[plug] Lock the box - ipchains recipe etc

Leon Brooks leonb at bounce.networx.net.au
Wed Nov 17 23:30:02 WST 1999


John Summerfield wrote:
> > Brad Campbell wrote:
> > > Is there an easy way, using ipchains maybe, to deny all
> > > incoming connections? Probably the easy way to do it
> > > is to block incoming from ppp0?

> > You do need some to operate...

> > /sbin/ipchains -P input DENY
> > /sbin/ipchains -A input -i eth0 -j ACCEPT
> > /sbin/ipchains -N uplink
> > /sbin/ipchains -A input -i ppp0 -j uplink
> > /sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 auth -j ACCEPT
> > /sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 ftp-data -j ACCEPT
> > /sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 ssh -j ACCEPT
> > /sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 6000 -j DENY
> > /sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 5432 -j DENY
> > /sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 3333 -j DENY
> > # and any other high ports you want to protect, netstat will tell
> > /sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 1025:65535 -j ACCEPT

> Given that you have
>         ipchains -P input DENY
> does this perform any function, useful or otherwise?
>         ipchains -A uplink -p tcp -s 0/0 -d 0/0 6000 -j DENY

Sure does. A connect to your X server via the ppp link would work
because this rule...

    /sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 1025:65535 -j ACCEPT

...would explicitly allow it before the rule scanner fell back to the
input chain and thence the deny policy.

In a Real Life(tm) situation, I would have a chain named eth0 with a
similar set of rules for the internal clients, plus more (logged) blocks
on both incoming and outbound connects to common remote management
tools' (NetBus, BackOrifice, 7th Sphere) default ports. The internal
clients would be given access to SMB ports and probably also both FTP
ports unless mod_dav was installed and the clients were using FP2000 or
similar.
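
The chain traversal described above (first match wins, a user chain that
matches nothing hands the packet back to the chain that jumped, and only
then does the built-in chain's policy apply) is easy to check with a toy
model. The script below is an added example and is not code from this
thread or from ipchains itself: it parses the ruleset quoted above and
walks it the way the kernel would for a few packets, so that you can see
the 6000 DENY doing its job and see what happens when it is removed. It
assumes the /etc/services names resolve as auth=113, ftp-data=20 and
ssh=22, and it ignores addresses (the thread uses 0/0 throughout), the
SYN flag, logging and every ipchains option not listed in parse_rule.
The quoted rules are reproduced with "-p tcp" on each rule that names a
port, because ipchains refuses a port specification without a protocol.

```python
"""Toy model of ipchains chain traversal, run against the ruleset posted above.
Added example, not code from the thread.  First matching rule in a chain wins;
a packet reaching the end of a user chain returns to the caller and continues
after the rule that jumped; the end of a built-in chain means its policy."""
import shlex

SERVICES = {"auth": 113, "ftp-data": 20, "ssh": 22}   # assumed /etc/services values

def parse_port(spec):
    """'6000' -> (6000, 6000); '1025:65535' -> (1025, 65535); 'ssh' -> (22, 22)."""
    if spec in SERVICES:
        return SERVICES[spec], SERVICES[spec]
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def parse_rule(args):
    """Options after '-A chain' -> rule dict.  Addresses are ignored (0/0 throughout)."""
    rule = {"iface": None, "proto": None, "dport": None, "target": None}
    while args:
        flag, value, args = args[0], args[1], args[2:]
        if flag == "-i":
            rule["iface"] = value
        elif flag == "-p":
            rule["proto"] = value.lower()
        elif flag == "-j":
            rule["target"] = value
        elif flag in ("-s", "-d"):          # '-d 0/0 6000': optional port after the address
            if args and not args[0].startswith("-"):
                if flag == "-d":
                    rule["dport"] = parse_port(args[0])
                args = args[1:]             # source ports are not modelled
        else:
            raise ValueError("option not modelled: " + flag)
    return rule

def parse_ruleset(text):
    """'ipchains -P/-N/-A ...' lines -> {'policies': {...}, 'chains': {name: [rules]}}."""
    policies, chains = {}, {"input": []}
    for line in text.splitlines():
        argv = shlex.split(line)
        if not argv or argv[0].startswith("#"):
            continue
        if argv[0].endswith("ipchains"):
            argv = argv[1:]
        if argv[0] == "-P":
            policies[argv[1]] = argv[2].upper()
        elif argv[0] == "-A":               # '-N name' needs no action: chains appear on first use
            chains.setdefault(argv[1], []).append(parse_rule(argv[2:]))
    return {"policies": policies, "chains": chains}

def matches(rule, pkt):
    """pkt is (iface, proto, dport); None in a rule field means 'any'."""
    iface, proto, dport = pkt
    lo, hi = rule["dport"] or (0, 65535)
    return rule["iface"] in (None, iface) and rule["proto"] in (None, proto) and lo <= dport <= hi

def traverse(ruleset, chain, pkt, trace):
    """Walk one chain in order; return a verdict, or None if the chain fell through."""
    for n, rule in enumerate(ruleset["chains"][chain], 1):
        if not matches(rule, pkt):
            continue
        trace.append(f"{chain}:{n} -> {rule['target']}")
        if rule["target"] in ("ACCEPT", "DENY", "REJECT"):
            return rule["target"]
        found = traverse(ruleset, rule["target"], pkt, trace)   # jump into a user chain
        if found:
            return found
        # the user chain fell through: carry on with the next rule of this chain
    return None

def verdict(ruleset, pkt):
    """(verdict, rules hit) for a packet entering the input chain."""
    trace = []
    v = traverse(ruleset, "input", pkt, trace)
    if v is None:
        v = ruleset["policies"]["input"]
        trace.append(f"input policy -> {v}")
    return v, trace

# The thread's ruleset, with -p tcp on each port rule (ipchains refuses a port without a protocol).
THREAD_RULES = """
/sbin/ipchains -P input DENY
/sbin/ipchains -A input -i eth0 -j ACCEPT
/sbin/ipchains -N uplink
/sbin/ipchains -A input -i ppp0 -j uplink
/sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 auth -j ACCEPT
/sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 ftp-data -j ACCEPT
/sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 ssh -j ACCEPT
/sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 6000 -j DENY
/sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 5432 -j DENY
/sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 3333 -j DENY
/sbin/ipchains -A uplink -p tcp -s 0/0 -d 0/0 1025:65535 -j ACCEPT
"""

if __name__ == "__main__":
    full = parse_ruleset(THREAD_RULES)
    for p in (("ppp0", "tcp", 6000), ("ppp0", "tcp", 80), ("eth0", "tcp", 6000)):
        print(p, *verdict(full, p))
```

With the DENY rule in place a TCP SYN to port 6000 on ppp0 stops at
uplink rule 4; drop that line from the ruleset and the same packet is
accepted by the 1025:65535 rule instead. A packet to port 80 on ppp0
matches nothing in uplink, comes back to the input chain, finds no more
rules there and gets the DENY policy, which is the only case in which
the policy does any work for ppp0 traffic.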


More information about the plug mailing list