
Re: [cobalt-users] adding ipchains rules script to startup: how to?




Would love to see it as that is what I am currently working on :)

Bill,

It works. I've seen a lot more complex solutions, but from what I can see, this one does about all that needs to be done. The fellow who wrote it makes his living at network security.

It really only leaves open what you need, allows connects on port 53 to only specific IP addresses and denies all else. I've watched it work and it don't let nuttin in that you don't want in.

Wrap it up in a file, chmod 700 and have at it.

Wayne

# TCP
# serve ftp for passive clients _ONLY_
ipchains -A input -i eth0 -p tcp --destination-port 21  --syn -j ACCEPT -l
# serve ssh - 22
ipchains -A input -i eth0 -p tcp --destination-port 22  --syn -j ACCEPT -l
# serve smtp - 25
ipchains -A input -i eth0 -p tcp --destination-port 25  --syn -j ACCEPT
# serve http - 80
ipchains -A input -i eth0 -p tcp --destination-port 80  --syn -j ACCEPT
# serve https admin - 81
ipchains -A input -i eth0 -p tcp --destination-port 81  --syn -j ACCEPT -l
# serve pop3 - 110
ipchains -A input -i eth0 -p tcp --destination-port 110 --syn -j ACCEPT
# disallow SYN on all else
ipchains -A input -i eth0 -p tcp --syn -j DENY -l
# allow existing TCP sessions to continue
ipchains -A input -i eth0 -p tcp -j ACCEPT

# UDP
# DNS response
ipchains -A input -i eth0 -p udp --source put.nameserver.address.here 53 -j ACCEPT
ipchains -A input -i eth0 -p udp --source put.nameserver.address2.here 53 -j ACCEPT

# ICMP allowed
ipchains -A input -i eth0 -p icmp -j ACCEPT

# disallow all else
ipchains -A input -i eth0 -j DENY -l
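The part the subject line asks about is running the ruleset at boot, and a script that only uses -A appends a second copy of every rule each time it is re-run. The wrapper below is an added example, not Wayne's script or anything shipped with the Cobalt software; it assumes a Red Hat style init script, interface eth0 and placeholder nameserver addresses, flushes and sets a DENY policy before loading the same rules, and can be dry-run with IPCHAINS=echo.

```shell
#!/bin/sh
# Added example (not Wayne's script): an init-style wrapper around the ruleset
# above.  Assumptions: Red Hat style init, interface eth0, placeholder
# nameserver addresses.  Set IPCHAINS=echo to print the rules instead of loading them.
IPCHAINS="${IPCHAINS:-ipchains}"
IFACE="${IFACE:-eth0}"
NS1="${NS1:-put.nameserver.address.here}"   # placeholder, replace with real resolver
NS2="${NS2:-put.nameserver.address2.here}"  # placeholder, replace with real resolver
TCP_LOGGED="21 22 81"    # accepted and logged with -l (ftp, ssh, https admin)
TCP_SILENT="25 80 110"   # accepted without logging (smtp, http, pop3)

fw_start() {
    # Flush first: a script that only uses -A would append a second copy of
    # every rule each time it is re-run, so this makes the script idempotent.
    "$IPCHAINS" -F input
    # Default policy DENY so the chain fails closed while rules are loading.
    "$IPCHAINS" -P input DENY
    for p in $TCP_LOGGED; do
        "$IPCHAINS" -A input -i "$IFACE" -p tcp --destination-port "$p" --syn -j ACCEPT -l
    done
    for p in $TCP_SILENT; do
        "$IPCHAINS" -A input -i "$IFACE" -p tcp --destination-port "$p" --syn -j ACCEPT
    done
    # Any other new TCP connection is denied and logged; established ones continue.
    "$IPCHAINS" -A input -i "$IFACE" -p tcp --syn -j DENY -l
    "$IPCHAINS" -A input -i "$IFACE" -p tcp -j ACCEPT
    # UDP: only DNS replies from the two configured resolvers.
    for ns in "$NS1" "$NS2"; do
        "$IPCHAINS" -A input -i "$IFACE" -p udp --source "$ns" 53 -j ACCEPT
    done
    "$IPCHAINS" -A input -i "$IFACE" -p icmp -j ACCEPT
    "$IPCHAINS" -A input -i "$IFACE" -j DENY -l
}

fw_stop() {
    # Open the interface back up (e.g. before debugging connectivity).
    "$IPCHAINS" -F input
    "$IPCHAINS" -P input ACCEPT
}

case "$1" in
    start) fw_start ;;
    stop)  fw_stop ;;
    restart) fw_stop; fw_start ;;
    *) echo "Usage: $0 {start|stop|restart}" >&2 ;;
esac
```

Save it as an init script (assumed /etc/rc.d/init.d/firewall on a Red Hat style system), chmod 700, and symlink it into the runlevel directory so start runs at boot; check the result with ipchains -L input -n.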
