IPchains

Wu, Hu-Hwa HU@cceng.com
Thu, 22 Mar 2001 14:50:46 -0500


Attached at the end are my ipchains rules.

I first run www.bastille-linux.org on my machine to close off miscellaneous happenings.

Then I run my script, included below, from rc3.d at startup, just before network startup.

I have not gotten broken into as of yet!! "Knock wood."

I also use mark forwarding to allow certain ports to be forwarded inside so as not to expose the other servers externally.

Everyone please feel free to poke holes in my rules; I welcome any criticism, good or bad.

Thanks!!

Hope this is helpful.

-Hu



> -----Original Message-----
> From: root [mailto:wainrig2@pilot.msu.edu]
> Sent: Thursday, March 22, 2001 2:41 PM
> To: linux-user@egr.msu.edu
> Subject: IPchains
> 
> 
> Hello, I have been having quite a bit of hacking problems, and I'm in
> the need of configuring IPchains to protect my system from incoming
> attacks, but it seems like no matter how I set it up, it is either too
> weak (i.e. only covering telnet, ftp, and www ports) or it is too strong,
> and won't let me access the internet.  I was wondering if anybody would
> be able to tell me what ports I need to keep open for things such as
> DHCP, ICQ etc., without leaving everything out in the open.  Thanks in
> advance for any help you can provide.
> 
> John Wainright
> 
> _______________________________________________
> linux-user mailing list
> linux-user@egr.msu.edu
> http://www.egr.msu.edu/mailman/listinfo/linux-user
> 

-----------------> start of S09Firewall

#!/bin/sh
# S09Firewall: run from rc3.d before the network comes up.
# As used in these rules: eth1 is the external interface (152.160.12.169),
# eth0 is the internal LAN (10.1.1.0/24, masqueraded below).

/sbin/depmod -a

# Masquerading helper modules for protocols that carry addresses/ports in-band.
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc

# Route between interfaces, and reassemble fragments before filtering
# (required for masquerading on 2.2 kernels).
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_always_defrag

# Start from empty chains.
ipchains -F input
ipchains -F output
ipchains -F forward

# Default policies: nothing in unless explicitly allowed, nothing forwarded
# except what the MASQ rule below covers, anything out.
ipchains -P input REJECT
ipchains -P output ACCEPT
ipchains -P forward DENY

# Trust loopback and the internal LAN interface completely.
ipchains -A input -i lo   -j ACCEPT
ipchains -A input -i eth0 -j ACCEPT

# Anti-spoofing: private source addresses never legitimately arrive from outside.
ipchains -A input -i eth1 -s 192.168.0.0/16 -j DENY
ipchains -A input -i eth1 -s 172.16.0.0/12  -j DENY
ipchains -A input -i eth1 -s 10.0.0.0/8     -j DENY

# Stateless "established" rule: accept any TCP packet that is not a
# connection-opening SYN (-y = SYN set, ACK and FIN clear). Replies to
# outbound connections get in this way, but so does any bare ACK or RST
# to any port, so the filter can be mapped with an ACK scan.
ipchains -A input -i eth1 -p tcp ! -y -j ACCEPT

# DNS: replies from resolvers (source port 53) and queries to the local server.
# Note that the first rule admits any UDP packet whose source port is 53.
ipchains -A input -i eth1 -p udp --sport 53 -j ACCEPT
ipchains -A input -i eth1 -p udp --dport 53 -j ACCEPT

# Services reachable on the external address.
ipchains -A input -i eth1 -p tcp -d 152.160.12.169 www    -j ACCEPT
ipchains -A input -i eth1 -p tcp -d 152.160.12.169 domain -j ACCEPT
ipchains -A input -i eth1 -p tcp -d 152.160.12.169 ftp    -j ACCEPT
ipchains -A input -i eth1 -p tcp -d 152.160.12.169 pop3   -j ACCEPT
ipchains -A input -i eth1 -p tcp -d 152.160.12.169 smtp   -j ACCEPT
ipchains -A input -i eth1 -p tcp -d 152.160.12.169 27015  -j ACCEPT

# Mark-only rules (no -j target): -I puts them at the head of the chain.
# They tag the opening SYN of www/ftp/pop3/smtp connections with an fwmark
# and let the packet continue down the chain; ipmasqadm mfw below forwards
# marked connections to the internal servers.
ipchains -I input -p tcp -y -d 152.160.12.169 80  -m 1
ipchains -I input -p tcp -y -d 152.160.12.169 21  -m 2
ipchains -I input -p tcp -y -d 152.160.12.169 110 -m 3
ipchains -I input -p tcp -y -d 152.160.12.169 25  -m 4

# Everything else arriving from outside: drop silently and log it.
ipchains -A input -j DENY -l

# Masquerade the internal LAN behind the external address.
ipchains -A forward -s 10.1.1.0/24 -d 0.0.0.0/0 -j MASQ

# Mark forwarding: deliver marked connections to the internal hosts.
ipmasqadm mfw -A -m 1 -r 10.1.1.23 80
ipmasqadm mfw -A -m 2 -r 10.1.1.23 21
ipmasqadm mfw -A -m 3 -r 10.1.1.14 110
ipmasqadm mfw -A -m 4 -r 10.1.1.14 25
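The following is an added example, not part of Hu's post or his script: a small Python model of the input chain the S09Firewall script builds, run over constructed packets, so the effect of the rule ordering can be checked without a 2.2 kernel. It models the ipchains semantics the script relies on: first matching rule with a -j target decides, a rule with -m but no -j only sets the fwmark and lets the packet continue, -y means SYN set with ACK and FIN clear, and -I inserts at the head of the chain. The masquerade table and ipmasqadm mfw are deliberately not modelled; the outside address 203.0.113.5 and the test packets are constructed for the example.

```python
"""Model of the S09Firewall input chain (added example, not Hu's script).

Modelled ipchains behaviour: rules are tried in order; the first matching rule
with a target (-j) decides; a rule with no -j only sets the fwmark (-m) and the
packet keeps traversing; the chain policy applies if nothing matched.  '-y' is
TCP with SYN set and ACK/FIN clear.  The kernel masquerade table and ipmasqadm
mfw are NOT modelled.  Addresses/ports come from the posted script; the test
packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

EXT_IP = "152.160.12.169"                       # external address in the script
RFC1918 = ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False        # True == would match ipchains -y
    mark: int = 0
    logged: bool = False


@dataclass
class Rule:
    target: Optional[str]    # ACCEPT / DENY / REJECT, or None for a mark-only rule
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None        # CIDR, as in -s
    dst: Optional[str] = None        # CIDR or host, as in -d
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None       # True == -y, False == ! -y
    mark: int = 0                    # -m value
    log: bool = False                # -l

    def matches(self, p: Packet) -> bool:
        return all((
            self.iface is None or p.iface == self.iface,
            self.proto is None or p.proto == self.proto,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.sport is None or p.sport == self.sport,
            self.dport is None or p.dport == self.dport,
            self.syn is None or p.syn == self.syn,
        ))


def build_input_chain() -> List[Rule]:
    """The input chain as the script's -A/-I commands leave it, in traversal order."""
    chain: List[Rule] = [Rule("ACCEPT", iface="lo"), Rule("ACCEPT", iface="eth0")]
    for net in RFC1918:                                   # anti-spoofing
        chain.append(Rule("DENY", iface="eth1", src=net))
    chain.append(Rule("ACCEPT", iface="eth1", proto="tcp", syn=False))   # ! -y
    chain.append(Rule("ACCEPT", iface="eth1", proto="udp", sport=53))
    chain.append(Rule("ACCEPT", iface="eth1", proto="udp", dport=53))
    for port in (80, 53, 21, 110, 25, 27015):
        chain.append(Rule("ACCEPT", iface="eth1", proto="tcp", dst=EXT_IP, dport=port))
    # -I inserts at the head, so the mark-only rules run before everything above
    for port, mark in ((80, 1), (21, 2), (110, 3), (25, 4)):
        chain.insert(0, Rule(None, proto="tcp", syn=True, dst=EXT_IP, dport=port, mark=mark))
    chain.append(Rule("DENY", log=True))                  # -A input -j DENY -l
    return chain


INPUT_CHAIN = build_input_chain()


def traverse(p: Packet, chain: List[Rule] = INPUT_CHAIN, policy: str = "REJECT") -> str:
    """Walk the chain; returns the verdict and records mark/logging on p."""
    for rule in chain:
        if not rule.matches(p):
            continue
        if rule.target is None:          # mark-only rule: tag and keep traversing
            p.mark = rule.mark
            continue
        p.logged = rule.log
        return rule.target
    return policy


def verdict(**fields) -> Tuple[str, int, bool]:
    """(verdict, fwmark, logged) for a packet built from the given fields."""
    p = Packet(**fields)
    return traverse(p), p.mark, p.logged


if __name__ == "__main__":
    ext = dict(iface="eth1", src="203.0.113.5", dst=EXT_IP)    # constructed outside host
    cases = {
        "SYN to www (marked for mfw)":     dict(ext, proto="tcp", sport=40000, dport=80, syn=True),
        "SYN to telnet":                   dict(ext, proto="tcp", sport=40000, dport=23, syn=True),
        "bare ACK to telnet (ACK scan)":   dict(ext, proto="tcp", sport=40000, dport=23, syn=False),
        "UDP from sport 53 to 31337":      dict(ext, proto="udp", sport=53, dport=31337),
        "UDP from sport 1025 to 31337":    dict(ext, proto="udp", sport=1025, dport=31337),
        "spoofed 10/8 source, SYN to www": dict(ext, proto="tcp", src="10.9.9.9", dport=80, syn=True),
    }
    for name, fields in cases.items():
        print(f"{name:34s} -> {verdict(**fields)}")
```

Running it shows the points worth weighing against the script: the SYN to port 80 is accepted and carries fwmark 1 (which is what mfw keys on), a SYN to telnet is denied and logged, but a bare ACK to the same port is accepted by the `! -y` rule, and any UDP packet with source port 53 is accepted regardless of destination port, while the same packet from source port 1025 is denied. The spoofed 10/8 packet still picks up the mark before the anti-spoofing rule denies it, because the `-I` rules have no interface restriction.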