[plug] INPUT chain

Leon Brooks leonb at bounce.networx.net.au
Sat Aug 28 22:52:53 WST 1999


Subba Rao wrote:
> EXERCISE

> For the modem interface, I set up the following rules,

> $ ipchains -A input -i ppp0 -p 21 -j DENY
> $ ipchains -A input -i ppp0 -p 23 -j DENY
> $ ipchains -A input -i ppp0 -p 80 -j DENY
> 
> My goal in this exercise is to prevent outside telnet, ftp and www access
> to my gateway.

Try -d 0/0 21 (etc) instead of -p (which specifies some (in this case
very weird) protocol types).

I prefer to do French Foreign Legion Policy:

ipchains -P input DENY                # default: drop everything arriving
for port in 6000 443 80 53; do        # extend the list as needed
    # accept packets arriving on ppp0 whose source port is $port
    # (ports need a protocol, hence -p tcp; -d would match the destination port)
    ipchains -A input -j ACCEPT -i ppp0 -p tcp -s 0/0 $port
done

I also block un-needed _outbound_ connects from low ports. If your
intranet uses SMB (windows sharing) remember not to allow either TCP or
UDP from ppp0 on ports 137-139 inclusive as SMB is *DESIGN*INSECURE*
which means that it can't be fixed with mere firewalling, only blocked.
Also block all connects to and from the BackOrifice and NetBus default
ports, services like IRC (think of DCC'ed trojans), ICQ and anything
else that your Windows users might run without thinking. (-: Starting
with windows. :-)

(The FFL manual starts with "You shall do nothing except...")
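A default-deny input policy in the style described above, as an added example written for this page (not Leon's script): it assumes ppp0 is the dial-up interface and an illustrative service list, and it only prints the ipchains commands unless IPCHAINS=ipchains is set.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: external
# interface ppp0, and a sample list of services this gateway offers.
# By default the commands are printed; set IPCHAINS=ipchains to apply them.
IPCHAINS="${IPCHAINS:-echo ipchains}"
EXT_IF="${EXT_IF:-ppp0}"
ALLOW_TCP="${ALLOW_TCP:-80 443 53}"   # TCP services reachable from outside
ALLOW_UDP="${ALLOW_UDP:-53}"          # UDP services reachable from outside

apply_policy() {
    $IPCHAINS -F input
    $IPCHAINS -P input DENY           # "you shall do nothing except..."
    for port in $ALLOW_TCP; do
        # -d 0/0 $port matches the destination port; -p names the protocol
        $IPCHAINS -A input -i "$EXT_IF" -p tcp -d 0/0 "$port" -j ACCEPT
    done
    for port in $ALLOW_UDP; do
        $IPCHAINS -A input -i "$EXT_IF" -p udp -d 0/0 "$port" -j ACCEPT
    done
    # SMB/NetBIOS (137-139) never crosses the dial-up link, in either
    # direction, over TCP or UDP; -l logs the attempt
    for proto in tcp udp; do
        $IPCHAINS -A input  -i "$EXT_IF" -p $proto -d 0/0 137:139 -j DENY -l
        $IPCHAINS -A output -i "$EXT_IF" -p $proto -d 0/0 137:139 -j DENY -l
    done
}

# number of ACCEPT rules the policy emits (useful when reviewing the list)
count_accepts() { apply_policy | grep -c -- '-j ACCEPT'; }
```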
