-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
DISCLAIMER: Comments stated herein may have no basis.
a) read the IPCHAINS-HOWTO
b) get bastille or some other automated script
c) follow the KISS principle
d) figure out what you want to allow, and what you want to deny
A simple script some people use as a base to improve upon is this. It is by no means
complete and could be a lot tighter, but it should suffice to start off on.
--- cut here ----
#!/bin/sh
# stop IP spoofing: drop packets arriving on an interface the kernel would
# not use to route a reply back to their source address
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
# default DENY ALL policy
/sbin/ipchains -P input DENY
/sbin/ipchains -P forward DENY
/sbin/ipchains -P output DENY
# Flush and remove any existing chains
/sbin/ipchains -F
/sbin/ipchains -X
# Insert blocks to protect while the chains are implemented: everything
# except loopback is denied until these three rules are deleted at the end
/sbin/ipchains -I input -i ! lo -j DENY
/sbin/ipchains -I forward -i ! lo -j DENY
/sbin/ipchains -I output -i ! lo -j DENY
# Accept local packets
/sbin/ipchains -A input -i lo -j ACCEPT
# Redirect transparent proxy for squid (optional): LAN web traffic bound
# for the outside is handed to the local proxy on port 3128
/sbin/ipchains -A input -p tcp -i eth0 -s 10.0.0.0/24 -d ! 10.0.0.0/24 80 -j REDIRECT 3128
# Accept traffic from eth0 (the LAN side)
/sbin/ipchains -A input -i eth0 -s 10.0.0.0/24 -d 0/0 -j ACCEPT
# ICMP rules: on the dial-up side accept only the error/control types TCP/IP
# needs to work; echo-request is not listed, so outside pings are denied
/sbin/ipchains -A input -i ppp+ -p icmp -s ! 10.0.0.0/24 destination-unreachable -j ACCEPT
/sbin/ipchains -A input -i ppp+ -p icmp -s ! 10.0.0.0/24 source-quench -j ACCEPT
/sbin/ipchains -A input -i ppp+ -p icmp -s ! 10.0.0.0/24 time-exceeded -j ACCEPT
/sbin/ipchains -A input -i ppp+ -p icmp -s ! 10.0.0.0/24 parameter-problem -j ACCEPT
# DNS rules (allow both tcp AND udp): replies coming from remote port 53
/sbin/ipchains -A input -i ppp+ -p udp -s ! 10.0.0.0/24 53 -j ACCEPT
/sbin/ipchains -A input -i ppp+ -p tcp -s ! 10.0.0.0/24 53 -j ACCEPT
# Allows traffic for initiated connections: any TCP packet that is not a
# bare SYN (! -y) is treated as part of a connection this side opened
/sbin/ipchains -A input -i ppp+ -p tcp ! -y -s ! 10.0.0.0/24 -j ACCEPT
# NAT: masquerade LAN hosts talking to the outside
/sbin/ipchains -A forward -s 10.0.0.0/24 -d ! 10.0.0.0/24 -j MASQ
# Allow all out
/sbin/ipchains -P output ACCEPT
# remove the blocks put in earlier (they are rule 1 in each chain)
/sbin/ipchains -D input 1
/sbin/ipchains -D forward 1
/sbin/ipchains -D output 1
# modules for masq (protocol helpers for ftp, irc, etc.)
/sbin/modprobe ip_masq_autofw
/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_mfw
/sbin/modprobe ip_masq_portfw
/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_user
/sbin/modprobe ip_masq_vdolive
--- cut here again ---
> Good Day Everyone!!
>
> I would like to ask about firewalls. Can anyone give me good suggestions on how
> I could implement a firewall on my Linux machine? I don't know what I should
> protect or how to configure it. I have an idea about ipchains. Can anyone help me?
>
> Best Regards
> Glynn S. Condez
> Systems Administrator
>
> ****************************************
> TEXTRON CORPORATION
> Home page: http://www.itextron.com
> email: [EMAIL PROTECTED]
>
> 3rd Floor Textron Building
> 168 Luna Mencias Street
> 1500 San Juan, Metro Manila
>
> Tel : ++ 63 2 726-7701 to 02
> ++ 63 2 718-2222
> Fax: ++ 63 2 724-8121
>
> ****************************************
>
> [To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe
> firewalls" in the body of the message.]
>
--
[mirza sahib] [[EMAIL PROTECTED]] [+923008508070] [islamabad, pk]
gnupg fingerprint 34FC 4DF8 A244 40AD BC5B F210 C4AC C400 57C7 A36E
jack of most trades, master of some... remember, if you please, hurry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE65pkOxKzEAFfHo24RAlpyAJ4yOmcHh3+fzkFePk0HQ3kruL3EJACcClEK
Kkum0mYdi9S1FE5ywU85pew=
=Dvyx
-----END PGP SIGNATURE-----
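As an added illustration of the policy the script above encodes (this is not part of the original post and not the author's code): a small first-match model of the ipchains input chain, evaluated offline against constructed sample packets. The interface names, the 10.0.0.0/24 LAN, the rule order and the default DENY policy are taken from the script; the outside addresses in the samples are constructed documentation ranges, and the model ignores rp_filter, which in the real kernel would already drop the spoofed packet before ipchains sees it.

```python
"""Added example: first-match model of the script's ipchains input chain."""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("10.0.0.0/24")   # from the script


@dataclass
class Packet:
    iface: str                # interface the packet arrived on
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0            # source port (unused for icmp)
    dport: int = 0            # destination port (unused for icmp)
    syn_only: bool = False    # TCP SYN set, ACK/FIN clear (ipchains -y)
    icmp_type: str = ""       # ipchains ICMP type name, e.g. "time-exceeded"


def iface_match(pattern, iface):
    """ipchains 'ppp+' matches any interface whose name starts with 'ppp'."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN


ICMP_ALLOWED = ("destination-unreachable", "source-quench",
                "time-exceeded", "parameter-problem")

# One (matcher, target) pair per rule the script appends to 'input', in order.
INPUT_RULES = [
    # -i lo -j ACCEPT
    (lambda p: p.iface == "lo", "ACCEPT"),
    # -p tcp -i eth0 -s 10.0.0.0/24 -d ! 10.0.0.0/24 80 -j REDIRECT 3128
    (lambda p: p.iface == "eth0" and p.proto == "tcp" and in_lan(p.src)
               and not in_lan(p.dst) and p.dport == 80, "REDIRECT"),
    # -i eth0 -s 10.0.0.0/24 -d 0/0 -j ACCEPT
    (lambda p: p.iface == "eth0" and in_lan(p.src), "ACCEPT"),
    # four ICMP rules: -i ppp+ -p icmp -s ! 10.0.0.0/24 <type> -j ACCEPT
    (lambda p: iface_match("ppp+", p.iface) and p.proto == "icmp"
               and not in_lan(p.src) and p.icmp_type in ICMP_ALLOWED, "ACCEPT"),
    # DNS: -i ppp+ -p udp/tcp -s ! 10.0.0.0/24 53 -j ACCEPT (53 is the SOURCE port)
    (lambda p: iface_match("ppp+", p.iface) and p.proto in ("udp", "tcp")
               and not in_lan(p.src) and p.sport == 53, "ACCEPT"),
    # -i ppp+ -p tcp ! -y -s ! 10.0.0.0/24 -j ACCEPT
    (lambda p: iface_match("ppp+", p.iface) and p.proto == "tcp"
               and not p.syn_only and not in_lan(p.src), "ACCEPT"),
]
INPUT_POLICY = "DENY"   # /sbin/ipchains -P input DENY


def input_verdict(p):
    """The first rule with a matching target decides; otherwise the chain policy."""
    for match, target in INPUT_RULES:
        if match(p):
            return target
    return INPUT_POLICY


# Constructed sample packets (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLES = {
    "lan_to_gateway":   Packet("eth0", "tcp", "10.0.0.5", "10.0.0.1", 40000, 22, syn_only=True),
    "lan_web_out":      Packet("eth0", "tcp", "10.0.0.5", "198.51.100.7", 40001, 80, syn_only=True),
    "inet_syn_to_ssh":  Packet("ppp0", "tcp", "203.0.113.9", "192.0.2.1", 5555, 22, syn_only=True),
    "inet_dns_reply":   Packet("ppp0", "udp", "203.0.113.53", "192.0.2.1", 53, 33000),
    "inet_tcp_reply":   Packet("ppp0", "tcp", "203.0.113.80", "192.0.2.1", 80, 40002),
    "inet_ping":        Packet("ppp0", "icmp", "203.0.113.9", "192.0.2.1", icmp_type="echo-request"),
    "inet_ttl_exceeded": Packet("ppp0", "icmp", "203.0.113.1", "192.0.2.1", icmp_type="time-exceeded"),
    # outside packet forging a LAN source: caught by the '-s ! 10.0.0.0/24' clauses
    "spoofed_lan_src":  Packet("ppp0", "tcp", "10.0.0.5", "192.0.2.1", 80, 40004),
}


def evaluate_samples():
    """Return {sample name: verdict} for every constructed packet."""
    return {name: input_verdict(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:18s} {verdict}")
```

Running it shows the shape of the policy: LAN traffic on eth0 is accepted (or redirected to the proxy for port 80), established TCP and selected ICMP errors from the dial-up side get in, and a new inbound SYN, an outside ping, or a packet forging a LAN source on ppp0 all fall through to DENY. It also makes one of the loose spots visible: the DNS rules match on source port 53 only, so any UDP or TCP packet sent from port 53 is accepted whatever local port it targets, which is one of the places the script could be "a lot tighter".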