[ale] ipchains help?
Nomad the Wanderer
nomad at orci.com
Sat Feb 6 23:56:12 EST 1999
Ok,

Here is my ipchains configuration. It looks nice and pretty, but it's not doing anything. I can tell it to deny everything on ppp-in and I can still ssh in and even telnet to port 113. Anyone have any ideas? I don't get any errors when I execute this script.
---------------------------------------------------------------------
#!/bin/sh
echo Starting ipchains config
# Flush any existing rules
/usr/local/bin/ipchains -F
/usr/local/bin/ipchains -N ppp-out
/usr/local/bin/ipchains -A output -i ppp0 -j ppp-out
# Minimum delay for web traffic & telnet.
/usr/local/bin/ipchains -A ppp-out -p UDP -d any/0 27900 -t 0x01 0x10
/usr/local/bin/ipchains -A ppp-out -p UDP -d any/0 27910 -t 0x01 0x10
/usr/local/bin/ipchains -A ppp-out -p UDP -d any/0 27912 -t 0x01 0x10
/usr/local/bin/ipchains -A ppp-out -p TCP -d 0.0.0.0 80 -t 0x01 0x10
/usr/local/bin/ipchains -A ppp-out -p TCP -d 0.0.0.0 telnet -t 0x01 0x10
# Low cost for ftp data, nntp, pop-3:
/usr/local/bin/ipchains -A ppp-out -p TCP -d 0.0.0.0/0 ftp-data -t 0x01 0x02
/usr/local/bin/ipchains -A ppp-out -p TCP -d 0.0.0.0/0 nntp -t 0x01 0x02
/usr/local/bin/ipchains -A ppp-out -p TCP -d 0.0.0.0/0 pop-3 -t 0x01 0x02
# There are a few restrictions on packets coming in the ppp0 interface: let's create a chain called `ppp-in':
/usr/local/bin/ipchains -N ppp-in
/usr/local/bin/ipchains -A input -i ppp0 -j ppp-in
# Now, no packets coming in ppp0 should be claiming a source address of 207.174.68.80-95, so we log and deny them:
/usr/local/bin/ipchains -A ppp-in -s 0.0.0.0 -l -j DENY
# Allow dudley's network in and log it (-l)
/usr/local/bin/ipchains -A ppp-in -s 206.168.154.0/24 -l -j ACCEPT
/usr/local/bin/ipchains -A ppp-in -s 206.168.154.1 -j ACCEPT
# Allow rocky's in
/usr/local/bin/ipchains -A ppp-in -s 204.144.173.1 -j ACCEPT
# Allow gwl's network in
/usr/local/bin/ipchains -A ppp-in -s 143.199.125.10 -l -j ACCEPT
/usr/local/bin/ipchains -A ppp-in -s 199.5.174.2 -d 207.174.68.94 21 -p tcp -l -j ACCEPT
# Allow ssh in.
/usr/local/bin/ipchains -A ppp-in -s 0.0.0.0 -d 207.174.68.94 22 -p tcp -l -j ACCEPT
/usr/local/bin/ipchains -A ppp-in -s 0.0.0.0 -d 207.174.68.94 1022 -p tcp -l -j ACCEPT
/usr/local/bin/ipchains -A ppp-in -s 0.0.0.0 -d 207.174.68.81 22 -p tcp -l -j ACCEPT
/usr/local/bin/ipchains -A ppp-in -s 0.0.0.0 -d 207.174.68.81 1022 -p tcp -l -j ACCEPT
# Allow ftp's in.
/usr/local/bin/ipchains -A ppp-in -s 0.0.0.0 21 -p tcp -l -j ACCEPT
/usr/local/bin/ipchains -A ppp-in -s 0.0.0.0 20 -p tcp -l -j ACCEPT
# Allow local to local packets
/usr/local/bin/ipchains -A input -i lo -j ACCEPT
---------------------------------------------------------------------------
Robert L. Harris | Windows is to Unix
Senior System Administrator II | what 'hooked on phonics'
at Great West Life. \_ is to Shakespeare
http://www.orci.com/~nomad
DISCLAIMER:
These are MY OPINIONS ALONE. I speak for no-one else.
FYI:
perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
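A corrected version of the poster's ruleset, added here as an example; it is not part of the original post. Two defects in the script above explain the symptoms: `-s 0.0.0.0` without a mask is the single host 0.0.0.0/32, so every "anyone" rule (the anti-spoofing DENY, the ssh and ftp ACCEPTs, and the "deny everything" test) never matches; and `ppp-in` has no final DENY, so an unmatched packet returns to the `input` chain, whose policy is ACCEPT, which is why port 113 still answers. The script keeps the addresses from the post (the 207.174.68.80-95 block written as 207.174.68.80/28, the two ssh hosts, the trusted peers), leaves out the game-port and nntp/pop TOS lines, and adds a DRY_RUN switch that prints the rules instead of loading them. The names `fw`, `load_rules`, `PPP_IF`, `DNS_SERVERS` and `DRY_RUN` are this example's own.

```shell
#!/bin/sh
# Corrected ipchains ruleset for the setup in the post (added example, not the
# poster's script). Assumed values: the 207.174.68.80-95 block as 207.174.68.80/28,
# ssh hosts 207.174.68.94 and .81, and the trusted peers listed in the original.
# Run with --apply to load the rules, or --dry-run to print them instead.

IPCHAINS="${IPCHAINS:-/usr/local/bin/ipchains}"
PPP_IF="${PPP_IF:-ppp0}"
LOCAL_NET="207.174.68.80/28"
SSH_HOSTS="207.174.68.94 207.174.68.81"
TRUSTED="206.168.154.0/24 204.144.173.1 143.199.125.10"
# Placeholder: set this to the ISP's resolvers to narrow the DNS-reply rule.
DNS_SERVERS="${DNS_SERVERS:-0.0.0.0/0}"

# Every rule goes through fw so DRY_RUN=1 can print the ruleset instead of loading it.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ipchains $*"
    else
        "$IPCHAINS" "$@"
    fi
}

load_rules() {
    fw -F            # flush every chain
    fw -X            # and delete the user-defined ones so the script can be re-run

    # --- outbound: TOS tweaks only, nothing is filtered here ---
    fw -N ppp-out
    fw -A output -i "$PPP_IF" -j ppp-out
    # "any host" is 0.0.0.0/0; a bare 0.0.0.0 is the single host 0.0.0.0/32 and never matches
    fw -A ppp-out -p tcp -d 0.0.0.0/0 22 -t 0x01 0x10
    fw -A ppp-out -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
    fw -A ppp-out -p tcp -d 0.0.0.0/0 80 -t 0x01 0x10

    # --- inbound on ppp0 ---
    fw -N ppp-in
    fw -A input -i "$PPP_IF" -j ppp-in

    # Anti-spoofing: nothing arriving from the ISP may claim our own block or loopback.
    fw -A ppp-in -s "$LOCAL_NET" -l -j DENY
    fw -A ppp-in -s 127.0.0.0/8 -l -j DENY

    # Return traffic for connections we opened: TCP segments without SYN (! -y),
    # DNS answers to our resolver's high ports, and ICMP (path-MTU discovery needs it).
    fw -A ppp-in -p tcp ! -y -j ACCEPT
    fw -A ppp-in -p udp -s "$DNS_SERVERS" 53 -d "$LOCAL_NET" 1024:65535 -j ACCEPT
    fw -A ppp-in -p icmp -j ACCEPT

    # Trusted peers from the original post (dudley, rocky, gwl), logged.
    for h in $TRUSTED; do
        fw -A ppp-in -s "$h" -l -j ACCEPT
    done

    # New ssh connections (SYN only, -y) to the two hosts on 22 and 1022, from anywhere.
    for h in $SSH_HOSTS; do
        for p in 22 1022; do
            fw -A ppp-in -p tcp -y -s 0.0.0.0/0 -d "$h" "$p" -l -j ACCEPT
        done
    done

    # FTP control from the one peer allowed in the original.
    fw -A ppp-in -p tcp -s 199.5.174.2 -d 207.174.68.94 21 -l -j ACCEPT
    # Active-mode FTP data: remote servers connect back from port 20 to a high port.
    # Drop this rule if clients use passive mode; it admits any host sourcing port 20.
    fw -A ppp-in -p tcp -s 0.0.0.0/0 20 -d "$LOCAL_NET" 1024:65535 -j ACCEPT

    # Catch-all: log and deny whatever did not match above. Without it the chain
    # returns to input, whose policy is ACCEPT, so ports like 113 stay reachable.
    fw -A ppp-in -l -j DENY

    # Loopback traffic never enters ppp-in; accept it on input directly.
    fw -A input -i lo -j ACCEPT
}

case "${1:-}" in
    --apply)   load_rules ;;
    --dry-run) DRY_RUN=1; load_rules ;;
esac
```

Run it with `--dry-run` first and read the printed rules top to bottom: order matters in ipchains, so the anti-spoofing DENYs must precede every ACCEPT and the logging catch-all must be the last rule in `ppp-in`. The `! -y` rule is what lets outbound ssh, http and telnet sessions get their replies once the catch-all is in place; before adding it, the deny-by-default chain would have cut off every connection the host itself opened.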