I didn't get anything, but I'm not sure that I did it correctly. I opened a Terminal window and ran tail -f /var/log/messages.
I then ran Konqueror and tried to hit a web site. Couldn't connect in the browser and the log didn't show anything. I also tried "ipchains -A output -j ACCEPT" and it still didn't work. After doing that here's what ipchains -L looks like:

Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  anywhere              anywhere              n/a
ACCEPT     tcp  ------  anywhere              192.168.1.8           1024:65535 ->   ssh
ACCEPT     tcp  ------  anywhere              192.168.1.8           1024:65535 ->   http
ACCEPT     tcp  ------  anywhere              192.168.1.8           1024:65535 ->   https
Chain forward (policy DENY):
Chain output (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  anywhere              anywhere              n/a
ACCEPT     all  ------  anywhere              anywhere              n/a
Chain icmp (0 references):

Thanks,
James

At 06:38 PM 1/2/2002 +0200, you wrote:
>Hello James,
>
>1) Ok you got me on the EXTLAN (sorry) You can take it out
>
>2) Yes, that means that someone will be able to connect to port 10000-10500
>from the outside
>
>What does tail -f /var/log/messages give you when you try to connect ?
>
>Try ipchains -A output -j ACCEPT <-- Very bad I know but lets try
>
>Cheers,
>
>Pieter
>
>----- Original Message -----
>From: "James Pifer" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Wednesday, January 02, 2002 6:33 PM
>Subject: RE: firewall-config tool
>
>
> > Pieter,
> >
> > Based on your message here's what I have. Problem is I still can't do
> > anything from the local machine. Can't www, ftp, ping, etc. Can you take a
> > quick look?
> >
> > Couple other questions:
> > -What is EXTLAN? Doesn't appear to be used anywhere.
> >
> > -If I wanted to open up some specific ports, like 10000-10500, would this
> > be correct?
> > -ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 10000:10500 -j ACCEPT
> >
> > -What about Virtual IPs? Let's say I have a virtual IP of 192.168.1.9. Just
> > add another set of rules for each?
> >
> > Thanks,
> > James
> >
> >
> > echo Loading IPChains
> > insmod ipchains
> > echo Settings Vars
> >
> > #NICs
> > ANY="any/0"
> > EXT="eth0"
> > LPB="lo"
> >
> > #IP Address
> > EXTIP="192.168.1.8"
> >
> > #IP Ranges
> > EXTLAN="192.168.1.0/24"
> >
> > PRIVPORTS="0:1023"
> > UNPRIVPORTS="1024:65535"
> > ALLPORTS="0:65535"
> >
> > echo Clearing Firewall Rules
> > ipchains -F
> >
> > echo Setting Default Rules - Deny All
> > ipchains -P input DENY
> > ipchains -P output DENY
> > ipchains -P forward DENY
> >
> > #echo Setting IP Kernel Options and Loading Modules - If you want to
> > #depmod -a
> > #modprobe ip_masq_ftp
> > #modprobe ip_masq_raudio
> > #modprobe ip_masq_quake 26000,27000,27910,27960
> > #echo "1" > /proc/sys/net/ipv4/ip_always_defrag
> > #echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> > #echo "1" > /proc/sys/net/ipv4/ip_forward
> >
> > echo Setting Loopback Rules - Allow All
> > ipchains -A input -i $LPB -j ACCEPT
> > ipchains -A output -i $LPB -j ACCEPT
> >
> > #Allow your machine to send data to *ANYWHERE* on *ANY* port
> > ipchains -A output -i $EXT -s $EXTIP -d $ANY -j ACCEPT
> >
> > #Allow incoming traffic
> > ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 22 -j ACCEPT
> > ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 80 -j ACCEPT
> > ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 443 -j ACCEPT
> >
> > #If you want to see the traffic that makes it pass
> > #the Firewall (denied traffic) then uncomment these
> > #lines.
> >
> > #ipchains -A input -i $ANY -j DENY -l
> > #ipchains -A output -i $ANY -j DENY -l
> >
> > #use tail -f /var/log/messages to check the messages
> > #I would disable it because your logs might fill up quickly !
> >
> >
> > At 05:42 PM 1/2/2002 +0200, you wrote:
> > >Hello James,
> > >
> > >Ok here goes and this is from the top of my head so please use
> > >"plug-and-prey"
> > >
> > >create a file called /etc/rc.d/rc.firewall
> > >
> > >Edit rc.local and below fi add
> > >/etc/rc.d/rc.firewall
> > >
> > >Edit rc.firewall and add the following lines
> > >--snip--
> > >echo Loading IPChains
> > >insmod ipchains
> > >echo Settings Vars
> > >
> > >#NICs
> > >ANY="any/0"
> > >EXT="eth0"
> > >LPB="lo"
> > >
> > >#IP Address
> > >EXTIP="192.168.0.1"
> > >
> > >#IP Ranges
> > >EXTLAN="192.168.0.0/24"
> > >
> > >PRIVPORTS="0:1023"
> > >UNPRIVPORTS="1024:65535"
> > >ALLPORTS="0:65535"
> > >
> > >#Darn Rulz !!! - For some people grin
> > >
> > >echo Clearing Firewall Rulz
> > >ipchains -F
> > >
> > >echo Setting Default Rulz - Deny All
> > >ipchains -P input DENY
> > >ipchains -P output DENY
> > >ipchains -P forward DENY
> > >
> > >echo Setting IP Kernel Options and Loading Modules - If you want to
> > >depmod -a
> > >modprobe ip_masq_ftp
> > >modprobe ip_masq_raudio
> > >modprobe ip_masq_quake 26000,27000,27910,27960
> > >echo "1" > /proc/sys/net/ipv4/ip_always_defrag
> > >echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> > >echo "1" > /proc/sys/net/ipv4/ip_forward
> > >
> > >echo Setting Loopback Rulz - Allow All
> > >ipchains -A input -i $LPB -j ACCEPT
> > >ipchains -A output -i $LPB -j ACCEPT
> > >
> > >#Allow your machine to send data to *ANYWHERE* on *ANY* port
> > >ipchains -A output -i $EXT -s $EXTIP -d $ANY -j ACCEPT
> > >
> > >#Allow incoming traffic
> > >ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 22 -j ACCEPT
> > >ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 80 -j ACCEPT
> > >ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 443 -j ACCEPT
> > >
> > >#If you want to see the traffic that makes it pass
> > >#the Firewall (denied traffic) then uncomment these
> > >#lines.
> > >
> > >#ipchains -A input -i $ANY -j DENY -l
> > >#ipchains -A output -i $ANY -j DENY -l
> > >
> > >#use tail -f /var/log/messages to check the messages
> > >#I would disable it because your logs might fill up quickly !
> > >--snip--
> > >
> > >to start the firewall once you're on the box and haven't rebooted type /etc/rc
> > >This should do what you want. Sorry I don't know the firewall-config-tool !
> > >
> > >Cheers,
> > >
> > >Pieter De Wit
> > >
> > >-----Original Message-----
> > >From: James Pifer [mailto:[EMAIL PROTECTED]]
> > >Sent: Wednesday, January 02, 2002 2:51 PM
> > >To: [EMAIL PROTECTED]
> > >Subject: firewall-config tool
> > >
> > >
> > >Is anyone familiar with the firewall-config tool that comes installed with
> > >7.2? I have a system that I need to put on the internet so obviously I need
> > >to lock it down. I only want the following incoming ports open: 22, 80, and
> > >443. When on the machine, either on the console or through an x-session, I
> > >want it to have no restrictions going out. I've shut all the services down
> > >that I could, but I'd still like to lock it down as an extra safety measure.
> > >
> > >It's not a firewall and has only one NIC. I'm trying to use the
> > >firewall-config tool to configure it, but it doesn't look right to me when
> > >I do ipchains -L. I'd be happy to send screen shots of the firewall-config
> > >settings directly to anyone if that will help.
> > >
> > >I'm also not sure what options I should use on the Options tab.
> > >
> > >Here's the ipchains -L output:
> > >[root]# ipchains -L
> > >Chain input (policy ACCEPT):
> > >target     prot opt     source                destination           ports
> > >icmp       icmp ------  anywhere              anywhere              any ->   any
> > >ACCEPT     tcp  ------  anywhere              anywhere              any ->   any
> > >ACCEPT     udp  ------  anywhere              anywhere              any ->   any
> > >ACCEPT     tcp  ------  anywhere              anywhere              ssh ->   ssh
> > >ACCEPT     udp  ------  anywhere              anywhere              ssh ->   ssh
> > >ACCEPT     tcp  ------  anywhere              anywhere              http ->   http
> > >ACCEPT     udp  ------  anywhere              anywhere              http ->   http
> > >ACCEPT     tcp  ------  anywhere              anywhere              https ->   https
> > >ACCEPT     udp  ------  anywhere              anywhere              https ->   https
> > >REJECT     tcp  ------  anywhere              anywhere              any ->   any
> > >REJECT     udp  ------  anywhere              anywhere              any ->   any
> > >Chain forward (policy DENY):
> > >Chain output (policy ACCEPT):
> > >Chain icmp (1 references):
> > >target     prot opt     source                destination           ports
> > >ACCEPT     icmp ------  anywhere              anywhere              destination-unreachable
> > >ACCEPT     icmp ------  anywhere              anywhere              source-quench
> > >ACCEPT     icmp ------  anywhere              anywhere              time-exceeded
> > >ACCEPT     icmp ------  anywhere              anywhere              parameter-problem
> > >ACCEPT     icmp ------  anywhere              anywhere              echo-request
> > >ACCEPT     icmp ------  anywhere              anywhere              echo-reply
> > >DENY       all  ------  anywhere              anywhere              n/a
> > >[root]#
> > >
> > >My first rule is that I allow 192.168.1.8 (the current IP address of the
> > >machine itself) to go anywhere. Eventually this will get changed to a real
> > >internet address. Instead of listing the ip address I entered, ipchains -L
> > >has "any" for the source. It looks wide open to me based on the second and
> > >third rule listed.
> > >
> > >Any help on this is greatly appreciated.
> > >
> > >James
> > >
> > >
> > >_______________________________________________
> > >Redhat-list mailing list
> > >[EMAIL PROTECTED]
> > >https://listman.redhat.com/mailman/listinfo/redhat-list
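Added example, not part of the thread: a small Python model of ipchains' stateless first-match evaluation, loaded with the input chain James posted (interface and loopback rule left out; one external NIC assumed). It shows why the box can serve port 80 but cannot browse: a reply from a remote web server arrives with source port 80 and a destination port in 1024:65535, no input rule matches it, and the DENY policy drops it. The extra rule in FIXED_INPUT_CHAIN is a hypothetical addition, modelled on ipchains' "! -y" (non-SYN packets only), which admits such replies without opening the high ports to new connections.

```python
"""Constructed model of ipchains' stateless first-match evaluation over the
input chain posted in this thread (interface and loopback rule omitted)."""
from dataclasses import dataclass
from typing import Optional, Tuple

EXTIP = "192.168.1.8"            # EXTIP from James' script
UNPRIVPORTS = (1024, 65535)      # UNPRIVPORTS="1024:65535"
ALLPORTS = (0, 65535)            # ALLPORTS="0:65535"

@dataclass
class Rule:
    proto: str                   # "all" or "tcp"
    dst: Optional[str]           # None means "anywhere"
    sport: Tuple[int, int]       # source port range
    dport: Tuple[int, int]       # destination port range
    not_syn: bool = False        # models ipchains "! -y": non-SYN packets only
    target: str = "ACCEPT"

# The input chain as James posted it: new connections to 22/80/443 only.
INPUT_CHAIN = [
    Rule("tcp", EXTIP, UNPRIVPORTS, (22, 22)),
    Rule("tcp", EXTIP, UNPRIVPORTS, (80, 80)),
    Rule("tcp", EXTIP, UNPRIVPORTS, (443, 443)),
]

# Hypothetical extra rule (not from the thread): admit replies to the box's own
# outbound connections, but only non-SYN packets, so the high ports stay closed
# to new connections. The ipchains equivalent would be:
#   ipchains -A input -i $EXT -p tcp ! -y -s $ANY -d $EXTIP $UNPRIVPORTS -j ACCEPT
FIXED_INPUT_CHAIN = INPUT_CHAIN + [
    Rule("tcp", EXTIP, ALLPORTS, UNPRIVPORTS, not_syn=True),
]

def evaluate(chain, proto, dst, sport, dport, syn, policy="DENY"):
    """Target of the first matching rule, else the chain policy (DENY here).
    ipchains keeps no connection state: every packet is judged on its own."""
    for r in chain:
        if r.proto not in ("all", proto):
            continue
        if r.dst is not None and r.dst != dst:
            continue
        if not (r.sport[0] <= sport <= r.sport[1]):
            continue
        if not (r.dport[0] <= dport <= r.dport[1]):
            continue
        if r.not_syn and syn:            # "! -y" never matches a SYN
            continue
        return r.target
    return policy
```

Because rules match on the destination address, a second set is needed for each extra IP such as the virtual 192.168.1.9 James asks about; the model returns DENY for that address until rules for it are added.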