IPchains
Wu, Hu-Hwa
HU@cceng.com
Thu, 22 Mar 2001 14:50:46 -0500
Attached at the end are my ipchains rules.
I first run www.bastille-linux.org on my machine to close off miscellaneous happenings.
Then I run my script, included below, from rc3.d at startup, just before network startup.
I have not gotten broken into as of yet!! ("knock wood")
I also use mark forwarding to allow certain ports to be forwarded inside, so as not to expose the other servers externally.
Everyone please feel free to poke holes in my rules; I welcome any criticism, good or bad.
Thanks!!
Hope this is helpful.
-Hu
> -----Original Message-----
> From: root [mailto:wainrig2@pilot.msu.edu]
> Sent: Thursday, March 22, 2001 2:41 PM
> To: linux-user@egr.msu.edu
> Subject: IPchains
>
>
> Hello, I have been having quite a bit of hacking problems, and I'm in
> the need of configuring IPchains to protect my system from incoming
> attacks, but it seems like no matter how I set it up, it is either too
> weak (i.e. only covering telnet, ftp, and www ports) or it is too strong,
> and won't let me access the internet. I was wondering if anybody would
> be able to tell me what ports I need to keep open for things such as
> DHCP, ICQ etc., without leaving everything out in the open. Thanks in
> advance for any help you can provide.
>
> John Wainright
>
> _______________________________________________
> linux-user mailing list
> linux-user@egr.msu.edu
> http://www.egr.msu.edu/mailman/listinfo/linux-user
>
-----------------> start of S09Firewall
#!/bin/sh
# S09Firewall: run from rc3.d before the network comes up.
# eth0 is the LAN side (10.1.1.0/24), eth1 faces the Internet (152.160.12.169).
EXT_IF=eth1
INT_IF=eth0
EXT_IP=152.160.12.169
LAN=10.1.1.0/24

/sbin/depmod -a
# masquerading helpers for protocols that carry addresses/ports in their payload
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc

# Set the policies before flushing and before enabling routing, so there is
# no window in which the forward chain is open. (The original set forward to
# ACCEPT here, turned on ip_forward, and only switched forward to DENY after
# the input rules had been loaded.)
ipchains -P input REJECT
ipchains -P output ACCEPT
ipchains -P forward DENY
ipchains -F input
ipchains -F output
ipchains -F forward

# --- input chain ----------------------------------------------------------
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $INT_IF -j ACCEPT      # the LAN side is fully trusted

# anti-spoofing: private address space must never arrive on the outside interface
ipchains -A input -i $EXT_IF -s 192.168.0.0/16 -j DENY
ipchains -A input -i $EXT_IF -s 172.16.0.0/12 -j DENY
ipchains -A input -i $EXT_IF -s 10.0.0.0/8 -j DENY

# ipchains is stateless: "established" traffic is approximated by accepting
# every TCP packet that is not a connection-opening SYN (! -y). This also
# admits unsolicited non-SYN packets (e.g. ACK scans); a known limitation.
ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT
# DNS replies and queries. Note that --sport 53 admits ANY UDP packet whose
# source port is 53, not only replies to our own lookups.
ipchains -A input -i $EXT_IF -p udp --sport 53 -j ACCEPT
ipchains -A input -i $EXT_IF -p udp --dport 53 -j ACCEPT

# TCP services reachable on the external address. www/ftp/pop3/smtp are then
# redirected to inside hosts by the mark rules below; domain and 27015 stay local.
for svc in www domain ftp pop3 smtp 27015; do
    ipchains -A input -i $EXT_IF -p tcp -d $EXT_IP $svc -j ACCEPT
done

# Mark the connection-opening SYNs for the forwarded services. -I puts these
# at the head of the chain; there is no -j, so the packet is only tagged and
# evaluation continues. The mark numbers must match the mfw entries below.
ipchains -I input -p tcp -y -d $EXT_IP 80  -m 1
ipchains -I input -p tcp -y -d $EXT_IP 21  -m 2
ipchains -I input -p tcp -y -d $EXT_IP 110 -m 3
ipchains -I input -p tcp -y -d $EXT_IP 25  -m 4

# everything else from outside is dropped and logged
ipchains -A input -j DENY -l

# --- forward chain: masquerade the LAN, redirect marked packets inside -------
ipchains -A forward -s $LAN -d 0.0.0.0/0 -j MASQ
ipmasqadm mfw -F                          # clear stale entries from a previous run
ipmasqadm mfw -A -m 1 -r 10.1.1.23 80     # www  -> 10.1.1.23
ipmasqadm mfw -A -m 2 -r 10.1.1.23 21     # ftp  -> 10.1.1.23
ipmasqadm mfw -A -m 3 -r 10.1.1.14 110    # pop3 -> 10.1.1.14
ipmasqadm mfw -A -m 4 -r 10.1.1.14 25     # smtp -> 10.1.1.14

# Enable routing only now that the rules are in place. ip_always_defrag is
# needed so masquerading sees whole packets rather than fragments.
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/ip_forward
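The mark-forwarding part of Hu's script depends on three entries agreeing for each redirected service: the input ACCEPT for the port, the mark rule on the SYN, and the `ipmasqadm mfw` entry carrying the same mark number. The following is an added example, not code from the original post: it generates those three entries from a small "mark host port" table and flags the one mistake the scheme does not catch by itself, a mark reused with different target ports (mfw rewrites the destination to the redirect's port, so port-21 SYNs marked 1 would be sent to port 80). The interface name and external address are placeholders taken from the post and can be overridden in the environment.

```sh
#!/bin/sh
# Added example (not from the original post). Emits, but does not execute,
# the coordinated ipchains/ipmasqadm entries for mark-forwarded TCP services.
# EXT_IF and EXT_IP are assumed placeholder values; override via environment.

EXT_IF="${EXT_IF:-eth1}"
EXT_IP="${EXT_IP:-152.160.12.169}"

# mfw_rules MARK INTERNAL_HOST PORT
# Print the three entries one forwarded service needs, in load order.
mfw_rules() {
    mark=$1 rhost=$2 port=$3
    # 1. the input chain must accept the packet on the outside interface at all
    printf 'ipchains -A input -i %s -p tcp -d %s %s -j ACCEPT\n' \
        "$EXT_IF" "$EXT_IP" "$port"
    # 2. tag only the connection-opening SYN (-y); no -j, so evaluation continues
    printf 'ipchains -I input -p tcp -y -d %s %s -m %s\n' \
        "$EXT_IP" "$port" "$mark"
    # 3. the masquerading code redirects packets carrying that mark
    printf 'ipmasqadm mfw -A -m %s -r %s %s\n' "$mark" "$rhost" "$port"
}

# mfw_table_rules < TABLE
# TABLE lines are "MARK HOST PORT"; blank lines and lines starting with '#'
# are ignored. Output can be reviewed, then piped to sh on the firewall.
mfw_table_rules() {
    while read -r mark rhost port _; do
        case $mark in ''|'#'*) continue ;; esac
        mfw_rules "$mark" "$rhost" "$port"
    done
}

# mfw_mark_conflicts < TABLE
# Report every mark that maps to more than one distinct port. Several hosts
# on the same mark and port is legitimate (mfw balances between them); the
# same mark with different ports is a misconfiguration. Exit 1 on conflict.
mfw_mark_conflicts() {
    awk '
        $1 == "" || $1 ~ /^#/ { next }
        {
            key = $1 SUBSEP $3
            if (!(key in seen)) { seen[key] = 1; ports[$1]++ }
        }
        END {
            bad = 0
            for (m in ports)
                if (ports[m] > 1) {
                    print "mark " m " used with " ports[m] " different ports"
                    bad = 1
                }
            exit bad
        }
    '
}

# Constructed sample table mirroring the post's four forwarded services.
SAMPLE_TABLE='# mark host       port
1 10.1.1.23 80
2 10.1.1.23 21
3 10.1.1.14 110
4 10.1.1.14 25'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_TABLE" | mfw_mark_conflicts && \
        printf '%s\n' "$SAMPLE_TABLE" | mfw_table_rules
fi
```

Run with `--demo` to print the rule set for the sample table; feed your own table on stdin to `mfw_mark_conflicts` before applying anything, since a conflict only shows up in production as connections landing on the wrong service.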