Looking for someone to take a look at my ipchains script. I don't want to post it on the list as it is kind of long. A little background is in order.

I want to set up an ipchains firewall to do the following:

Deny everything that is not explicitly allowed.

I have a server sitting behind it that will host pop3, smtp, www, and ftp so I will need to forward all these ports.

I want to allow everyone on the local network to ANYTHING out on the internet.

I want to log any denials and protect against IP spoofing (and anything else that might be dangerous).

If anyone is willing to help, I will send them my annotated script to take a look at. I do realize that some things are missing (probably the stuff I need help on).

I have read all the HOW-TOs that I can find but something isn't clicking.

Thanks for any HELP!

CK

--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
I'm no guru, but I would be willing to help you with some of that.

Victor

On Tue, 14 Mar 2000, KULISHdotCOM wrote:

> Looking for someone to take a look at my ipchains script. I don't want to post it on the list as it is kind of long. A little background is in order.
>
> I want to set up an ipchains firewall to do the following:
>
> Deny everything that is not explicitly allowed.
>
> I have a server sitting behind it that will host pop3, smtp, www, and ftp so I will need to forward all these ports.
>
> I want to allow everyone on the local network to ANYTHING out on the internet.
>
> I want to log any denials and protect against IP spoofing (and anything else that might be dangerous).
>
> If anyone is willing to help, I will send them my annotated script to take a look at. I do realize that some things are missing (probably the stuff I need help on).
>
> I have read all the HOW-TOs that I can find but something isn't clicking.
>
> Thanks for any HELP! CK
When you say "behind", are you talking about a separate firewall box or are these services running on the same box as the firewall?

If on the same box I have a set of rules that seem to work well for me. I run a server that does NAT (ip masq) as well as running a web server (among other things).

Basically I created two new chains "internal" and "external", then added rules in the input chain to shunt incoming packets down one or the other based on which interface they come in on. Inside those custom chains I did the actual allow/deny/reject/log rules. The "internal" chain's last rule is a "-j RETURN" while the "external" chain's last rule is a "-j DENY". These act like a policy (-P) of ACCEPT or DENY, respectively, would on one of the built-in chains, and I poke holes in that behavior by adding rules earlier in the chains to DENY or RETURN. (Hope that makes sense.)

I tried to do the same thing using just the "input" chain but I found that too confusing and overly complicated. Pre-separating the classes of packets made things a lot easier to deal with.

-John

KULISHdotCOM said:

> Looking for someone to take a look at my ipchains script. I don't want to post it on the list as it is kind of long. A little background is in order.
>
> I want to set up an ipchains firewall to do the following:
>
> Deny everything that is not explicitly allowed.
>
> I have a server sitting behind it that will host pop3, smtp, www, and ftp so I will need to forward all these ports.
>
> I want to allow everyone on the local network to ANYTHING out on the internet.
>
> I want to log any denials and protect against IP spoofing (and anything else that might be dangerous).
>
> If anyone is willing to help, I will send them my annotated script to take a look at. I do realize that some things are missing (probably the stuff I need help on).
>
> I have read all the HOW-TOs that I can find but something isn't clicking.
>
> Thanks for any HELP! CK
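The two-chain layout described in the reply above, sketched as an added example; it is not John's rule set or any poster's script. Assumed and not from the thread: eth0 is the LAN interface, eth1 faces the Internet, the LAN is 192.168.1.0/24, the input policy is ACCEPT, and the only service on the box is a web server on port 80. It prints the commands as a dry run unless IPCHAINS is set to the real binary.

```shell
#!/bin/sh
# Added example: "internal"/"external" chains selected by arrival interface.
# Assumptions: interface names, LAN range, input policy and port 80 are
# illustrative values, not taken from the thread.
IPCHAINS="${IPCHAINS:-echo ipchains}"   # export IPCHAINS=ipchains to apply

build_firewall() {
    int_if="$1"; ext_if="$2"; lan="$3"

    # Start clean so the script can be re-run.
    $IPCHAINS -F
    $IPCHAINS -X

    # A RETURN from a user chain resumes the input chain after the jump
    # rule; falling off the end of input applies its policy. With policy
    # ACCEPT, "RETURN" therefore ends up meaning "allow".
    $IPCHAINS -P input ACCEPT
    $IPCHAINS -N internal
    $IPCHAINS -N external

    # Shunt packets into one chain or the other by arrival interface.
    $IPCHAINS -A input -i "$int_if" -j internal
    $IPCHAINS -A input -i "$ext_if" -j external

    # internal: default allow. Holes are DENY rules placed before RETURN.
    $IPCHAINS -A internal -s ! "$lan" -l -j DENY   # non-LAN source on LAN side
    $IPCHAINS -A internal -j RETURN

    # external: default deny. Holes are RETURN rules placed before DENY.
    $IPCHAINS -A external -s "$lan" -l -j DENY     # spoofed LAN source
    $IPCHAINS -A external -p tcp -d 0/0 80 -j RETURN
    $IPCHAINS -A external -p tcp ! -y -j RETURN    # non-SYN: replies to outbound TCP
    $IPCHAINS -A external -l -j DENY               # log and drop everything else
}

build_firewall eth0 eth1 192.168.1.0/24
```

Rule order inside each chain matters: the anti-spoofing DENY in "external" sits ahead of the RETURN holes so a forged LAN source address cannot reach port 80 through them.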
participants (3)
- jmgrant@primenet.com
- noc@kulish.com
- vcardona@home.com