Looking for someone to take a look at my ipchains script. I don't want to post it on the list as it is kind of long. A little background is in order.
I want to set up an ipchains firewall to do the following:
Deny everything that is not explicitly allowed.
I have a server sitting behind it that will host pop3, smtp, www, and ftp so I will need to forward all these ports.
I want to allow everyone on the local network to ANYTHING out on the internet.
I want to log any denials and protect against IP spoofing (and anything else that might be dangerous).
If anyone is willing to help, I will send them my annotated script to take a look at. I do realize that some things are missing (probably the stuff I need help on).
I have read all the HOW-TOs that I can find but something isn't clicking.
Thanks for any HELP! CK
You can find this exact script at freshmeat.net .. do a search for ipchains-firewall. The ipchains-firewall also has a mailing list. You can probably find out info on it at nerdherd.net. The address is firewall@lists.nerdherd.net and I'm guessing you can subscribe via majordomo@lists.nerdherd.net .. the name of the list is "firewall".
At 07:39 PM 3/14/2000 -0600, KULISHdotCOM wrote:
> Looking for someone to take a look at my ipchains script. I don't want to post it on the list as it is kind of long. A little background is in order.
> I want to set up an ipchains firewall to do the following:
> Deny everything that is not explicitly allowed.
> I have a server sitting behind it that will host pop3, smtp, www, and ftp so I will need to forward all these ports.
> I want to allow everyone on the local network to ANYTHING out on the internet.
> I want to log any denials and protect against IP spoofing (and anything else that might be dangerous).
> If anyone is willing to help, I will send them my annotated script to take a look at. I do realize that some things are missing (probably the stuff I need help on).
> I have read all the HOW-TOs that I can find but something isn't clicking.
> Thanks for any HELP! CK
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Sorry, read too fast.. I don't think ipchains can do port forwarding at this time, but "redir" kinda works (I got it to work for www, but not smtp). redir is also available on freshmeat.net. The mailing list may be able to provide more info about port forwarding.
Chrissy
At 02:51 PM 3/15/2000 -0800, Chrissy LeMaire wrote:
> You can find this exact script at freshmeat.net .. do a search for ipchains-firewall. The ipchains-firewall also has a mailing list. You can probably find out info on it at nerdherd.net. The address is firewall@lists.nerdherd.net and I'm guessing you can subscribe via majordomo@lists.nerdherd.net .. the name of the list is "firewall".
> At 07:39 PM 3/14/2000 -0600, KULISHdotCOM wrote:
>> Looking for someone to take a look at my ipchains script. I don't want to post it on the list as it is kind of long. A little background is in order.
>> I want to set up an ipchains firewall to do the following:
>> Deny everything that is not explicitly allowed.
>> I have a server sitting behind it that will host pop3, smtp, www, and ftp so I will need to forward all these ports.
>> I want to allow everyone on the local network to ANYTHING out on the internet.
>> I want to log any denials and protect against IP spoofing (and anything else that might be dangerous).
>> If anyone is willing to help, I will send them my annotated script to take a look at. I do realize that some things are missing (probably the stuff I need help on).
>> I have read all the HOW-TOs that I can find but something isn't clicking.
>> Thanks for any HELP! CK
On Wed, 15 Mar 2000, Chrissy LeMaire wrote:
> Sorry, read too fast.. I don't think ipchains can do port forwarding at this time, but "redir" kinda works (I got it to work for www, but not smtp). redir is also available on freshmeat.net. The mailing list may be able to provide more info about port forwarding.
> Chrissy
I think you mean forwarding ports to other machines (as opposed to just redirecting them on a particular interface/machine). Plenty of programs do-- redir is one, squid has the ability to do some incredibly complex tasks, and other utilities can be used like an ssh port forward (or even netcat for that matter).
As for ipchains, I think it can do port forwarding itself-- this is from /sbin/ipchains --help:
  --destination -d [!] address[/mask] [!] [port[:port]]    destination specification
This seems to imply that it can be handled by ipchains.
dan
"Daniel L. Donahue" wrote:
> On Wed, 15 Mar 2000, Chrissy LeMaire wrote:
>> Sorry, read too fast.. I don't think ipchains can do port forwarding at this time, but "redir" kinda works (I got it to work for www, but not smtp). redir is also available on freshmeat.net. The mailing list may be able to provide more info about port forwarding.
> I think you mean forwarding ports to other machines (as opposed to just redirecting them on a particular interface/machine). Plenty of programs do-- redir is one, squid has the ability to do some incredibly complex tasks, and other utilities can be used like an ssh port forward (or even netcat for that matter).
Also rinetd for tcp and uredir for udp.
> As for ipchains, I think it can do port forwarding itself-- this is from /sbin/ipchains --help:
>   --destination -d [!] address[/mask] [!] [port[:port]]    destination specification
> This seems to imply that it can be handled by ipchains.
Not exactly, the [port[:port]] denotes a range of ports, e.g. 1:65535.
Regards,
Fred Mobach
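
The destination specification quoted in this thread, as an added example that is not part of any poster's message or of ipchains itself: a small Python model of how `[!] address[/mask] [!] [port[:port]]` selects packets, returning only match or no match and never rewriting the destination. `parse_dest` and `matches` are hypothetical names, the addresses are constructed documentation values, and only numeric ports are handled.

```python
import ipaddress

def parse_dest(spec):
    """Parse '[!] address[/mask] [!] [port[:port]]' into a match rule (model only)."""
    tokens = spec.split()
    rule = {"net_neg": False, "net": None, "port_neg": False, "ports": (0, 65535)}
    if tokens and tokens[0] == "!":          # leading '!' inverts the address match
        rule["net_neg"] = True
        tokens = tokens[1:]
    if not tokens:
        raise ValueError("address missing")
    # strict=False accepts host bits under the mask; the mask may be /24 or /255.255.255.0
    rule["net"] = ipaddress.ip_network(tokens[0], strict=False)
    tokens = tokens[1:]
    if tokens and tokens[0] == "!":          # second '!' inverts the port match
        rule["port_neg"] = True
        tokens = tokens[1:]
    if len(tokens) > 1:
        raise ValueError("unexpected trailing tokens")
    if tokens:
        lo, sep, hi = tokens[0].partition(":")
        low = int(lo) if lo else 0           # ':1023' means 0..1023
        high = int(hi) if hi else (65535 if sep else low)  # '1024:' means 1024..65535
        if not 0 <= low <= high <= 65535:
            raise ValueError("bad port range")
        rule["ports"] = (low, high)
    return rule

def matches(rule, dst_ip, dst_port):
    """True if a packet's destination is selected; the packet itself is untouched."""
    in_net = ipaddress.ip_address(dst_ip) in rule["net"]
    low, high = rule["ports"]
    in_ports = low <= dst_port <= high
    return (in_net != rule["net_neg"]) and (in_ports != rule["port_neg"])

if __name__ == "__main__":
    # Constructed sample: the public address and services are illustrative only.
    www = parse_dest("203.0.113.10 80")
    for name, port in (("ftp", 21), ("smtp", 25), ("www", 80), ("pop3", 110)):
        print(name, port, matches(www, "203.0.113.10", port))
    # The range from the thread: every port from 1 to 65535 on any address.
    print(matches(parse_dest("0.0.0.0/0 1:65535"), "198.51.100.7", 110))
```
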
participants (4)
- Chrissy LeMaire
- Daniel L. Donahue
- Fred Mobach
- KULISHdotCOM