On Wed, Sep 12, 2001 at 09:03:42PM +0100, mark wrote:
> I am trying to set up a basic firewall (as in very basic at the moment),
> but I seem to be having some problems getting any web pages or doing DNS
> lookups to the internet when I implement the firewall
> 
> I am using dialup on interface ppp0 to my ISP (modem connection) and the
> network is on eth0 (192.168.1.0/24), consisting of 2 machines
> peer-to-peer; both have their own modem connection
> 
> I am trying to block any packets/requests to any internal interfaces
> (apart from ones I send out) from ppp0.
> Here are my rules so far (taking my isp_addy as 1.2.3.4, for security's
> sake):
> 
> # Flush out any existing rules
> /sbin/ipchains -F
> /sbin/ipchains -X
> 
> # Set default policies to deny everything
> /sbin/ipchains -P input  DENY
> /sbin/ipchains -P forward  DENY
> /sbin/ipchains -P output  DENY
> 
> # Allow all localhost traffic
> /sbin/ipchains -A input -i lo -j ACCEPT
> /sbin/ipchains -A output -i lo -j ACCEPT
> 
> # Allow all internal network traffic
> /sbin/ipchains -A input -i eth0 -j ACCEPT
> /sbin/ipchains -A output -i eth0 -j ACCEPT
> 
> # --- TCP ---
> /sbin/ipchains -A output -p tcp -j ACCEPT -i ppp0 -s 0.0.0.0/0 -d 1.2.3.4

The source address of the local machine on the remote interface is the
IP address assigned by your ISP.  Also, you want to let that go
anywhere, so the above line should read

/sbin/ipchains -A output -p tcp -j ACCEPT -i ppp0 -s 1.2.3.4/32 -d 0.0.0.0/0

> /sbin/ipchains -A input -p tcp -j DENY -i ppp0 ! -y -s 1.2.3.4 -d 0.0.0.0/0

I'm pretty sure that what you want for the one above is

/sbin/ipchains -A input -p tcp -j DENY -i ppp0 -y -s 0.0.0.0/0 -d 1.2.3.4/32

You don't want to negate the -y switch.
 
> # --- UDP ---
> /sbin/ipchains -A output -p udp -j ACCEPT -i ppp0 -s 0.0.0.0/0 -d 1.2.3.4

Above you should switch your source and destination addresses:

/sbin/ipchains -A output -p udp -j ACCEPT -i ppp0 -s 1.2.3.4/32 -d 0.0.0.0/0

> /sbin/ipchains -A input -p udp -j DENY -i ppp0 ! y -s 1.2.3.4 -d 0.0.0.0/0

The -y switch only applies to the TCP protocol, so the above should be

/sbin/ipchains -A input -p udp -j DENY -i ppp0 -s 0.0.0.0/0 -d 1.2.3.4/32
 
> From what I understand, '-s' is the source and '-d' is the
> destination, so I assume that in the #--- TCP --- example, what I want
> to do is:

Do you have a static IP?  If you have a dynamic IP assigned by your
ISP when you connect, you need to replace "1.2.3.4" everywhere above
with something like "$extip" and then do some magic at the beginning
of your firewall script to get your current IP.  Here's one way to do
it--taken from my firewall script which is a modified form of the
script in a HOWTO I can't now find...I think it was one of Rusty's
HOWTOs.

extip="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

Note also how a netmask of 32 is used in conjunction with the IP of
your external interface (ppp0).  You don't want anything but that
_one_ address accepted.

My script also has some rules to prevent IP spoofing, stuffed routing,
and stuffed masquerading.  If you're interested, I'll try to find the
original script I made mine from, because you'll need to change a
couple of other things.

Regards,
Ben Logan

-- 
When Linux won't install on some hardware configuration, it means you
you need to switch to Windoze; but when a M$ product won't install, it
means you need to buy a new computer.
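Putting the thread's corrections together, here is an added example script (not mark's script and not Ben's; the anti-spoofing rules follow the technique Ben only mentions). It wraps Ben's ifconfig/grep/awk/sed pipeline in a function that reads from a string, so it can be checked against a constructed 2.2-era `ifconfig ppp0` sample using the thread's placeholder address 1.2.3.4, and it goes one step beyond the thread: with all three default policies set to DENY, the corrected SYN-only DENY is not enough on its own, because replies to outbound connections still hit the default policy, so the example also adds an ACCEPT for non-SYN TCP packets and for UDP replies from port 53. The interface names, the `FW_APPLY` dry-run switch and the sample output are assumptions for illustration; `-y`, `! -y`, `-l` and `--sport` are ipchains options.

```shell
#!/bin/sh
# Added example (not mark's or Ben's script): the thread's ipchains rules with
# the corrections applied, plus the ACCEPT rules a default-DENY policy needs
# for web and DNS replies to get back in. Interface names, the constructed
# ifconfig sample and the dry-run behaviour are assumptions for illustration.

EXT_IF=ppp0                 # dialup interface to the ISP
INT_IF=eth0                 # internal network
INT_NET=192.168.1.0/24
DNS_PORT=53

# Dry run unless FW_APPLY=1: the rules are printed instead of loaded, so the
# script can be reviewed (and run here) on a machine without ipchains.
if [ "${FW_APPLY:-0}" = "1" ]; then
    IPCHAINS=/sbin/ipchains
else
    IPCHAINS="echo /sbin/ipchains"
fi

# Ben's pipeline for the dynamic ppp0 address, reading ifconfig output from
# its argument instead of the live interface so it can be checked offline.
# Expects the 2.2-era "inet addr:1.2.3.4  P-t-P:..." line.
extip_from_ifconfig() {
    printf '%s\n' "$1" | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'
}

# Constructed sample of what '/sbin/ifconfig ppp0' printed on a 2.2 kernel,
# using the thread's placeholder address 1.2.3.4.
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:1.2.3.4  P-t-P:1.2.3.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# Emit (or load) the rule set for the given external address.
firewall_rules() {
    extip="$1"

    # Flush existing rules and deny everything by default
    $IPCHAINS -F
    $IPCHAINS -X
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output DENY

    # Loopback and the internal network are trusted
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A output -i lo -j ACCEPT
    $IPCHAINS -A input -i "$INT_IF" -j ACCEPT
    $IPCHAINS -A output -i "$INT_IF" -j ACCEPT

    # Anti-spoofing: nothing arriving on ppp0 may claim an internal,
    # loopback or our own external address. Logged (-l) so attempts
    # show up in the kernel log.
    $IPCHAINS -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    $IPCHAINS -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l
    $IPCHAINS -A input -i "$EXT_IF" -s "$extip/32" -j DENY -l

    # TCP: connections we open leave from our /32; inbound SYNs (-y) are
    # refused and logged; anything else on TCP is a reply to us.
    $IPCHAINS -A output -i "$EXT_IF" -p tcp -s "$extip/32" -d 0.0.0.0/0 -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -y -s 0.0.0.0/0 -d "$extip/32" -j DENY -l
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y -s 0.0.0.0/0 -d "$extip/32" -j ACCEPT

    # UDP: outbound queries, and replies only from port 53 (the resolver).
    # No -y here; it is TCP-only.
    $IPCHAINS -A output -i "$EXT_IF" -p udp -s "$extip/32" -d 0.0.0.0/0 -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 --sport "$DNS_PORT" -d "$extip/32" -j ACCEPT
}

if [ "${FW_APPLY:-0}" = "1" ]; then
    extip="$(extip_from_ifconfig "$(/sbin/ifconfig "$EXT_IF")")"
else
    extip="$(extip_from_ifconfig "$SAMPLE_IFCONFIG")"
fi
[ -n "$extip" ] || { echo "could not determine the $EXT_IF address" >&2; exit 1; }
firewall_rules "$extip"
```

Run it as-is to see the 17 rules it would load for 1.2.3.4; run it as `FW_APPLY=1 sh firewall.sh` (as root, after the PPP link is up) to read the real ppp0 address and load them. The empty-address check matters on a dynamic link: if the script runs before ppp0 has an address, the rules would otherwise be built with an empty `-s /32`.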



_______________________________________________
Seawolf-list mailing list
https://listman.redhat.com/mailman/listinfo/seawolf-list