eth0"
> >LPB="lo"
> >
> >#IP Address
> >EXTIP="192.168.0.1"
> >
> >#IP Ranges
> >EXTLAN="192.168.0.0/24"
> >
> >PRIVPORTS="0:1023"
> >UNPRIVPORTS="1024:65535"
> >ALLPORTS="0:65535"
> >
> >#Darn Rulz !!! - For some people grin
> >
> >echo Clearing Firewall Rulz
> >ipchains -F
> >
> >echo Setting Default Rulz - Deny All
> >ipchains -P input DENY
> >ipchains -P output DENY
> >ipchains -P forward DENY
> >
> >echo Setting IP Kernel Options and Loading Modules - If you want to
> >depmod -a
> >modprobe ip_masq_ftp
> >modprobe ip_masq_raudio
> >modprobe ip_masq_quake 26000,27000,27910,27960
> >echo "1" > /proc/sys/net/ipv4/ip_always_defrag
> >echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> >echo "1" > /proc/sys/net/ipv4/ip_forward
> >
> >echo Setting Loopback Rulz - Allow All
> >ipchains -A input -i $LPB -j ACCEPT
> >ipchains -A output -i $LPB -j ACCEPT
> >
> >#Allow your machine to send data to *ANYWHERE* on *ANY* port
> >ipchains -A output -i $EXT -s $EXTIP -d $ANY -j ACCEPT
> >
> >#Allow incoming traffic
> >ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 22 -j ACCEPT
> >ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 80 -j ACCEPT
> >ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 443 -j ACCEPT
> >
> >#If you want to see the traffic that makes it pass
> >#the Firewall (denied traffic) then uncomment these
> >#lines.
> >
> >#ipchains -A input -i $ANY -j DENY -l
> >#ipchains -A output -i $ANY -j DENY -l
> >
> >#use tail -f /var/log/messages to check the messages
> >#I would disable it because your logs might fill up quickly !
> >--snip--
> >
> >to start the firewall once you're on the box and haven't rebooted, type /etc/rc
> >This should do what you want. Sorry I don't know the firewall-config-tool !
> >
> >Cheers,
> >
> >Pieter De Wit
> >
> >-----Original Message-----
> >From: James Pifer [mailto:[EMAIL PROTECTED]]
> >Sent: Wednesday, January 02, 2002 2:51 PM
> >To: [EMAIL PROTECTED]
> >Subject: firewall-config tool
> >
> >
> >Is anyone familiar with the firewall-config tool that comes installed with
> >7.2? I have a system that I need to put on the internet so obviously I need
> >to lock it down. I only want the following incoming ports open: 22, 80, and
> >443. When on the machine, either on the console or through an x-session, I
> >want it to have no restrictions going out. I've shut all the services down
> >that I could, but I'd still like to lock it down as an extra safety measure.
> >
> >It's not a firewall and has only one NIC. I'm trying to use the
> >firewall-config tool to configure it, but it doesn't look right to me when
> >I do ipchains -L. I'd be happy to send screen shots of the firewall-config
> >settings directly to anyone if that will help.
> >
> >I'm also not sure what options I should use on the Options tab.
> >
> >Here's the ipchains -L output:
> >[root]# ipchains -L
> >Chain input (policy ACCEPT):
> >target prot opt    source   destination ports
> >icmp   icmp ------ anywhere anywhere    any -> any
> >ACCEPT tcp  ------ anywhere anywhere    any -> any
> >ACCEPT udp  ------ anywhere anywhere    any -> any
> >ACCEPT tcp  ------ anywhere anywhere    ssh -> ssh
> >ACCEPT udp  ------ anywhere anywhere    ssh -> ssh
> >ACCEPT tcp  ------ anywhere anywhere    http -> http
> >ACCEPT udp  ------ anywhere anywhere    http -> http
> >ACCEPT tcp  ------ anywhere anywhere    https -> https
> >ACCEPT udp  ------ anywhere anywhere    https -> https
> >REJECT tcp  ------ anywhere anywhere    any -> any
> >REJECT udp  ------ anywhere anywhere    any -> any
> >Chain forward (policy DENY):
> >Chain output (policy ACCEPT):
> >Chain icmp (1 references):
> >target prot opt    source   destination ports
> >ACCEPT icmp ------ anywhere anywhere    destination-unreachable
> >ACCEPT icmp ------ anywhere anywhere    source-quench
> >ACCEPT icmp ------ anywhere anywhere    time-exceeded
> >ACCEPT icmp ------ anywhere anywhere    parameter-problem
> >ACCEPT icmp ------ anywhere anywhere    echo-request
> >ACCEPT icmp ------ anywhere anywhere    echo-reply
> >DENY   all  ------ anywhere anywhere    n/a
> >[root]#
> >
> >My first rule is that I allow 192.168.1.8 (the current IP address of the
> >machine itself) to go anywhere. Eventually this will get changed to a real
> >internet address. Instead of listing the ip address I entered, ipchains -L
> >has "any" for the source. It looks wide open to me based on the second and
> >third rule listed.
> >
> >Any help on this is greatly appreciated.
> >
> >James
> >
> >
> >_______________________________________________
> >Redhat-list mailing list
> >[EMAIL PROTECTED]
> >https://listman.redhat.com/mailman/listinfo/redhat-list
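The rule set quoted in this thread sets the input policy to DENY and accepts only destination ports 22, 80 and 443, while ipchains filters each direction statelessly; a reply from a remote web server or DNS resolver is therefore judged by the input chain on its own and falls through to DENY, which is consistent with the "can't www, ftp, ping" symptom. The following is an added example, not code from the thread: a small Python model of first-match chain evaluation over the posted input chain, beside a variant that also admits non-SYN TCP and UDP replies to unprivileged ports (the `! -y` match and the $EXT/$EXTIP/$ANY variable names are taken from ipchains and the thread; interface and address matching are assumed to succeed, and ICMP echo-reply for ping is not modelled).

```python
# Added example (not from the thread): a tiny model of ipchains first-match
# evaluation for the input chain, showing why the posted rules let the host
# open connections but deny the replies. Interface/address matching is
# assumed to succeed; only protocol, destination port and SYN are modelled.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    proto: Optional[str]       # "tcp", "udp" or None for any protocol
    dports: Tuple[int, int]    # destination port range, inclusive
    syn: Optional[bool]        # True = "-y" (SYN only), False = "! -y", None = any
    target: str

@dataclass
class Packet:
    proto: str
    sport: int
    dport: int
    syn: bool = False  # SYN set with ACK/FIN clear, i.e. a new connection attempt

def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule wins; otherwise the chain's policy applies."""
    for r in chain:
        if (r.proto in (None, pkt.proto)
                and r.dports[0] <= pkt.dport <= r.dports[1]
                and r.syn in (None, pkt.syn)):
            return r.target
    return policy

def to_ipchains(r: Rule) -> str:
    """Render a Rule in the thread's ipchains style (assumed rendering, not posted)."""
    proto = f"-p {r.proto} " if r.proto else ""
    syn = "" if r.syn is None else ("-y " if r.syn else "! -y ")
    lo, hi = r.dports
    ports = f"{lo}:{hi}" if lo != hi else str(lo)
    return f"ipchains -A input -i $EXT {proto}{syn}-s $ANY -d $EXTIP {ports} -j {r.target}"

# The input chain as posted: the three services only, policy DENY.
POSTED_INPUT = [Rule("tcp", (p, p), None, "ACCEPT") for p in (22, 80, 443)]

# Same chain plus rules admitting replies to connections this host opened:
# non-SYN TCP and UDP (e.g. DNS answers) to unprivileged ports. A fresh
# inbound SYN to an unlisted port still matches nothing and is denied.
HARDENED_INPUT = POSTED_INPUT + [
    Rule("tcp", (1024, 65535), False, "ACCEPT"),
    Rule("udp", (1024, 65535), None, "ACCEPT"),
]

if __name__ == "__main__":
    web_reply = Packet("tcp", sport=80, dport=40000)           # SYN/ACK from a web server
    print("posted:", evaluate(POSTED_INPUT, web_reply))        # DENY
    print("hardened:", evaluate(HARDENED_INPUT, web_reply))    # ACCEPT
    print("\n".join(to_ipchains(r) for r in HARDENED_INPUT[3:]))
```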