Hi,
Well, in your line

-A input -i eth0 -s 0/0 -d 0/0 -p tcp -y -j DENY -l

you specifically block ONLY TCP connection attempts, so UDP/ICMP etc. are still allowed. You can use

-A input -p icmp -j DENY -l

but that still allows UDP. You cannot block all UDP if you want DNS to work, so at this point you have to know what ports to allow through, i.e. 53. So that you allow DNS through first:

-A input -p udp -s DNS 53 -d MACHINE UNPRIVILEGED_PORTS -j ACCEPT

Where:
DNS is your DNS server
MACHINE is your local IP address (harder to get if dynamic IP, so you can use 0/0; it isn't much of a hole)
UNPRIVILEGED_PORTS are ports from 1024:65535

then have a line

-A input -p udp -j DENY -l

This starts to become very easy to get in the wrong order, which is why most people? recommend setting up a firewall the other way round, i.e. you should have

input DENY
forward DENY
output DENY

and then specifically allow through (in and out) the services that you want. You can still have nice input blocking lines like yours at the top; they just narrow down the available space for allowed connections. It is more complex to set up and maintain this way, but you learn about IP, and it is slightly more secure.

Note: currently your setup allows you to send anything out to the internet, and that can be as big a problem as allowing things in. However, someone would have to be much more determined to get on to your box with your current rules than on to 90% of boxes out there. So it is a good start.

Good luck.
/Dave

On Friday 20 September 2002 02:05, Nikolai wrote:
> I have setup the following rules for my ipchains:
> :input ACCEPT
> :forward DENY
> :output ACCEPT
>
> -A input -j DENY -p all -l -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0
> -A input -i eth0 -s 0/0 -d 0/0 -p tcp -y -j DENY -l
>
> I did an online-based scan at scan.sygate.com and everything appears to
> be 'blocked' except ICMP service on port 8.
>
> Can someone please help me with how to close this hole as well?
>
> Some background:
> my kernel is 2.4.18 (with Mandrake 8.2)
> I'm new to Linux/GNU in general and security in particular.
>
> Thanks
> Nikolai
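The two points of Dave's reply, first-match rule order and a default-DENY policy with specific ACCEPTs, can be checked without touching a live kernel. What follows is an added example, not part of the original thread and not ipchains itself: a small Python model of an ipchains-style input chain (first matching rule wins, otherwise the chain policy applies), fed Nikolai's posted rules, Dave's two UDP lines in the wrong order, and a default-DENY chain in the order Dave describes. The addresses (192.0.2.53 for DNS, 203.0.113.10 for MACHINE, 198.51.100.7 as a remote host, all RFC 5737 documentation ranges), the sample packets, and the `! -y` ACCEPT for non-SYN TCP replies are assumptions added here. The "ICMP service on port 8" the scan reported is modelled as ICMP type 8 (echo request), since ICMP has no ports and that is what such scanners usually mean.

```python
"""Toy model of ipchains 'input' chain evaluation: first matching rule wins,
otherwise the chain's default policy applies.  Constructed example, not
ipchains; it exists to show why rule order and default policy matter."""
from ipaddress import ip_address, ip_network

# Assumed addresses (RFC 5737 documentation ranges), not taken from the thread.
DNS_SERVER = "192.0.2.53"      # 'DNS' in Dave's rule
MACHINE = "203.0.113.10"       # 'MACHINE' in Dave's rule
UNPRIVILEGED = (1024, 65535)   # 'UNPRIVILEGED_PORTS'


def rule(target, proto="all", src="0.0.0.0/0", dst="0.0.0.0/0",
         sport=None, dport=None, syn=None):
    """One chain entry in ipchains-like terms.  sport/dport are inclusive
    (lo, hi) ranges or None for any; for ICMP the type rides in the sport slot.
    syn=True models '-y' (SYN only), syn=False models '! -y', None ignores it."""
    return {"target": target, "proto": proto,
            "src": ip_network(src), "dst": ip_network(dst),
            "sport": sport, "dport": dport, "syn": syn}


def _in_range(rng, value):
    return rng is None or rng[0] <= value <= rng[1]


def matches(r, pkt):
    """Does packet dict `pkt` (proto, src, dst, sport, dport, syn) hit rule `r`?"""
    if r["proto"] != "all" and r["proto"] != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in r["src"] or ip_address(pkt["dst"]) not in r["dst"]:
        return False
    if not _in_range(r["sport"], pkt.get("sport", 0)):
        return False
    if not _in_range(r["dport"], pkt.get("dport", 0)):
        return False
    if r["syn"] is not None:
        return pkt["proto"] == "tcp" and pkt.get("syn", False) == r["syn"]
    return True


def verdict(policy, chain, pkt):
    """First match wins; a non-matching chain falls through to `policy`."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy


def _covers(outer, inner):
    """True when every packet matching `inner` would already match `outer`."""
    def range_covers(o, i):
        return o is None or (i is not None and o[0] <= i[0] and i[1] <= o[1])
    return (outer["proto"] in ("all", inner["proto"])
            and inner["src"].subnet_of(outer["src"])
            and inner["dst"].subnet_of(outer["dst"])
            and range_covers(outer["sport"], inner["sport"])
            and range_covers(outer["dport"], inner["dport"])
            and (outer["syn"] is None or outer["syn"] == inner["syn"]))


def shadowed(chain):
    """Indexes of rules that can never fire because an earlier rule covers
    them: the 'wrong order' mistake Dave warns about."""
    return [i for i, r in enumerate(chain) if any(_covers(chain[j], r) for j in range(i))]


# Nikolai's posted chain: default ACCEPT with two DENY lines.
NIKOLAI = ("ACCEPT", [
    rule("DENY", src="127.0.0.0/8"),
    rule("DENY", proto="tcp", syn=True),
])

# Dave's two UDP lines with the DENY first: the blanket DENY shadows the DNS ACCEPT.
WRONG_ORDER = ("DENY", [
    rule("DENY", proto="udp"),
    rule("ACCEPT", proto="udp", src=DNS_SERVER, sport=(53, 53), dst=MACHINE, dport=UNPRIVILEGED),
])

# Default DENY with specific allows, in the order Dave describes.  The '! -y'
# ACCEPT for non-SYN TCP (replies to connections this box opened) is an
# assumption added so outbound TCP still works under a DENY policy.
DEFAULT_DENY = ("DENY", [
    rule("DENY", src="127.0.0.0/8"),
    rule("ACCEPT", proto="udp", src=DNS_SERVER, sport=(53, 53), dst=MACHINE, dport=UNPRIVILEGED),
    rule("DENY", proto="udp"),
    rule("ACCEPT", proto="tcp", syn=False),
    rule("DENY", proto="tcp", syn=True),
    rule("DENY", proto="icmp"),
])

# Constructed sample packets; 198.51.100.7 is an arbitrary remote host.
ECHO_REQUEST = {"proto": "icmp", "src": "198.51.100.7", "dst": MACHINE, "sport": 8}  # ICMP type 8
DNS_REPLY = {"proto": "udp", "src": DNS_SERVER, "sport": 53, "dst": MACHINE, "dport": 40123}
STRAY_UDP = {"proto": "udp", "src": "198.51.100.7", "sport": 31337, "dst": MACHINE, "dport": 31337}
TCP_SYN = {"proto": "tcp", "src": "198.51.100.7", "sport": 44444, "dst": MACHINE, "dport": 22, "syn": True}
TCP_REPLY = {"proto": "tcp", "src": "198.51.100.7", "sport": 80, "dst": MACHINE, "dport": 40124, "syn": False}

if __name__ == "__main__":
    packets = [("echo_request", ECHO_REQUEST), ("dns_reply", DNS_REPLY), ("stray_udp", STRAY_UDP),
               ("tcp_syn", TCP_SYN), ("tcp_reply", TCP_REPLY)]
    for name, (policy, chain) in [("nikolai", NIKOLAI), ("wrong_order", WRONG_ORDER), ("default_deny", DEFAULT_DENY)]:
        print(f"{name}: shadowed rules {shadowed(chain)}")
        for pname, pkt in packets:
            print(f"  {pname:13s} -> {verdict(policy, chain, pkt)}")
```

Running it shows Nikolai's chain accepting the echo request and any stray UDP because the policy is ACCEPT and nothing denies them, the wrong-order chain dropping the DNS reply (and `shadowed()` flagging rule 1 as unreachable, which is the lint to run before loading a chain), and the default-DENY chain accepting only the DNS reply and established TCP while denying the echo request, stray UDP and inbound SYNs.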
