[plug] firewalling

stephen shah shahmann at hotmail.com
Thu Jan 3 08:27:57 WST 2002


thanz 4 the reply raven,

I guess I should have included my rc.masq script as well
but the prob is that side works fine

It's only when I run the rc.firewall script that ipforwarding no longer works, 
can't ssh into the box etc
flush the ipchain ruleset and presto, ipforwarding working ok again

anyways, I think I might try iptables c if that solves my problem

ps r u a q3 player, I am sure I have seen your nic b4 , just cant remember 
where, maybe at a uwalan frag fest ;)




>From: raven <ian.kent at pobox.com>
>Reply-To: plug at plug.linux.org.au
>To: plug at plug.linux.org.au
>Subject: Re: [plug] firewalling
>Date: 02 Jan 2002 22:01:39 +0800
>
>On Wed, 2002-01-02 at 18:18, stephen shah wrote:
> > hello there,
> >
> > does anyone know why the example of ipchains firewalling published in the advanced linux pocket book does not appear to work.
> >
> > both services r available in ntsysv ie ipchains and iptables
> > I have disabled iptables. I haven't tried iptables yet but is this problem
> > I should b using iptables ?
> >
> > I upgraded my linux to kernel ver 7.1, 2-4-2-2 ( yes I know this is an old kernel now :) )
> > ipmasq'ring works ok after I flush the ipchain ruleset
> > but when I run the rc.firewall script it doesn't allow ipmasq'ring
> >
> > anyone know why or have had this problem ?
> >
> > thanx
> >
> > this is the published firewall script (modified ip #'s only)
> > #!/bin/sh
> > IP=$1
>
>So you have a fixed IP on your internet port - yes?
>
> > /sbin/ipchains -F input
> > /sbin/ipchains -A input -s 192.168.1.0/24 -j ACCEPT
>
>Accept anything that comes from this (private IP) subnet on any
>interface (including external IP).
>I like that.
>
> > /sbin/ipchains -A input -p TCP ! -y -d $IP 1024:65535 -j ACCEPT
>
>Accept reply packets from outgoing connections (aka do not allow
>incoming connection establishment).
>
> > /sbin/ipchains -A input -p TCP -y -s 0.0.0.0/0 20 -d $IP 1024:65535 -j ACCEPT
>
>Accept incoming ftp-data connection establishment packets.
>
> > /sbin/ipchains -A input -p UDP -s 0.0.0.0/0 53 -d $IP 1024:65535 -j ACCEPT
>
>Accept incoming DNS queries on any interface for any IP. You are
>authoritative for a DNS domain - no?
>
> > /sbin/ipchains -A input -p ICMP -j ACCEPT
>
>Accept all ICMP. In many ways a good idea.
>
> > /sbin/ipchains -A input -i ! lo -l -j DENY
>
>Chuck everything else.
>
>No masquerade there.
>
> >
> >
> >
>
>
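As an added example that is not part of the thread: a small Python model of first-match evaluation for the input chain quoted above, so one can check which rule a given packet would hit. It assumes a placeholder external address standing in for $IP and simplifies interfaces to "lo or not lo"; ipchains details such as the masquerade port range and the -l logging flag are not modelled.

```python
# Added example (not from the thread): a minimal first-match model of the
# ipchains "input" chain quoted above, evaluated against constructed packets.
from ipaddress import ip_address, ip_network

EXT_IP = "203.0.113.5"  # placeholder standing in for $IP (documentation range)
LAN = ip_network("192.168.1.0/24")


def in_range(port, lo, hi):
    return port is not None and lo <= port <= hi


# (predicate, target) pairs in the order the quoted script appends them.
RULES = [
    # -s 192.168.1.0/24 -j ACCEPT
    (lambda p: ip_address(p["src"]) in LAN, "ACCEPT"),
    # -p TCP ! -y -d $IP 1024:65535 -j ACCEPT  (replies to outgoing connections)
    (lambda p: p["proto"] == "TCP" and not p["syn"] and p["dst"] == EXT_IP
               and in_range(p["dport"], 1024, 65535), "ACCEPT"),
    # -p TCP -y -s 0.0.0.0/0 20 -d $IP 1024:65535 -j ACCEPT  (ftp-data)
    (lambda p: p["proto"] == "TCP" and p["syn"] and p["sport"] == 20
               and p["dst"] == EXT_IP and in_range(p["dport"], 1024, 65535), "ACCEPT"),
    # -p UDP -s 0.0.0.0/0 53 -d $IP 1024:65535 -j ACCEPT  (DNS answers)
    (lambda p: p["proto"] == "UDP" and p["sport"] == 53 and p["dst"] == EXT_IP
               and in_range(p["dport"], 1024, 65535), "ACCEPT"),
    # -p ICMP -j ACCEPT
    (lambda p: p["proto"] == "ICMP", "ACCEPT"),
    # -i ! lo -l -j DENY  (everything else not on loopback; logging not modelled)
    (lambda p: p["iface"] != "lo", "DENY"),
]


def packet(src, dst, proto, sport=None, dport=None, syn=False, iface="eth0"):
    """Constructed packet summary; only the fields the rules above look at."""
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport,
                syn=syn, iface=iface)


def evaluate(p):
    """Target of the first matching rule, else the chain's policy.

    The quoted script sets no policy with -P, so ipchains' built-in default
    of ACCEPT applies; only loopback traffic gets that far here."""
    for pred, target in RULES:
        if pred(p):
            return target
    return "ACCEPT"
```

Running constructed packets through it shows, for instance, that a UDP reply from any source port other than 53 falls through to the final DENY.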




