[plug] firewalling

raven ian.kent at pobox.com
Wed Jan 2 22:01:39 WST 2002


On Wed, 2002-01-02 at 18:18, stephen shah wrote:
> hello there,
> 
> does anyone know why the example of ipchains firewalling published in the 
> advanced linux pocket book does not appear to work?
> 
> both services are available in ntsysv, i.e. ipchains and iptables.
> I have disabled iptables. I haven't tried iptables yet, but is this the problem,
> should I be using iptables?
> 
> I upgraded my linux to kernel ver 7.1, 2-4-2-2 (yes I know this is an 
> old kernel now :) )
> ipmasq'ring works ok after I flush the ipchain ruleset
> but when I run the rc.firewall script it doesn't allow ipmasq'ring
> 
> anyone know why or has had this problem?
> 
> thanx
> 
> this is the published firewall script (modified ip #'s only)
> #!/bin/sh
> IP=$1

So you have a fixed IP on your internet port - yes?

> /sbin/ipchains -F input
> /sbin/ipchains -A input -s 192.168.1.0/24 -j ACCEPT

Accept anything that comes from this (private IP) subnet on any
interface (including external IP).
I like that.

> /sbin/ipchains -A input -p TCP ! -y -d $IP 1024:65535 -j ACCEPT

Accept reply packets from outgoing connections (aka do not allow
incoming connection establishment).

> /sbin/ipchains -A input -p TCP -y -s 0.0.0.0/0 20 -d $IP 1024:65535 -j ACCEPT

Accept incoming ftp-data connection establishment packets.

> /sbin/ipchains -A input -p UDP -s 0.0.0.0/0 53 -d $IP 1024:65535 -j ACCEPT

Accept incoming DNS queries on any interface for any IP. You are
authoritative for a DNS domain - no?

> /sbin/ipchains -A input -p ICMP -j ACCEPT

Accept all ICMP. In many ways a good idea.

> /sbin/ipchains -A input -i ! lo -l -j DENY

Chuck everything else.

No masquerade there.

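As an added example (not the pocket book's script and not the poster's), here is the same rule set with the piece Ian points out is missing: a forward chain that masquerades traffic from the private subnet, plus the kernel forwarding switch. It assumes the 192.168.1.0/24 subnet from the posted script and uses a constructed external address (203.0.113.5) for the stand-alone run. IPCHAINS defaults to echo so the script can be dry-run on any machine; set IPCHAINS=/sbin/ipchains as root on a kernel with ipchains support to apply the rules.

```shell
#!/bin/sh
# Added example, not the published rc.firewall: the posted input rules plus the
# forward-chain masquerade rule the original lacks. IPCHAINS defaults to "echo"
# (dry run); export IPCHAINS=/sbin/ipchains to apply for real.
IPCHAINS="${IPCHAINS:-echo}"
LAN=192.168.1.0/24        # assumed private subnet, as in the posted script

# build_rules EXTERNAL_IP: emit (dry run) or apply the full rule set
build_rules() {
    IP="$1"
    [ -n "$IP" ] || { echo "usage: build_rules EXTERNAL_IP" >&2; return 1; }

    # --- input chain: as in the posted script ---
    $IPCHAINS -F input
    $IPCHAINS -A input -s "$LAN" -j ACCEPT
    $IPCHAINS -A input -p TCP ! -y -d "$IP" 1024:65535 -j ACCEPT
    $IPCHAINS -A input -p TCP -y -s 0.0.0.0/0 20 -d "$IP" 1024:65535 -j ACCEPT
    $IPCHAINS -A input -p UDP -s 0.0.0.0/0 53 -d "$IP" 1024:65535 -j ACCEPT
    $IPCHAINS -A input -p ICMP -j ACCEPT
    $IPCHAINS -A input -i ! lo -l -j DENY

    # --- forward chain: the part that was missing ---
    # Forward nothing by default, then masquerade only packets from the LAN.
    $IPCHAINS -F forward
    $IPCHAINS -P forward DENY
    $IPCHAINS -A forward -s "$LAN" -j MASQ
}

# enable_forwarding: masquerading also needs routing switched on in the kernel.
# In dry-run mode this prints the command instead of touching /proc.
enable_forwarding() {
    if [ "$IPCHAINS" = echo ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# has_masq RULES: returns 0 if the emitted rule text contains the MASQ rule
has_masq() {
    printf '%s\n' "$1" | grep -q -- "-A forward -s $LAN -j MASQ"
}

# stand-alone run: dry-run the rules for a constructed external address
build_rules 203.0.113.5
enable_forwarding
```

Running it with the default IPCHAINS prints every command that would be executed, which is a convenient way to review a rule set before loading it; the original script has no forward-chain rule at all, which is why flushing the chains (and so falling back to the kernel's accept-everything defaults) made masquerading work again.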