
Re: [cobalt-users] Weird IPChains on a RAQ3



Please post your IPChain rules.

Regards,
-sm

Here is the script. IPs have been changed to protect the almost-innocent. Again, it seems to lock all my ports to the outside world except for my IPs that I added for my machines, which are marked with xxx.xxx.xxx.xxx.

Help!

:)

#!/bin/sh
#
# VERSION 1.01
#
# ********** UK2.NET RAQ3 FIREWALL SOFTWARE **********
#
# IPCHAINS SCRIPT FOR UK2.NET RAQ3 SERVERS
# WRITTEN 2001 BY CYBO (C) COPYRIGHT 2001
# STRICTLY FOR UK2.NET CUSTOMERS ONLY
# THIS COULD BE YOUR LIFELINE - USE AT OWN RISK
#
# Step 1: Login as root
# Step 2: Install ipchains
#         cd /usr/local
#         wget amail.co.uk/ipchains-1.3.10.tar.gz
#         tar zxvf ipchains-1.3.10.tar.gz
#         cd ipchains-1.3.10
#         make clean
#         make
#         make install
#
# Step 3: Start up another ssh or telnet session as backup
#         Start this script
#
#         DO NOT START AFTER REBOOT AUTOMATICALLY
#
#         Use firewall-on to start firewall
#         Use firewall-off to stop firewall
#

# OUTERIP and OUTERMASK are scraped from the ifconfig output of eth0, so
# OUTERNET is the address/netmask pair of that interface (e.g. 1.2.3.4/255.255.255.0);
# every "-d $OUTERNET" rule below therefore matches any host on that subnet.
IPC=/sbin/ipchains
OUTERIF=eth0
OUTERIP=`/sbin/ifconfig $OUTERIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
OUTERMASK=`/sbin/ifconfig $OUTERIF | grep Mas | cut -d : -f 4`
OUTERNET=$OUTERIP/$OUTERMASK

# Flush all three chains; forwarding is denied by default, input stays ACCEPT
# until the final REJECT rule at the end of this script
$IPC -F input
$IPC -F output
$IPC -F forward
$IPC -P forward DENY

# Loopback traffic is always allowed
$IPC -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPC -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
# Accept any inbound TCP packet that is not a connection request (SYN),
# i.e. replies to connections this server opened itself
$IPC -A input ! -y -p tcp -s 0/0 -d $OUTERNET -j ACCEPT

if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
 for f in /proc/sys/net/ipv4/conf/*/rp_filter
 do
  echo 1 > $f
 done
fi

if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
then
 echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

# My Machines allowed full access
#
# Home Machine
#
$IPC -A input -s xxx.xxx.xxx.xxx/32 -d 0/0 -j ACCEPT
#
# 2nd Server
#
$IPC -A input -s xxx.xxx.xxx.xxx/32 -d 0/0 -j ACCEPT
#
# NTP Time Server
#
$IPC -A input -s 140.142.16.34/255.255.255.0 -d 0/0 -j ACCEPT
#
# FTP access
#
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 20 -j ACCEPT
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 21 -j ACCEPT
#
# Telnet Access, replace x.x.x.x with static IP number
# We do not allow Telnet Access
#$IPC -A input -p tcp -s x.x.x.x/32 -d $OUTERNET 23 -j ACCEPT
#
# SSH - Secure shell access
#
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 22 -j ACCEPT
#
# SMTP - sendmail mail server
#
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 25 -j ACCEPT
#
# Bind DNS server
#
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 53 -j ACCEPT
$IPC -A input -p udp -s 0/0 -d $OUTERNET 53 -j ACCEPT
#
# WebServer
#
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 80 -j ACCEPT
#
# WebServer Admin tool
#
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 81 -j ACCEPT
#
# POP3 server
#
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 110 -j ACCEPT
#
# IMAP2 server
# We do not allow IMAP
#$IPC -A input -p tcp -s 0/0 -d $OUTERNET 143 -j ACCEPT
#
# SSL server
#
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 443 -j ACCEPT
#
# WebServer Secure Port
#
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 444 -j ACCEPT
#
# MySQL - allow outside access - remove 0/0 with x.x.x.x/32
# No need to allow for external connections
#$IPC -A input -p tcp -s 0/0 -d $OUTERNET 3306 -j ACCEPT
#
# NFS - not installed by default
#
#$IPC -A input -p tcp -s x.x.x.x/32 -d 0/0 2049 -i $OUTERIF -j ACCEPT
#$IPC -A input -p udp -s x.x.x.x/32 -d 0/0 2049 -i $OUTERIF -j ACCEPT
#
# Enable icmp traffic (ping)
#
$IPC -A input -p icmp -s 0/0 -d $OUTERNET -j ACCEPT
$IPC -A output -p icmp -s $OUTERNET -d 0/0 -j ACCEPT
#
# Allow packets from own connections (unprivileged ports)
#
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 1023:65535 -j ACCEPT
$IPC -A input -p udp -s 0/0 -d $OUTERNET 1023:65535 -j ACCEPT
#
# Allow any outgoing connections
#
$IPC -A output -j ACCEPT
#
# Just say no...
#
$IPC -A input -j REJECT -l
#
# Show settings
#
$IPC -L -n
#
# - BETTER BE PARANOID TODAY THAN TOMORROW.....
#
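To work out which rule decides a given packet, here is a small first-match simulator for the chain above (an added example, not part of the original post or of the UK2.NET script). It assumes a constructed $OUTERNET of 192.0.2.10/255.255.255.0 and a placeholder home-machine address, and models only the ipchains options the script uses (-p, -s, -d with an optional port or range, ! -y, -j).

```python
import ipaddress, shlex
OUTERNET = "192.0.2.10/255.255.255.0"   # constructed stand-in for the script's $OUTERNET

def _net(spec):  # ipchains address syntax ('0/0', 'a.b.c.d/32', 'a.b.c.d/255.255.255.0') -> ip_network
    host, _, mask = spec.partition("/")
    host = ".".join((host.split(".") + ["0"] * 4)[:4])   # ipchains pads '0' to 0.0.0.0
    return ipaddress.ip_network(f"{host}/{mask or 32}", strict=False)

def parse_rule(line):
    """Parse one '$IPC -A input ...' line; covers only the options the posted script uses."""
    toks = shlex.split(line.replace("$OUTERNET", OUTERNET))
    rule = {"proto": "all", "src": _net("0/0"), "dst": _net("0/0"), "syn": None, "target": "ACCEPT"}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-s", "-d"):                       # address, optionally followed by port[:port]
            key = "src" if t == "-s" else "dst"
            rule[key] = _net(toks[i + 1]); i += 2
            if i < len(toks) and toks[i][0] not in "-!":
                lo, _, hi = toks[i].partition(":")
                rule[key[0] + "port"] = (int(lo), int(hi or lo)); i += 1
        elif t == "-p": rule["proto"] = toks[i + 1]; i += 2
        elif t == "-j": rule["target"] = toks[i + 1]; i += 2
        elif t == "-y": rule["syn"] = True; i += 1      # match only SYN (new connections)
        elif t == "!" and toks[i + 1] == "-y": rule["syn"] = False; i += 2   # everything but SYN
        elif t in ("-A", "-i"): i += 2
        else: i += 1                                    # '$IPC', '-l' (log), ...
    return rule

def first_match(rules, proto, src, dport=0, syn=True, sport=40000, dst=OUTERNET.split("/")[0]):
    """Walk the chain the way ipchains does: the first matching rule decides the packet."""
    for r in rules:
        if r["proto"] not in ("all", proto): continue
        if ipaddress.ip_address(src) not in r["src"] or ipaddress.ip_address(dst) not in r["dst"]: continue
        if "dport" in r and not r["dport"][0] <= dport <= r["dport"][1]: continue
        if "sport" in r and not r["sport"][0] <= sport <= r["sport"][1]: continue
        if r["syn"] is not None and r["syn"] != syn: continue
        return r["target"]
    return "ACCEPT"   # the script never sets '-P input DENY', so the chain policy stays ACCEPT

# Subset of the posted input chain in script order; the home-machine IP is a constructed placeholder.
SCRIPT_RULES = [parse_rule(l) for l in """
$IPC -A input ! -y -p tcp -s 0/0 -d $OUTERNET -j ACCEPT
$IPC -A input -s 203.0.113.7/32 -d 0/0 -j ACCEPT
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 22 -j ACCEPT
$IPC -A input -p udp -s 0/0 -d $OUTERNET 53 -j ACCEPT
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 1023:65535 -j ACCEPT
$IPC -A input -j REJECT -l
""".strip().splitlines()]
```

Walking the chain this way also makes one property of the posted rules visible: the 1023:65535 rules accept new SYNs to every unprivileged port from anywhere, not just replies to the server's own connections, which the earlier "! -y" rule already covers.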


