[cobalt-users] [OT] Re: ipchains firewall blocking own c-class
- Subject: [cobalt-users] [OT] Re: ipchains firewall blocking own c-class
- From: Bruce Timberlake <bruce@xxxxxxxxxx>
- Date: Tue Feb 11 09:57:01 2003
- Organization: BRTNet.org
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> What rule is there to accept the own C-class.
> is it like a one line command? Willing to give me a hint? :D
$IPCHAINS -A input -i eth0 -s 192.168.10.0/24 -j ACCEPT
where $IPCHAINS is defined at the top of the file like this:
IPCHAINS=/sbin/ipchains
Here's the top of my firewall ruleset:
### START OF FILE ###
#!/bin/sh
# IP Fragmentation Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# IP Bogus Error Response Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
IPCHAINS=/sbin/ipchains
# First we'll flush the chains
# (both input and output get rules appended below, so flush both;
# flushing only input would leave the output rules duplicated every
# time this script is re-run)
$IPCHAINS -F input
$IPCHAINS -F output
# Allow 'everything' outbound
$IPCHAINS -A output -i eth0 -s 0/0 -d 0/0 -j ACCEPT
# Allow everything in and out on localhost
$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
# Deny spoofed networks
# (no reason for traffic on these networks to be appearing
# on the public interface - unless the RaQ is _only_ on one
# of these private networks and not exposed directly to the
# internet...)
#
$IPCHAINS -A input -i eth0 -s 10.0.0.0/8 -d 0/0 -j DENY
$IPCHAINS -A input -i eth0 -s 172.16.0.0/12 -d 0/0 -j DENY
$IPCHAINS -A input -i eth0 -s 192.168.0.0/16 -d 0/0 -j DENY
$IPCHAINS -A input -i eth0 -s 127.0.0.0/8 -d 0/0 -j DENY
# Always accept traffic from ourselves
# (and don't bother logging it, so no "-l" switch)
# 'localhost'
# (never reached: anything claiming 127.0.0.1 on eth0 is already DENYed
# by the 127.0.0.0/8 rule above, and real loopback traffic matches the
# '-i lo' ACCEPT; kept here so the list of "ourselves" is complete)
$IPCHAINS -A input -i eth0 -s 127.0.0.1 -j ACCEPT
# my home dsl line
$IPCHAINS -A input -i eth0 -s ip.ad.re.ss -j ACCEPT
# the raq's assigned IP addresses
$IPCHAINS -A input -i eth0 -s ip.ad.re.ss -j ACCEPT
$IPCHAINS -A input -i eth0 -s ip.ad.re.s2 -j ACCEPT
$IPCHAINS -A input -i eth0 -s ip.ad.re.s3 -j ACCEPT
# Then start adding the IPs to block
# -A <chain> add this rule to chain <chain>
# -i <ethx> enforce rule on interface <ethx>
# -s ip.ad.re.ss source IP address
# -p [tcp|udp] type of packets
#
# ! x anything but port x
# or
# x:y from port x to port y
#
# -l log any action
# -j <action> jump to action
# MSSQL worm
$IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 1433:1434 -p udp -l -j DENY
$IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 1433:1434 -p tcp -l -j DENY
# NetBIOS
$IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 137:139 -p tcp -j DENY
$IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 137:139 -p udp -j DENY
# First bad guy I don't like (ban all but www traffic)
# (the port has to follow -d: a port written after -s is a *source*
# port, and a web client's source port is ephemeral, so
# '-s ba.dg.uy.ip ! www' would have blocked his web hits as well)
$IPCHAINS -A input -i eth0 -s ba.dg.uy.ip -d 0/0 ! www -p tcp -l -j DENY
# Next bad guy - ban his entire Class C
$IPCHAINS -A input -i eth0 -s ba.dg.uy.0/24 -p tcp -l -j DENY
and so on. Remember it works from the top down, so the first rule the
packet matches is where it "exits"... so specifically allow anything
you _do_ want at the top, then start blocking stuff you don't want
after that.
--
Bruce Timberlake
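An added example, not code from the original post or from the Cobalt RaQ ruleset: a small first-match simulator for ipchains-style input rules, to show concretely what the "top down, first match exits" point means for the C-class ACCEPT line in the reply, and why a port written after -s is a source port rather than a destination port. The Rule and Packet classes, the sample chains and the addresses (RFC 5737 documentation ranges) are constructed for illustration; nothing here invokes /sbin/ipchains.

```python
"""Added example (not from the original post): first-match simulation of
ipchains-style input rules, to demonstrate rule ordering and source- vs
destination-port specifications. Rules, packets and addresses are constructed
assumptions; nothing here calls /sbin/ipchains."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PortSpec = Tuple[int, int, bool]  # (low, high, negated): "x:y" or "! x"


@dataclass
class Rule:
    target: str                       # "ACCEPT" or "DENY"
    src: str = "0.0.0.0/0"            # -s address/mask
    dst: str = "0.0.0.0/0"            # -d address/mask
    proto: Optional[str] = None       # -p tcp|udp, None = any protocol
    sport: Optional[PortSpec] = None  # port written after -s
    dport: Optional[PortSpec] = None  # port written after -d
    log: bool = False                 # -l


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def port_ok(spec: Optional[PortSpec], port: int) -> bool:
    """No port spec matches any port; '! x' inverts the range test."""
    if spec is None:
        return True
    low, high, negated = spec
    hit = low <= port <= high
    return not hit if negated else hit


def matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return port_ok(rule.sport, pkt.sport) and port_ok(rule.dport, pkt.dport)


def first_match(chain, pkt: Packet, policy: str = "ACCEPT"):
    """ipchains semantics: walk the chain top down; the first matching rule
    decides. Returns (target, index); index None means the policy applied."""
    for i, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule.target, i
    return policy, None


# The anti-spoof and worm/NetBIOS blocks from the posted ruleset.
SPOOF_DENY = [Rule("DENY", src=n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
OWN_CLASS_C = Rule("ACCEPT", src="192.168.10.0/24")   # the line from the reply
PORT_BLOCKS = [
    Rule("DENY", proto="udp", dport=(1433, 1434, False), log=True),  # MSSQL worm
    Rule("DENY", proto="tcp", dport=(1433, 1434, False), log=True),
    Rule("DENY", proto="tcp", dport=(137, 139, False)),              # NetBIOS
    Rule("DENY", proto="udp", dport=(137, 139, False)),
]

# Constructed sample packets (documentation address ranges).
LAN_SSH = Packet("192.168.10.5", "192.168.10.1", "tcp", 40000, 22)
SLAMMER = Packet("198.51.100.7", "203.0.113.10", "udp", 1434, 1434)
WEB_HIT = Packet("198.51.100.7", "203.0.113.10", "tcp", 51000, 80)
BADGUY_WEB = Packet("203.0.113.9", "203.0.113.10", "tcp", 51000, 80)


def ordering_demo() -> dict:
    """Same rules, two orders: the C-class ACCEPT only takes effect when it
    sits above the 192.168.0.0/16 DENY, which would otherwise match first."""
    after = SPOOF_DENY + [OWN_CLASS_C] + PORT_BLOCKS
    before = [OWN_CLASS_C] + SPOOF_DENY + PORT_BLOCKS
    return {
        "own_c_after_spoof_deny": first_match(after, LAN_SSH),
        "own_c_before_spoof_deny": first_match(before, LAN_SSH),
        "slammer": first_match(before, SLAMMER),
        "plain_web": first_match(before, WEB_HIT),
    }


def port_side_demo() -> dict:
    """'-s host ! www' tests the SOURCE port. To let a host reach only the
    web server, the '! www' must follow -d (destination port)."""
    by_sport = [Rule("DENY", src="203.0.113.9", proto="tcp", sport=(80, 80, True))]
    by_dport = [Rule("DENY", src="203.0.113.9", proto="tcp", dport=(80, 80, True))]
    return {"sport_rule": first_match(by_sport, BADGUY_WEB)[0],
            "dport_rule": first_match(by_dport, BADGUY_WEB)[0]}


if __name__ == "__main__":
    for name, verdict in {**ordering_demo(), **port_side_demo()}.items():
        print(f"{name:26s} -> {verdict}")
```

Running it shows the LAN packet hitting the 192.168.0.0/16 DENY (rule index 2) when the C-class ACCEPT is appended below the anti-spoof block, and hitting the ACCEPT (index 0) when it is placed above; the Slammer-style UDP 1434 packet is caught by the logged DENY in either order, and the web client from the "bad guy" address is blocked by the source-port form of "! www" but allowed through by the destination-port form.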