[plug] firewalling

Ben Jensz jensz at wn.com.au
Thu Jan 3 17:26:45 WST 2002


Those "ipchains" and "iptables" scripts are used to run a script created
by some GUI interface for creating a firewall.

Personally I hate most GUI configuration type tools for Linux.

I'd turn them off and create your own script.  Since you're using a 2.4
kernel, you might as well use iptables, as it's far superior to ipchains
(IMHO anyway).


/ Ben

-----Original Message-----
From: stephen shah [mailto:shahmann at hotmail.com] 
Sent: Thursday, 3 January 2002 8:28 AM
To: plug at plug.linux.org.au
Subject: Re: [plug] firewalling


thanks for the reply raven,

I guess I should have included my rc.masq script as well
but the problem is that side works fine

It's only when I run the rc.firewall script that ip forwarding no longer
works, can't ssh into the box etc.
Flush the ipchains ruleset and presto, ip forwarding working ok again.

Anyway, I think I might try iptables and see if that solves my problem.

ps are you a q3 player? I am sure I have seen your nick before, just can't
remember where, maybe at a uwalan frag fest ;)




>From: raven <ian.kent at pobox.com>
>Reply-To: plug at plug.linux.org.au
>To: plug at plug.linux.org.au
>Subject: Re: [plug] firewalling
>Date: 02 Jan 2002 22:01:39 +0800
>
>On Wed, 2002-01-02 at 18:18, stephen shah wrote:
> > hello there,
> >
> > does anyone know why the example of ipchains firewalling published
> > in the advanced linux pocket book does not appear to work.
> >
> > both services are available in ntsysv, ie ipchains and iptables. I have
> > disabled iptables. I haven't tried iptables yet, but with this problem
> > should I be using iptables?
> >
> > I upgraded my linux to kernel ver 7.1, 2.4.2-2 (yes I know this is
> > an old kernel now :) )
> > ip masquerading works ok after I flush the ipchains ruleset
> > but when I run the rc.firewall script it doesn't allow
> > ip masquerading
> >
> > anyone know why or have had this problem ?
> >
> > thanx
> >
> > this is the published firewall script (modified ip #'s only)
> > #!/bin/sh
> > IP=$1
>
>So you have a fixed IP on your internet port - yes?
>
> > /sbin/ipchains -F input
> > /sbin/ipchains -A input -s 192.168.1.0/24 -j ACCEPT
>
>Accept anything that comes from this (private IP) subnet on any 
>interface (including external IP). I like that.
>
> > /sbin/ipchains -A input -p TCP ! -y -d $IP 1024:65535 -j ACCEPT
>
>Accept reply packets from outgoing connections (aka do not allow 
>incoming connection establishment).
>
> > /sbin/ipchains -A input -p TCP -y -s 0.0.0.0/0 20 -d $IP 1024:65535 -j ACCEPT
>
>Accept incoming ftp-data connection establishment packets.
>
> > /sbin/ipchains -A input -p UDP -s 0.0.0.0/0 53 -d $IP 1024:65535 -j ACCEPT
>
>Accept incoming DNS queries on any interface for any IP. You are 
>authoritative for a DNS domain - no?
>
> > /sbin/ipchains -A input -p ICMP -j ACCEPT
>
>Accept all ICMP. In many ways a good idea.
>
> > /sbin/ipchains -A input -i ! lo -l -j DENY
>
>Chuck everything else.
>
>No masquerade there.
>
> >


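A worked example added here, not code from any of the posters or from the pocket book: an iptables script that does what the posted ipchains rc.firewall did, and also carries the FORWARD and NAT rules that the thread notes are missing ("No masquerade there"). The interface names eth0/eth1, the address 203.0.113.5 in the usage lines, and the DRY_RUN switch are assumptions for illustration; 192.168.1.0/24 is the LAN range from the posted script. Run it as root with the external IP as its one argument; with DRY_RUN=1 it prints the commands instead of running them, which is handy for checking a rule set before it locks you out over ssh, the failure the thread describes.

```shell
#!/bin/sh
# Added example, not code from the thread: an iptables version of the
# posted ipchains rc.firewall, with the FORWARD and NAT rules the
# original left to rc.masq. Interface names are assumptions; override
# them with EXT_IF/LAN_IF in the environment.
#
#   sh rc.firewall.ipt 203.0.113.5             apply the rules (root)
#   DRY_RUN=1 sh rc.firewall.ipt 203.0.113.5   print them instead

EXT_IF="${EXT_IF:-eth0}"               # assumed internet-facing interface
LAN_IF="${LAN_IF:-eth1}"               # assumed LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # LAN subnet from the posted script

# Run an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Build the whole rule set for the external address given as $1.
build_rules() {
    ip="$1"
    # The posted script also took the address as $1 but never checked
    # it; with an empty $IP its "-d $IP 1024:65535" rules are not what
    # the author intended. Refuse to continue instead.
    if [ -z "$ip" ]; then
        echo "usage: build_rules <external-ip>" >&2
        return 1
    fi

    ipt -F INPUT
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING
    ipt -P INPUT DROP
    ipt -P FORWARD DROP

    # Loopback, then the LAN. ipchains accepted 192.168.1.0/24 on any
    # interface; tying it to LAN_IF stops spoofed private addresses
    # arriving on the external interface.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # Replies to connections the box itself opened. One stateful rule
    # replaces "-p TCP ! -y" and "-p UDP -s 0.0.0.0/0 53", and covers
    # active-mode ftp-data ("-y -s 0.0.0.0/0 20") once ip_conntrack_ftp
    # is loaded.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    ipt -A INPUT -p icmp -j ACCEPT

    # Log and drop the rest, as "-i ! lo -l -j DENY" did.
    ipt -A INPUT -i "$EXT_IF" -d "$ip" -j LOG --log-prefix "fw-input: "
    ipt -A INPUT -j DROP

    # Forwarding for masqueraded clients: LAN out, replies back in.
    # This is what the posted script had no rules for.
    ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -j LOG --log-prefix "fw-forward: "
    ipt -A FORWARD -j DROP

    # NAT: rewrite LAN sources to the fixed external address. On a
    # dialup/DHCP link use "-j MASQUERADE" here instead.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j SNAT --to-source "$ip"

    # Routing between the interfaces is off until this is set.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Apply only when given an address, so sourcing the file does nothing.
if [ -n "${1:-}" ]; then
    build_rules "$1"
fi
```

Two differences from the ipchains version are deliberate: the LAN accept rule is tied to the LAN interface rather than only to the source address, and one stateful ESTABLISHED,RELATED rule replaces the per-port reply rules. SNAT is used because the fixed-IP question in the thread suggests a static address; on a dialup or DHCP link, swap the SNAT line for "-j MASQUERADE". Load ip_conntrack_ftp (modprobe ip_conntrack_ftp) before running it if active-mode ftp-data connections are to be classed as RELATED.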