Hello All,

I just set up a Linux masq box and firewall using simple ipchains and masq functions of the kernel. I read the FAQ on the masq and ipchains, but I don't get how to get my Windows Half-Life client to go through the firewall so my brother can play his stupid CS game. Here I have attached my firewall setup and config file. If someone has this working it would be appreciated if he or she sent me the config for such a setup.

--Roman

----------------------------------
Roman Shakin
rshakin@unixfreak.org (email)
+1 (949) 653-2188 (phone)
+1 (949) 651-7563 (pager)
Half-Life and the other various Quake-based games use UDP and ports over 1024 (over 10000 mostly). To allow them through the firewall you'll need to do something like

    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        --destination-port $UNPRIVPORTS \
        --source-port $UNPRIVPORTS -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
        --destination-port $UNPRIVPORTS \
        --source-port $UNPRIVPORTS -j ACCEPT

I don't think these are exact, but they should be pretty close. Obviously this will have an effect on your security, but it shouldn't be too bad as long as you aren't running any services using UDP over port 1024 or greater.

Ewan

On Sun, 2002-08-04 at 00:22, Roman Shakin wrote:
----
#!/bin/sh
# Script generated Thu Aug 1 16:44:25 2002
# ----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999, 2000 Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development. This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis. He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# ----------------------------------------------------------------------------

# /etc/rc.d/rc.firewall
# Invoked from /etc/rc.d/rc.local.

echo "Starting firewalling... "

# ----------------------------------------------------------------------------
# Some definitions for easy maintenance.
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth0"            # Internet connected interface
LOOPBACK_INTERFACE="lo"              # or your local naming convention
LOCAL_INTERFACE_1="eth1"             # internal LAN interface

IPADDR="66.51.214.167"               # your IP address
LOCALNET_1="192.168.0.0/24"          # whatever private range you use

ANYWHERE="any/0"                     # match any IP address

NAMESERVER_1="66.51.205.100"         # everyone must have at least one
NAMESERVER_2="66.51.206.100"

SMTP_SERVER="66.51.205.17"           # Your ISP mail gateway. Your relay.
POP_SERVER="66.51.205.14"            # Your ISP pop mail server.
NEWS_SERVER="216.168.3.50"           # Your ISP news server

LOOPBACK="127.0.0.0/8"               # reserved loopback address range
CLASS_A="10.0.0.0/8"                 # class A private networks
CLASS_B="172.16.0.0/12"              # class B private networks
CLASS_C="192.168.0.0/16"             # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"      # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"   # class E reserved addresses
BROADCAST_SRC="0.0.0.0"              # broadcast source address
BROADCAST_DEST="255.255.255.255"     # broadcast destination address
PRIVPORTS="0:1023"                   # well known, privileged port range
UNPRIVPORTS="1024:65535"             # unprivileged port range

# ----------------------------------------------------------------------------

NFS_PORT="2049"                      # (TCP/UDP) NFS
SOCKS_PORT="1080"                    # (TCP) Socks

# X Windows port allocation begins at 6000 and increments to 6063
# for each additional server running.
XWINDOW_PORTS="6000:6063"            # (TCP) X windows

# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
# Clients can optionally be configured to use only unprivileged ports.
SSH_LOCAL_PORTS="1022:65535"         # port range for local clients
SSH_REMOTE_PORTS="513:65535"         # port range for remote clients

# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

# Remove all existing rules belonging to this filter
ipchains -F

# Set the default policy of the filter to deny.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY

# set masquerade timeout to 10 hours for tcp connections
ipchains -M -S 36000 0 0

# ----------------------------------------------------------------------------

# Enable IP Forwarding, if it isn't already
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done

for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done

# These modules are necessary to masquerade their respective services.
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio ports=554,7070,7071,6970,6971
/sbin/modprobe ip_masq_irc

# ----------------------------------------------------------------------------
# LOOPBACK

# Unlimited traffic on the loopback interface.

ipchains -A input  -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.

# All internal machines have access to the firewall machine.

ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT

# ----------------------------------------------------------------------------
# Masquerade internal traffic.

# All internal traffic is masqueraded externally.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ

# ----------------------------------------------------------------------------
# Network Ghouls

# Deny access to jerks
# --------------------
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
# rules to block from any access.

# Refuse any connection from problem sites
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
    . /etc/rc.d/rc.firewall.blocked
fi

# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

# Refuse incoming packets pretending to be from the external address.
ipchains -A input -s $IPADDR -j DENY -l

# Refuse incoming packets claiming to be from a Class A, B or C private network
ipchains -A input -s $CLASS_A -j DENY
ipchains -A input -s $CLASS_B -j DENY
ipchains -A input -s $CLASS_C -j DENY

# Refuse broadcast address SOURCE packets
ipchains -A input -s $BROADCAST_DEST -j DENY -l
ipchains -A input -d $BROADCAST_SRC -j DENY -l

# Refuse Class D multicast addresses
# Multicast is illegal as a source address.
# Multicast uses UDP.
ipchains -A input -s $CLASS_D_MULTICAST -j DENY

# Refuse Class E reserved IP addresses
ipchains -A input -s $CLASS_E_RESERVED_NET -j DENY -l

# Refuse special addresses defined as reserved by the IANA.
# Note: The remaining reserved addresses are not included.
# Filtering them causes problems as reserved blocks are
# being allocated more often now.

# Note: this list includes the loopback, multicast, & reserved addresses.

# 0.*.*.*      - Can't be blocked for DHCP users.
# 127.*.*.*    - LoopBack
# 169.254.*.*  - Link Local Networks
# 192.0.2.*    - TEST-NET
# 224-255.*.*.* - Classes D & E, plus unallocated.

ipchains -A input -s 0.0.0.0/8      -j DENY -l
ipchains -A input -s 127.0.0.0/8    -j DENY -l
ipchains -A input -s 169.254.0.0/16 -j DENY -l
ipchains -A input -s 192.0.2.0/24   -j DENY -l
ipchains -A input -s 224.0.0.0/3    -j DENY -l

# ----------------------------------------------------------------------------
# NOTE:
# The symbolic names used in /etc/services for the port numbers vary by
# supplier. Using them is less error prone and more meaningful, though.

# ----------------------------------------------------------------------------
# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

# NFS: establishing a TCP connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
    --destination-port $NFS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
    --destination-port $NFS_PORT -j REJECT

# Xwindows: establishing a connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
    --destination-port $XWINDOW_PORTS -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
    --destination-port $XWINDOW_PORTS -j REJECT

# SOCKS: establishing a connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
    --destination-port $SOCKS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
    --destination-port $SOCKS_PORT -j REJECT

# ----------------------------------------------------------------------------
# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    --destination-port $NFS_PORT -j DENY -l

# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    --source-port $TRACEROUTE_SRC_PORTS \
    --destination-port $TRACEROUTE_DEST_PORTS -j DENY -l

# DNS client (53)
# ---------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR $UNPRIVPORTS \
    -d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    -s $NAMESERVER_1 53 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $NAMESERVER_1 53 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR $UNPRIVPORTS \
    -d $NAMESERVER_2 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    -s $NAMESERVER_2 53 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $NAMESERVER_2 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $NAMESERVER_2 53 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# HTTP client (80)
# ----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    --source-port 80 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# HTTPS client (443)
# ------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    --destination-port 443 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    --source-port 443 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# NNTP NEWS client (119)
# ----------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $NEWS_SERVER 119 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $NEWS_SERVER 119 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# POP client (110)
# ----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $POP_SERVER 110 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $POP_SERVER 110 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# SMTP client (25)
# ----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $SMTP_SERVER 25 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $SMTP_SERVER 25 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# SSH server (22)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    --source-port $SSH_REMOTE_PORTS \
    -d $IPADDR 22 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $IPADDR 22 \
    --destination-port $SSH_REMOTE_PORTS -j ACCEPT

# SSH client (22)
# ---------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $SSH_LOCAL_PORTS \
    --destination-port 22 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    --source-port 22 \
    -d $IPADDR $SSH_LOCAL_PORTS -j ACCEPT

# ------------------------------------------------------------------

# TELNET client (23)
# ------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    --destination-port 23 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    --source-port 23 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# AUTH server (113)
# -----------------

# Accept incoming connections to identd but disable in.identd in inetd.conf.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    --source-port $UNPRIVPORTS \
    -d $IPADDR 113 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $IPADDR 113 \
    --destination-port $UNPRIVPORTS -j ACCEPT

# AUTH client (113)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    --destination-port 113 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    --source-port 113 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# WHOIS client (43)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    --destination-port 43 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    --source-port 43 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# FINGER client (79)
# ------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    --destination-port 79 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    --source-port 79 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# FTP server (21)
# ---------------

# incoming request
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    --source-port $UNPRIVPORTS \
    -d $IPADDR 21 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $IPADDR 21 \
    --destination-port $UNPRIVPORTS -j ACCEPT

# PORT MODE data channel responses
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR 20 \
    --destination-port $UNPRIVPORTS -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    --source-port $UNPRIVPORTS \
    -d $IPADDR 20 -j ACCEPT

# FTP client (21)
# ---------------

# outgoing request
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    --destination-port 21 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    --source-port 21 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# PORT mode data channel
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    --source-port 20 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $IPADDR $UNPRIVPORTS \
    --destination-port 20 -j ACCEPT

# ------------------------------------------------------------------

# IRC client (6667)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    --destination-port 6667 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    --source-port 6667 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# DCC: any unprivileged TCP port in either direction. Note that the input
# rule has no "! -y", so it also accepts new inbound connections to every
# TCP port from 1024 up on the firewall itself.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    --destination-port $UNPRIVPORTS -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    --source-port $UNPRIVPORTS \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# RealAudio / QuickTime client
# ----------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    --source-port 554 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    --destination-port 554 -j ACCEPT

# TCP is a more secure method: 7070:7071

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    --source-port 7070:7071 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    --destination-port 7070:7071 -j ACCEPT

# UDP is the preferred method: 6970:6999
# For LAN machines, UDP requires the RealAudio masquerading module and
# the ipmasqadm third-party software.

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    --source-port $UNPRIVPORTS \
    -d $IPADDR 6970:6999 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR 6970:6999 \
    --destination-port $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# ICQ client (4000)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    --destination-port 2000:4000 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    --source-port 2000:4000 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR $UNPRIVPORTS \
    --destination-port 4000 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    --source-port 4000 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ----------------------------------------------------------------------------
# UDP accept only on selected ports
# ---------------------------------

# ------------------------------------------------------------------

# NTP TIME clients (123)
# ----------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR $UNPRIVPORTS \
    -d time.mit.edu 123 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    -s time.mit.edu 123 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# OUTGOING TRACEROUTE
# -------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR $TRACEROUTE_SRC_PORTS \
    --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT -l

# ----------------------------------------------------------------------------
# ICMP

# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.

# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11

# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type echo-reply \
    -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type destination-unreachable \
    -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type source-quench \
    -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type time-exceeded \
    -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type parameter-problem \
    -d $IPADDR -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR fragmentation-needed -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR source-quench -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR echo-request -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR parameter-problem -j ACCEPT

# ----------------------------------------------------------------------------
# Enable logging for selected denied packets

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    --destination-port $PRIVPORTS -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    --destination-port $UNPRIVPORTS -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type 5 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type 13:255 -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -j REJECT -l
# ----------------------------------------------------------------------------
echo "done"
exit 0
----
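As an added example (not code from the thread, and not part of Ziegler's generated script), here are the reply's loose "any high UDP port" rules next to a tighter pair that only passes masqueraded game traffic. It assumes the variable names of Roman's rc.firewall, that the script's LAN-side rules on eth1 and its MASQ rule stay in place, and that the kernel uses the 2.2-era default masquerade source-port range 61000:65096.

```shell
#!/bin/sh
# Added example, not from the thread: UDP game-client rules for an ipchains
# masquerading gateway, in the style of Roman's rc.firewall. Assumptions:
# variable names as in that script; MASQ_PORTS is the 2.2 kernel's default
# masquerade port range (61000:65096, as documented in the IPCHAINS-HOWTO).
IPCHAINS="${IPCHAINS:-ipchains}"               # set to "echo" to only print the rules
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
IPADDR="${IPADDR:-66.51.214.167}"              # gateway's external address (from the script)
LOCALNET_1="${LOCALNET_1:-192.168.0.0/24}"
UNPRIVPORTS="1024:65535"
MASQ_PORTS="61000:65096"                       # source ports the kernel rewrites masqueraded flows to

# Loose version, as sketched in the reply: any high UDP port in, any high UDP port out.
# Every UDP service on the gateway itself that listens above 1023 becomes reachable.
game_rules_loose() {
    $IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p udp \
        --source-port "$UNPRIVPORTS" --destination-port "$UNPRIVPORTS" -j ACCEPT
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p udp \
        --source-port "$UNPRIVPORTS" --destination-port "$UNPRIVPORTS" -j ACCEPT
}

# Tighter version: only the masqueraded flows. A masqueraded packet leaves with
# the gateway's address and a source port in MASQ_PORTS, so replies can be
# restricted to that range and nothing the gateway listens on is exposed.
game_rules_tight() {
    # LAN -> internet: the forward chain masquerades the LAN (same rule as in the script)
    $IPCHAINS -A forward -i "$EXTERNAL_INTERFACE" -s "$LOCALNET_1" -j MASQ
    # Outbound after masquerading: gateway address, masq source port, any server port >= 1024
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p udp \
        -s "$IPADDR" "$MASQ_PORTS" --destination-port "$UNPRIVPORTS" -j ACCEPT
    # Replies: only to the masq range; the kernel then de-masquerades them to the LAN host
    $IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p udp \
        --source-port "$UNPRIVPORTS" -d "$IPADDR" "$MASQ_PORTS" -j ACCEPT
}

# Print the rules unless run as "sh game-rules.sh --load" (as root, with ipchains present).
[ "${1:-}" = "--load" ] || IPCHAINS=echo
game_rules_tight
```

The input rule still lets anyone send UDP to the masq port range, but the kernel drops packets there that match no live masquerade entry, which is what the loose rules do not guarantee.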
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com