On Tue, 18 Jan 2000 09:13:02 -0800, you wrote:
>Once again, I want *all* attempts to connect from the outside to be blocked.
Here's what I use and I'd recommend it. It looks complicated, but is
fairly simple. The advantage is that the local users (coming in on
card eth0) get accepted immediately. Obviously you'll want to change
the variables at the top of the script but it should work after that's
done.
#----cut-here----------------cut-here----------------cut-here---------------
#!/bin/sh
# ======================================================================
# Variables
# ======================================================================
# General Variables
world="0.0.0.0/0"
highport="1024:65535"
lowport="1:1023"
# Network Variables
intnet="192.168.1.0/24"          # internal LAN behind eth0
localip="w.x.y.z/32"             # this box's Internet-facing address (fill in)
# Services Variables
dhcp="w.x.y.0/24"                # network your DHCP server answers from (fill in)
# ======================================================================
# Flush standard chains
# ======================================================================
ipchains -F input
ipchains -F output
ipchains -F forward
# ======================================================================
# Set chain policies
# ======================================================================
ipchains -P input REJECT
ipchains -P output ACCEPT
ipchains -P forward REJECT
# ======================================================================
# Output Chain
# ======================================================================
# log all output
#ipchains -A output -p TCP -l
# Minimize Delay (TOS) for Web Browsing, Telnet & FTP control
ipchains -A output -p TCP -d $world www -t 0x01 0x10
ipchains -A output -p TCP -d $world telnet -t 0x01 0x10
ipchains -A output -p TCP -d $world ftp -t 0x01 0x10
# Maximize Throughput for ftp data
ipchains -A output -p TCP -d $world ftp-data -t 0x01 0x08
# ======================================================================
# Input Chains
# ======================================================================
# Incoming data from local network (eth0) is accepted by default
ipchains -A input -i eth0 -j ACCEPT
# Also accept local loopback info by default
ipchains -A input -i lo -j ACCEPT
# No fake local IPs from Internet! Log and Reject.
# (Only reached for packets that did not arrive on eth0 or lo, so the
# real internal net is not caught here.)
ipchains -A input -s 192.168.0.0/16 -l -j REJECT
ipchains -A input -s 10.0.0.0/8 -l -j REJECT
ipchains -A input -s 172.16.0.0/12 -l -j REJECT    # RFC 1918 block is /12, not /16
ipchains -A input -s 127.0.0.0/8 -l -j REJECT
# === Open Services ===
# Accept incoming DNS entries from DNS Servers
#ipchains -A input -p TCP -s $world 53 -d $localip 53 -j ACCEPT
#ipchains -A input -p UDP -s $world 53 -d $localip 53 -j ACCEPT
# Accept incoming DHCP/BOOTP server replies
# (DHCP is UDP, server port 67 to client port 68)
ipchains -A input -p UDP -s $dhcp 67 -d $localip 68 -j ACCEPT
# Allow ident access but log.
# NOTE: I am running fakeidentd -- don't run identd.
ipchains -A input -p TCP -d $localip auth -l -j ACCEPT
# === Core rules ===
# Accept pings but log
ipchains -A input -p ICMP -l -j ACCEPT
# Log and reject SYN packets (new connections) to high ports
ipchains -A input -y -p TCP -d $localip $highport -l -j REJECT
# Accept UDP to high ports (replies to our own DNS and other UDP queries)
ipchains -A input -p UDP -d $localip $highport -j ACCEPT
# Accept non-SYN TCP to high ports (replies to our own outgoing
# connections; SYNs to these ports were already rejected above)
ipchains -A input -p TCP -d $localip $highport -j ACCEPT
# Log and reject any other packets (including all SYNs to low ports)
ipchains -A input -d $world -l -j REJECT
# ======================================================================
# Forward Chains
# ======================================================================
# If headed into the internal network, reject TCP to low ports and log it
# (no -y here, so this catches all such TCP, not only SYNs).
ipchains -A forward -p TCP -d $intnet $lowport -l -j REJECT
# Masquerade anything else from the internal network
ipchains -A forward -s $intnet -j MASQ
# Log and reject anything not covered.
ipchains -A forward -d $world -l -j REJECT
# ======================================================================
# Masquerade Settings
# ======================================================================
# Masquerade timeouts in seconds: TCP sessions, TCP after FIN, UDP
ipchains -M -S 7200 10 60
#----cut-here----------------cut-here----------------cut-here---------------
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
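The following is an added example and not part of the original post or its script: a first-match model of the posted `input` chain, written in Python so the policy can be exercised without an ipchains kernel. It walks the rules in the script's order and reports which rule decides each packet and whether it is logged. Two properties of the ruleset become visible: a SYN from the Internet to a high port is rejected and logged, while a non-SYN segment to the same port is accepted silently (that is how replies to outbound connections get in, and also why an ACK probe is not logged), and UDP to any high port is accepted unlogged. The interface names (`ppp0` Internet side, `eth0` LAN), the address `203.0.113.5` standing in for `w.x.y.z`, and the DHCP server network `203.0.113.0/24` are assumptions; DHCP is modelled as UDP 67 to 68, as the protocol uses. The sample packets are constructed for the example.

```python
"""First-match model of the posted ipchains 'input' chain (added example).

Interface names, 203.0.113.5 for w.x.y.z and 203.0.113.0/24 for the DHCP
server network are assumptions, not values from the original post.
"""
import ipaddress
from dataclasses import dataclass

LOCALIP = "203.0.113.5"          # stands in for w.x.y.z (assumption)
DHCP_NET = "203.0.113.0/24"      # stands in for w.x.y.0/24 (assumption)
HIGHPORT = range(1024, 65536)    # the script's $highport


@dataclass
class Packet:
    iface: str            # interface the packet arrived on (-i)
    proto: str            # "TCP", "UDP" or "ICMP" (-p)
    src: str              # source address (-s)
    dst: str              # destination address (-d)
    dport: int = 0        # destination port; 0 for ICMP
    syn: bool = False     # TCP SYN with ACK clear (-y)


def in_net(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


# (rule name, match predicate, target, logged) in the script's order.
INPUT_CHAIN = [
    ("lan",           lambda p: p.iface == "eth0",                        "ACCEPT", False),
    ("loopback",      lambda p: p.iface == "lo",                          "ACCEPT", False),
    ("spoof-192.168", lambda p: in_net(p.src, "192.168.0.0/16"),          "REJECT", True),
    ("spoof-10",      lambda p: in_net(p.src, "10.0.0.0/8"),              "REJECT", True),
    ("spoof-172.16",  lambda p: in_net(p.src, "172.16.0.0/12"),           "REJECT", True),
    ("spoof-127",     lambda p: in_net(p.src, "127.0.0.0/8"),             "REJECT", True),
    ("dhcp-reply",    lambda p: p.proto == "UDP" and p.dport == 68
                                and in_net(p.src, DHCP_NET) and p.dst == LOCALIP, "ACCEPT", False),
    ("ident",         lambda p: p.proto == "TCP" and p.dport == 113
                                and p.dst == LOCALIP,                     "ACCEPT", True),
    ("icmp",          lambda p: p.proto == "ICMP",                        "ACCEPT", True),
    ("syn-highport",  lambda p: p.proto == "TCP" and p.syn
                                and p.dport in HIGHPORT and p.dst == LOCALIP, "REJECT", True),
    ("udp-highport",  lambda p: p.proto == "UDP" and p.dport in HIGHPORT
                                and p.dst == LOCALIP,                     "ACCEPT", False),
    ("tcp-highport",  lambda p: p.proto == "TCP" and p.dport in HIGHPORT
                                and p.dst == LOCALIP,                     "ACCEPT", False),
    ("catch-all",     lambda p: True,                                     "REJECT", True),
]


def evaluate(p: Packet):
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (rule name, target, logged). The chain policy is REJECT, but
    the catch-all rule means no packet ever falls through to it."""
    for name, match, target, logged in INPUT_CHAIN:
        if match(p):
            return name, target, logged
    return "policy", "REJECT", False


# Constructed sample traffic, mostly arriving on the Internet interface.
SAMPLES = {
    "syn to 2000":     Packet("ppp0", "TCP", "198.51.100.7", LOCALIP, 2000, syn=True),
    "ack to 2000":     Packet("ppp0", "TCP", "198.51.100.7", LOCALIP, 2000),
    "syn to 22":       Packet("ppp0", "TCP", "198.51.100.7", LOCALIP, 22, syn=True),
    "udp to 5000":     Packet("ppp0", "UDP", "198.51.100.7", LOCALIP, 5000),
    "ident probe":     Packet("ppp0", "TCP", "198.51.100.7", LOCALIP, 113, syn=True),
    "spoofed lan src": Packet("ppp0", "TCP", "192.168.1.9", LOCALIP, 80, syn=True),
    "real lan src":    Packet("eth0", "TCP", "192.168.1.9", LOCALIP, 22, syn=True),
    "dhcp offer":      Packet("ppp0", "UDP", "203.0.113.1", LOCALIP, 68),
    "ping":            Packet("ppp0", "ICMP", "198.51.100.7", LOCALIP),
}


def audit():
    """Decision for each sample, keyed by its description."""
    return {k: evaluate(p) for k, p in SAMPLES.items()}


if __name__ == "__main__":
    for desc, (rule, target, logged) in audit().items():
        note = " (logged)" if logged else ""
        print(f"{desc:16} -> {target:6} via {rule}{note}")
```

Run it as a script to print the decision table; `evaluate()` can also be called with your own `Packet` to check a case before touching the live ruleset. The model deliberately keeps the script's rule order, so reordering a rule here shows the same shadowing effects it would have in the kernel.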