Michael Schwendt wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 11 Mar 2003 22:45:17 +0800, [EMAIL PROTECTED] wrote:
>
> > Hello to you,
> >
> > After the following "iptables-rules" on Linux Redhat 7.2 Server:
> >
> > /etc/rc.d/rc.local :
> > iptables -F
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> > iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
> > iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
> > iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
> > iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
> >
> > Then the Internet users can only use the port numbers (services)
> > 80 (Web) and 53 (DNS)...
> >
> > On Linux Redhat 6.x Server, we can only use the "ipchains-rules"
> > function:
>
> You cannot compare iptables and ipchains easily, because in above
> rules you used features which are not available with ipchains.
>
> > ipchains -F
> > ipchains -A input -i eth0 -p tcp --dport 80 -j ACCEPT
> > ipchains -A input -i eth0 -p tcp --dport 53 -j ACCEPT
> > ipchains -A input -i eth0 -p udp --dport 53 -j ACCEPT
> >
> > But how can we only allow users to use port numbers (services)
> > 80 (Web) and 53 (DNS)...?
>
> Be sure to look into setting the "default policies" or add rules at
> the end of a chain that drop all other traffic (DENY or REJECT).
>
> Observe that a connection has two end-points and that at each
> end-point, data are both received _and_ sent. In your example of a
> web server, your machine receives incoming traffic at _destination_
> port 80, but sends outgoing traffic from _source_ port 80. So, what
> you want is to disallow everything and allow only traffic _to_ and
> _from_ your ports 80 and 53.
>
> Add:
>
>   ipchains --policy input DENY
>   ipchains --policy output DENY
>   ## Allow outgoing traffic from your HTTP/DNS server.
>   ipchains -A output -i eth0 -p tcp --sport 80 -j ACCEPT
>   ipchains -A output -i eth0 -p tcp --sport 53 -j ACCEPT
>   ipchains -A output -i eth0 -p udp --sport 53 -j ACCEPT
>   ## Debugging rules.
>   ipchains -A input -s 0/0 -d 0/0 -l -j REJECT
>   ipchains -A output -s 0/0 -d 0/0 -l -j REJECT
>
> Note, however, that your set of rules is incomplete, and you would
> want to allow access to the loopback device, for instance.

Okay... Now I want to allow users to use only the following port numbers
(services):

/sbin/ipchains -A input -i eth0 -p tcp --dport 20 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp --dport 21 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp --dport 22 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp --dport 23 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp --dport 25 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp --dport 80 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp --dport 53 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p udp --dport 53 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp --dport 110 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp --dport 143 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp --dport 113 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p udp --dport 113 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp --dport 3000 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp --dport 8000 -j ACCEPT

So, how can I add the rules (the ones you posted to me in this mail)?

A long time ago, I got the following info from the Internet:
--- Begin of  cut --->
Run a basic firewall

  Redhat comes with a firewall utility called ipchains which can filter and
redirect packets for you. Add these rules to /etc/rc.d/rc.local to provide you
with basic security and logging.

/sbin/ipchains -F
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 53 -j DENY -l
/sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 69 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 87 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 111 -j DENY -l
/sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 111 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 2049 -j DENY -l
/sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 2049 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 512 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 513 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 514 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 515 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 540 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 2000 -j DENY -l
/sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 2000 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 6000 -j DENY -l

  These rules block connections to certain services which CERT says are bad
and dangerous. If you are on a dialup, replace eth0 with ppp0.

--- End of cut -->

So, are these settings (rules) suitable for ipchains users?

Thanks for your help!

Edward.

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
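The following is an added example, not code from either message in the thread. It combines the two pieces of advice above into one ipchains rule set: Michael Schwendt's default-DENY policies, loopback rule and `--sport` output rules, applied to Edward's list of ports. Instead of running ipchains directly it prints the commands, so the rule set can be reviewed (or checked in a test) on a machine without root or a 2.2-era kernel; pipe the output to `sh` as root, or paste it into /etc/rc.d/rc.local. The `IPCHAINS` and `IFACE` variables and the two port lists are assumptions for the example; the port lists are copied from Edward's message.

```shell
#!/bin/sh
# Added example (not from the thread): Edward's per-port ACCEPT list combined
# with Michael Schwendt's default-DENY policies and output rules.
# IPCHAINS, IFACE, TCP_PORTS and UDP_PORTS are assumptions for this example.

IPCHAINS=${IPCHAINS:-/sbin/ipchains}
IFACE=${IFACE:-eth0}

# Services reachable from the Internet (the list from Edward's message).
TCP_PORTS="20 21 22 23 25 53 80 110 143 113 3000 8000"
UDP_PORTS="53 113"

# Print the complete rule set, one ipchains command per line, in the order
# it must be loaded.
gen_rules() {
    # Flush, then set the default policies BEFORE adding any ACCEPT rule, so
    # that while rc.local is still running the box is closed, not wide open.
    for chain in input output forward; do
        echo "$IPCHAINS -F $chain"
        echo "$IPCHAINS -P $chain DENY"
    done
    # Loopback: local services (resolver, mail, X) break without this.
    echo "$IPCHAINS -A input  -i lo -j ACCEPT"
    echo "$IPCHAINS -A output -i lo -j ACCEPT"
    # Each service needs two rules: packets arriving at the listening port
    # (--dport on input) and the replies leaving from it (--sport on output).
    for p in $TCP_PORTS; do
        echo "$IPCHAINS -A input  -i $IFACE -p tcp --dport $p -j ACCEPT"
        echo "$IPCHAINS -A output -i $IFACE -p tcp --sport $p -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        echo "$IPCHAINS -A input  -i $IFACE -p udp --dport $p -j ACCEPT"
        echo "$IPCHAINS -A output -i $IFACE -p udp --sport $p -j ACCEPT"
    done
    # Catch-all log-and-reject rules, as in Michael's "debugging rules".
    # The DENY policy would already drop these packets; -l makes them visible
    # in the kernel log so a missing rule can be spotted.
    echo "$IPCHAINS -A input  -s 0/0 -d 0/0 -l -j REJECT"
    echo "$IPCHAINS -A output -s 0/0 -d 0/0 -l -j REJECT"
}

# Self-check helpers: how many input rules ACCEPT inbound TCP to port $1,
# and whether every chain gets a DENY policy.  grep -c prints 0 (and exits
# non-zero) when nothing matches, hence the "|| true".
count_tcp_input_accept() {
    gen_rules | grep -c -- "-A input  -i $IFACE -p tcp --dport $1 -j ACCEPT" || true
}

count_deny_policies() {
    gen_rules | grep -c -- "-P [a-z]* DENY" || true
}

# Stand-alone use: print the rule set for review.
gen_rules
```

Two caveats that follow from Michael's "two end-points" remark. First, ipchains has no connection state, so these rules only cover connections *to* the server; anything the server itself initiates (sendmail delivering to a remote port 25, the name server forwarding a query to a remote port 53, active-mode FTP data from port 20) needs its own `--dport` rule on output and a matching `--sport` rule on input. Second, ipchains evaluates a chain in order and stops at the first match, so if the pasted CERT-style `-j DENY -l` lines are added as well, a `DENY` for TCP port 53 placed before the ACCEPT rule above would silently block DNS over TCP, while placed after it the DENY rule is never reached.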