[OLUG] [ot] ipchains and internet

ktb xyf at inetnebr.com
Fri Mar 10 02:43:45 UTC 2000 

----- Original Message -----
From: puzzled <puzzled at home.com>
To: <olug at bstc.net>
Sent: Thursday, March 09, 2000 8:31 AM
Subject: Re: [OLUG] [ot] ipchains and internet


>
>   go to www.freshmeat.net and search for pmfirewall. Install this package
and
> examine what it does ... its the best route I know to a solid firewall
ruleset.

I installed pmfirewall already, thought I could get an understanding but I
kept getting 'Chain name doesn't exist' (or something like that) errors.  I
would like to learn how to write chains anyway so I got rid of the program.

> Understand that the odds of you experiencing any trouble with a dial in
> connection are slightly less than zero. I am a channel operator for #hack
on
> undernet and I backhand script kiddies on a regular basis with kick/ban
and
> some times I'm in the mood for testing whats on packetstorm and they make
good
> guinea pigs - I pretty much court disaster from the same static IP on a
regular
> basis and I've only had serious trouble once or twice and then it only
comes
> from the other @s on the channel.

Ok, I'm just interested and want to learn more about Internet security and
at some point I would like to have my own server on the net.  I'm not
paranoid yet:)

<snip>

I've been messing with the chains still to no avail.  If I set 'input,
output and forward'  to ACCEPT I can log into the Internet and view web
pages through Squid on another machine just fine.  But when I set everything
to DENY and REJECT and then set up rules to access the Internet I can't.  I
can log onto the Internet but I can't ping my isp or view the web with Lynx
from my firewall even though I am online.  What am I missing?  I set
everything up as you suggested in the last message and I can't ping or
anything.  I've also seen another set of rules online that I tried to follow
and still can't ping or use lynx.  The new script is below.  I have also
tried substituting port 80 with "www" and port 443 with "https"
Thanks,
kent

----------------------------------------------------------------------------
---
ipchains -F input
ipchains -F output
ipchains -F forward

ipchains -P input   DENY
ipchains -P output  REJECT
ipchains -P forward REJECT

# www set to fast
ipchains -A output -i ppp0 -p tcp -d 0/0 80 -t 0x01 0x10

# Allow outgoing packets
ipchains -A output -i ppp0 -p tcp -s 192.168.10.1 1024: -d 0/0 80 -j ACCEPT
ipchains -A output -i ppp0 -p tcp -s 192.168.10.1 1024: -d 0/0 443 -j ACCEPT

# Allow returning packets
ipchains -A input -i ppp0 -p tcp ! -y -s 0/0 80 -d 192.168.10.1 1024: -j
ACCEPT
ipchains -A input -i ppp0 -p tcp ! -y -s 0/0 443 -d 192.168.10.1 1024: -j
ACCEPT

ipchains -A output -i ppp0 -p tcp -s 192.168.10.1 1024: -d 0/0 1024:65535 -j
ACCEPT
ipchains -A input -i ppp0 -p tcp ! -y -s 0/0 1024:65535 -d 192.168.10.1
1024:65535 -j ACCEPT

# DNS
ipchains -A output -i ppp0 -p udp -s 192.168.10.1 -d xxx.xxx.xxx.x domain -j
ACCEPT  # xxx.xxx.xxx.x my isp's DNS
ipchains -A input -i ppp0 -p udp -s xxx.xxx.xxx.x -d 192.168.10.1 1024: -j
ACCEPT

ipchains -A input -i ppp0 -p icmp -s 0/0 0 -j ACCEPT
ipchains -A input -i ppp0 -p icmp -s 0/0 3 -j ACCEPT
ipchains -A input -i ppp0 -p icmp -s 0/0 4 -j ACCEPT
ipchains -A input -i ppp0 -p icmp -s 0/0 11 -j ACCEPT
ipchains -A input -i ppp0 -p icmp -s 0/0 12 -j ACCEPT





-------------------------------------------------------------------------
Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/ 
To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net`

More information about the OLUG mailing list