* Anders Johansson
Well, you're essentially right. Except that Ext and Int should be replaced by the corresponding subnets (i.e. int = <your internal subnet> and ext = ! <your internal subnet>) and the last rule is achieved by your policies
Yep
which should read
ipchains -P input DENY
and
ipchains -P output DENY
-I is for inserting rules into a chain. It can't be used in policy statements
Also, things here are case sensitive, so Deny should be DENY
Oops, that is a typo.
Also, in should be input, and out should be output
Thanks for reminding me (I just wanted to make sure the example's syntax is followed, for ease of understanding on my side).
The fourth rule also looks suspect. Why would you allow SYN packets to a high port if you only want SMTP? That should probably be ! -y
Now this is the part where I am lost, frankly speaking. On page 221 of the book it says to consider the ACK bit also as a criterion. So based on your explanation, where I only put -y it actually should be ! -y.

Rule  Direction  Source  Dest  Proto  Destport  ACK  Action
======================================================================
A     in         Ext     Int   tcp    25        any  Permit
B     out        Int     Ext   tcp    >1023     yes  Permit
C     out        Int     Ext   tcp    25        any  Permit
D     in         Ext     Int   tcp    >1023     yes  Permit
E     either     any     any   any    any       any  Deny

Thanks for the input.
Now, based on the explanations, I came up with these ipchains rules, but I am not sure whether they are correct or not:
IPC=/sbin/ipchains
INT=<your internal subnet>        # Ext is everything else, written as ! $INT below

# Rule E as the chain policies (ipchains -P takes a chain and a target, no -l)
$IPC -P input DENY
$IPC -P output DENY

# A: in   Ext -> Int  tcp  dport 25     ACK any
$IPC -A input  -p tcp -s ! $INT --sport 1024: -d $INT --dport 25 -j ACCEPT
# B: out  Int -> Ext  tcp  dport >1023  ACK yes  (! -y: not a connection-opening SYN)
$IPC -A output -p tcp -s $INT --sport 25 -d ! $INT --dport 1024: ! -y -j ACCEPT
# C: out  Int -> Ext  tcp  dport 25     ACK any
$IPC -A output -p tcp -s $INT --sport 1024: -d ! $INT --dport 25 -j ACCEPT
# D: in   Ext -> Int  tcp  dport >1023  ACK yes  (! -y)
$IPC -A input  -p tcp -s ! $INT --sport 25 -d $INT --dport 1024: ! -y -j ACCEPT

# E: already covered by the DENY policies; kept as explicit rules only to log (-l) what is dropped
$IPC -A input  -s 0/0 -d 0/0 -l -j DENY
$IPC -A output -s 0/0 -d 0/0 -l -j DENY
Am I on the right track, or completely off?
TIA
-- Togan Muftuoglu
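The following is an added example, not code from the thread, that models how ipchains evaluates the rule table A-E against the TCP flags, to show why rules B and D need `! -y` rather than `-y`. It assumes ipchains' definition of `-y` (SYN set, ACK and FIN both clear), first-match evaluation with a DENY policy standing in for rule E, and a packet's "Int"/"Ext" side standing in for the subnet match; only the destination port is checked, as in the table, and all packets are constructed.

```python
"""Model of the SMTP rule table (A-E) under ipchains matching semantics.

Added illustration, not code from the thread. Assumptions: a packet's side
("Int"/"Ext") stands in for the subnet match, only the destination port is
checked (as in the table), the first matching rule wins, the chain policy
is DENY (rule E), and "-y" means SYN set with ACK and FIN both clear.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    chain: str          # "input" or "output"
    src: str            # "Int" or "Ext"
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    chain: str
    src: str
    dst: str
    dport_lo: int
    dport_hi: int
    syn_flag: Optional[bool]   # True = "-y", False = "! -y", None = no SYN test
    target: str


def is_syn_only(p: Packet) -> bool:
    """ipchains -y: SYN set, ACK and FIN clear (a connection-opening packet)."""
    return p.syn and not p.ack and not p.fin


def matches(r: Rule, p: Packet) -> bool:
    if (r.chain, r.src, r.dst) != (p.chain, p.src, p.dst):
        return False
    if not r.dport_lo <= p.dport <= r.dport_hi:
        return False
    if r.syn_flag is None:
        return True
    return is_syn_only(p) == r.syn_flag


def verdict(rules: List[Rule], p: Packet, policy: str = "DENY") -> str:
    """First matching rule decides; otherwise the chain policy (rule E) applies."""
    for r in rules:
        if matches(r, p):
            return r.target
    return policy


def smtp_rules(reply_flag: Optional[bool]) -> List[Rule]:
    """Rules A-D; reply_flag is the SYN test placed on the reply rules B and D."""
    return [
        Rule("A", "input",  "Ext", "Int", 25, 25,      None,       "ACCEPT"),
        Rule("B", "output", "Int", "Ext", 1024, 65535, reply_flag, "ACCEPT"),
        Rule("C", "output", "Int", "Ext", 25, 25,      None,       "ACCEPT"),
        Rule("D", "input",  "Ext", "Int", 1024, 65535, reply_flag, "ACCEPT"),
    ]


# Constructed packets: an external client delivering mail to the internal server.
CLIENT_SYN    = Packet("input",  "Ext", "Int", 40000, 25,    syn=True)
SERVER_SYNACK = Packet("output", "Int", "Ext", 25,    40000, syn=True, ack=True)
CLIENT_ACK    = Packet("input",  "Ext", "Int", 40000, 25,    ack=True)
SERVER_DATA   = Packet("output", "Int", "Ext", 25,    40000, ack=True)
# Constructed: an outsider trying to open a connection to an internal high port.
PROBE_HIGH    = Packet("input",  "Ext", "Int", 40001, 1025,  syn=True)

WRONG = smtp_rules(True)    # B and D written with "-y"
RIGHT = smtp_rules(False)   # B and D written with "! -y" (ACK = yes in the table)


def handshake_verdicts(rules: List[Rule]) -> List[str]:
    """Verdicts for SYN in, SYN-ACK out, ACK in, data out of one inbound SMTP session."""
    return [verdict(rules, p) for p in (CLIENT_SYN, SERVER_SYNACK, CLIENT_ACK, SERVER_DATA)]


if __name__ == "__main__":
    for label, rules in (("-y", WRONG), ("! -y", RIGHT)):
        print(label, "handshake:", handshake_verdicts(rules),
              "probe to port 1025:", verdict(rules, PROBE_HIGH))
```

With `-y` on B and D the server's SYN-ACK and every later reply from port 25 are dropped (the session never completes), while an outsider's SYN to an internal port above 1023 is accepted; with `! -y` the whole handshake passes and that probe hits the DENY policy. The model leaves out the `--sport` checks and the `! $INT` negation from the rule set, which do not change these verdicts.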