
Re: [cobalt-users] adding ipchains rules script to startup: how to?



----- Original Message -----
From: "Wayne Sagar" <shortfork@xxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Sunday, October 28, 2001 6:36 AM
Subject: Re: [cobalt-users] adding ipchains rules script to startup: how to?


> >
> >Would love to see it as that is what i am currently working on :)
>
> Bill,
>
> It works, I've seen a lot more complex solutions but from what I can see,
> this one does about all that needs to be done. The fellow who wrote it makes
> his living at network security.
>
> It really only leaves open what you need, allows connects on port 53 to only
> specific IP addresses and denies all else.. I've watched it work and it don't
> let nuttin in that you don't want in.
>
> Wrap it up in a file chmod 700 and have at it..
>
> Wayne
>
> # TCP
> # serve ftp for passive clients _ONLY_
> ipchains -A input -i eth0 -p tcp --destination-port 21  --syn -j ACCEPT -l
> # serve ssh - 22
> ipchains -A input -i eth0 -p tcp --destination-port 22  --syn -j ACCEPT -l
> # serve smtp - 25
> ipchains -A input -i eth0 -p tcp --destination-port 25  --syn -j ACCEPT
> # serve http - 80
> ipchains -A input -i eth0 -p tcp --destination-port 80  --syn -j ACCEPT
> # serve https admin - 81
> ipchains -A input -i eth0 -p tcp --destination-port 81  --syn -j ACCEPT -l
> # serve pop3 - 110
> ipchains -A input -i eth0 -p tcp --destination-port 110 --syn -j ACCEPT
> # disallow SYN on all else
> ipchains -A input -i eth0 -p tcp --syn -j DENY -l
> # allow existing TCP sessions to continue
> ipchains -A input -i eth0 -p tcp -j ACCEPT
>
> # UDP
> # DNS response
> ipchains -A input -i eth0 -p udp --source put.nameserver.address.here 53 -j ACCEPT
> ipchains -A input -i eth0 -p udp --source put.nameserver.address2.here 53 -j ACCEPT
>
> # ICMP allowed
> ipchains -A input -i eth0 -p icmp -j ACCEPT
>
> # disallow all else
> ipchains -A input -i eth0 -j DENY -l
>

Thanks :)

Can't wait to try it ..

Bill
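One way to "wrap it up in a file" so the quoted rule set can be loaded at boot and safely re-run, as an added example that is not part of the original thread. It assumes Linux 2.2 ipchains on eth0, a Red Hat-style /etc/rc.d layout, and the 192.0.2.x nameserver addresses are placeholders to replace; setting IPCHAINS=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Startup wrapper for the quoted ipchains rule set (constructed example).
# Assumes Linux 2.2 ipchains, the Internet-facing interface is eth0, and that
# the nameserver addresses below get replaced (192.0.2.x are placeholders).
IFACE="${IFACE:-eth0}"
NS1="${NS1:-192.0.2.53}"
NS2="${NS2:-192.0.2.54}"
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"   # IPCHAINS=echo prints rules instead of loading

# accept_syn PORT [-l]: allow new TCP connections to PORT, optionally logging them.
accept_syn() {
    "$IPCHAINS" -A input -i "$IFACE" -p tcp --destination-port "$1" --syn -j ACCEPT ${2:-}
}

rules() {
    # Default-deny first, then empty the chain: re-running the script never
    # stacks duplicate rules, and there is no moment with an open, empty chain.
    "$IPCHAINS" -P input DENY
    "$IPCHAINS" -F input
    # TCP: new connections only to the services this host actually offers.
    accept_syn 21 -l      # ftp control channel
    accept_syn 22 -l      # ssh
    accept_syn 25         # smtp
    accept_syn 80         # http
    accept_syn 81 -l      # https admin
    accept_syn 110        # pop3
    "$IPCHAINS" -A input -i "$IFACE" -p tcp --syn -j DENY -l   # log every other SYN
    "$IPCHAINS" -A input -i "$IFACE" -p tcp -j ACCEPT          # existing sessions continue
    # UDP: only DNS answers (source port 53) from our own resolvers.
    for ns in "$NS1" "$NS2"; do
        "$IPCHAINS" -A input -i "$IFACE" -p udp --source "$ns" 53 -j ACCEPT
    done
    "$IPCHAINS" -A input -i "$IFACE" -p icmp -j ACCEPT
    "$IPCHAINS" -A input -i "$IFACE" -j DENY -l                # catch-all, logged
}

# Install (assumed Red Hat-style layout): copy to /etc/rc.d/rc.firewall,
# chmod 700, and add "/etc/rc.d/rc.firewall start" to /etc/rc.d/rc.local.
case "${1:-}" in
    start) rules ;;
    stop)  "$IPCHAINS" -F input; "$IPCHAINS" -P input ACCEPT ;;
esac
```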