linux firewall

Sean picasso@madflower.com
Wed, 28 Mar 2001 15:18:39 -0500 (EST)


If you're using the 2.2.16 kernel which came with RH7, you will need to
look at the ipchains-how-to
http://www.linux.org/docs/ldp/howto/IPCHAINS-HOWTO.html

Hu-Hwa Wu posted this earlier to our list.

I first run www.bastille-linux.org on my machine to close off miscellaneous
happenings.

Then I run my script included below in rc3.d startup just before network
startup.

I have not gotten broken into as of yet !! "knock wood"

I also use mark forwarding to allow certain ports to be forwarded inside so
as not to expose the other servers externally.

Everyone please feel free to poke holes in my rules, I welcome any criticism,
good or bad.
---Hu's Ipchains---
#!/bin/sh
# eth0: inside LAN (10.1.1.0/24); eth1: outside, public address 152.160.12.169

/sbin/depmod -a

# masquerading helpers for protocols that carry addresses/ports in-band
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc

echo "1" > /proc/sys/net/ipv4/ip_forward
# reassemble fragments before they are filtered (needed when masquerading)
echo "1" > /proc/sys/net/ipv4/ip_always_defrag

# start from empty chains
ipchains -F input
ipchains -F output
ipchains -F forward

ipchains -P input REJECT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT    # changed to DENY below, once the rules are loaded

# trust loopback and the inside interface completely
ipchains -A input -i lo   -j ACCEPT
ipchains -A input -i eth0 -j ACCEPT

# anti-spoofing: private source addresses never arrive legitimately on eth1
ipchains -A input -i eth1 -s  192.168.0.0/16 -j DENY
ipchains -A input -i eth1 -s  172.16.0.0/12  -j DENY
ipchains -A input -i eth1 -s  10.0.0.0/8     -j DENY

# ipchains is stateless: let in every TCP segment that is not a connection
# request (-y = SYN set, ACK and FIN clear), i.e. replies to connections
# opened from inside
ipchains -A input -i eth1 -p tcp ! -y -j ACCEPT

# DNS replies to our own queries, and queries to our name server
ipchains -A input -i eth1 -p udp --sport 53 -j ACCEPT
ipchains -A input -i eth1 -p udp --dport 53 -j ACCEPT

# services reachable from outside on the public address
ipchains -A input -i eth1 -p tcp -d 152.160.12.169 www -j ACCEPT
ipchains -A input -i eth1 -p tcp -d 152.160.12.169 domain -j ACCEPT
ipchains -A input -i eth1 -p tcp -d 152.160.12.169 ftp -j ACCEPT
ipchains -A input -i eth1 -p tcp -d 152.160.12.169 pop3 -j ACCEPT
ipchains -A input -i eth1 -p tcp -d 152.160.12.169 smtp -j ACCEPT
ipchains -A input -i eth1 -p tcp -d 152.160.12.169 27015 -j ACCEPT

# mark new connections to the forwarded services; no -j, so the rule only
# sets the mark and the packet continues down the chain (-I puts these at
# the head of the chain, ahead of the rules above)
ipchains -I input -p tcp -y -d 152.160.12.169 80  -m 1
ipchains -I input -p tcp -y -d 152.160.12.169 21  -m 2
ipchains -I input -p tcp -y -d 152.160.12.169 110 -m 3
ipchains -I input -p tcp -y -d 152.160.12.169 25  -m 4

# everything else is dropped and logged (so the REJECT policy is never reached)
ipchains -A input -j DENY -l

# only masquerade the inside LAN; nothing else is forwarded
ipchains -P forward DENY
ipchains -A forward -s 10.1.1.0/24 -d 0.0.0.0/0 -j MASQ

# mark forwarding: hand the marked connections to the internal servers
ipmasqadm mfw -A -m 1 -r 10.1.1.23 80
ipmasqadm mfw -A -m 2 -r 10.1.1.23 21
ipmasqadm mfw -A -m 3 -r 10.1.1.14 110
ipmasqadm mfw -A -m 4 -r 10.1.1.14 25


On Mon, 2 Apr 2001, Scott Overfield wrote:

> Good Afternoon,
> OK, I have both NICs installed and configured, one with a private IP
> address on the network side and one with a real IP address on the internet,
> now what additional steps do I need to complete to create a working NAT
> firewall with redhat 7?
> (connectivity is thru 256k frame relay)
> _______________________________________________
> linux-user mailing list
> linux-user@egr.msu.edu
> http://www.egr.msu.edu/mailman/listinfo/linux-user
>
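Since Hu asked for holes to be poked in the rules, here is an added example (editor's code, not part of this thread or of Hu's script) that walks the input chain above for a few constructed packets. It models only the ipchains matches the script uses (-i, -p, -s, -d host port, --sport/--dport, -y and ! -y, -m, -l): rules are tried in order, the first match that has a -j target decides, a matching mark-only rule sets the fwmark and lets the packet continue, and -y means SYN set with ACK and FIN clear. The outside source 198.51.100.7 and all packets are made up for the example. It shows the mark rules landing ahead of everything because of -I, the anti-spoof rules dropping 10/8 silently while the catch-all logs, and the price of a stateless filter: any TCP segment without SYN is accepted to every port on eth1, so bare-ACK probes reach the host's TCP stack (which answers closed ports with RST), which is how ACK scans map a ruleset like this one.

```python
"""Walk the input chain of Hu's ipchains script for constructed packets."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

EXT_IP = "152.160.12.169"  # Hu's public address on eth1


@dataclass
class Rule:
    target: Optional[str] = None  # ACCEPT / DENY / REJECT; None for mark-only
    iface: Optional[str] = None   # -i
    proto: Optional[str] = None   # -p
    src: Optional[str] = None     # -s, CIDR
    dst: Optional[str] = None     # -d host
    dport: Optional[int] = None   # -d port / --dport
    sport: Optional[int] = None   # --sport
    syn: Optional[bool] = None    # True = -y, False = ! -y, None = either
    mark: Optional[int] = None    # -m
    log: bool = False             # -l


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False  # SYN set with ACK and FIN clear (what -y tests)


Verdict = namedtuple("Verdict", "target mark logged")


def matches(r: Rule, p: Packet) -> bool:
    """True if p satisfies every match the rule specifies (None = any)."""
    return ((r.iface is None or r.iface == p.iface)
            and (r.proto is None or r.proto == p.proto)
            and (r.src is None or ip_address(p.src) in ip_network(r.src))
            and (r.dst is None or ip_address(p.dst) == ip_address(r.dst))
            and (r.dport is None or r.dport == p.dport)
            and (r.sport is None or r.sport == p.sport)
            and (r.syn is None or r.syn == p.syn))


# Hu's input chain in traversal order: the four -I rules sit at the head
# (each -I inserts at position 1, so the last one inserted comes first),
# then the -A rules in script order.
INPUT_POLICY = "REJECT"
INPUT_CHAIN = [
    Rule(proto="tcp", syn=True, dst=EXT_IP, dport=25, mark=4),
    Rule(proto="tcp", syn=True, dst=EXT_IP, dport=110, mark=3),
    Rule(proto="tcp", syn=True, dst=EXT_IP, dport=21, mark=2),
    Rule(proto="tcp", syn=True, dst=EXT_IP, dport=80, mark=1),
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", iface="eth0"),
    Rule("DENY", iface="eth1", src="192.168.0.0/16"),
    Rule("DENY", iface="eth1", src="172.16.0.0/12"),
    Rule("DENY", iface="eth1", src="10.0.0.0/8"),
    Rule("ACCEPT", iface="eth1", proto="tcp", syn=False),  # ! -y
    Rule("ACCEPT", iface="eth1", proto="udp", sport=53),
    Rule("ACCEPT", iface="eth1", proto="udp", dport=53),
] + [
    Rule("ACCEPT", iface="eth1", proto="tcp", dst=EXT_IP, dport=port)
    for port in (80, 53, 21, 110, 25, 27015)  # www domain ftp pop3 smtp 27015
] + [
    Rule("DENY", log=True),  # catch-all, so the REJECT policy is never reached
]

# ipmasqadm mfw table: fwmark -> internal server the connection is handed to
MFW = {1: ("10.1.1.23", 80), 2: ("10.1.1.23", 21),
       3: ("10.1.1.14", 110), 4: ("10.1.1.14", 25)}


def walk_input(p: Packet) -> Verdict:
    """First rule with a target that matches decides; marks accumulate."""
    mark = None
    for r in INPUT_CHAIN:
        if not matches(r, p):
            continue
        if r.mark is not None:
            mark = r.mark
        if r.target is not None:
            return Verdict(r.target, mark, r.log)
    return Verdict(INPUT_POLICY, mark, False)


def mfw_destination(v: Verdict) -> Optional[Tuple[str, int]]:
    """Internal host an accepted, marked connection is forwarded to."""
    return MFW[v.mark] if v.target == "ACCEPT" and v.mark in MFW else None


def from_outside(proto: str, dport: int, syn: bool, src="198.51.100.7") -> Packet:
    """Constructed packet arriving on eth1 for the public address."""
    return Packet("eth1", proto, src, EXT_IP, 40000, dport, syn)


if __name__ == "__main__":
    for p in (from_outside("tcp", 80, True), from_outside("tcp", 22, True),
              from_outside("tcp", 22, False), from_outside("tcp", 80, True, "10.0.0.5")):
        v = walk_input(p)
        print(p.src, p.proto, p.dport, "SYN" if p.syn else "no-SYN", "->", v, mfw_destination(v))
```

Run it as is to see the four verdicts; to try your own rule set, rebuild INPUT_CHAIN in the order the kernel would traverse it and feed it packets with walk_input().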