TCLUG Archive

starting ipchains



Attached is the beginning of my ipchains. It is meant for a single
computer doing no routing or masquerading, but if you are doing routing
and masq, I think you will only need to change
YOURIP=137.22.65.56
to 
YOURIP=137.22.65.56/8  or whatever your network range is

and add rules for the other interface.

I originally had ipchains deny all ports by default instead of 1:1023, but
this killed all access. What ports must I leave open in the input chain,
and what outside of 1:1023 can I close? I noticed that netstat lists
a good number of other ports (7000, etc.). Are there other ranges I can
kill, or can I kill by default, or are there just one or two ports I must
keep open so that I can kill the rest?

Later I'll have the first rule kill all access, so you won't have bad
rules while this is loading.

Thanks,

Ben



Ben Luey
lueyb@carleton.edu
ICQ: 19144397

Modern computerized word processing enables us, both as individuals and as a
cohesive societal entity, to exponentially enhance and aggrandize the 
parameters, both qualitative and quantitative, not to mention paradigmatic, of 
our communicative conceptualizations because now we can spell great big words
correctly without having a clue what they mean.  -- Dave Barry

#!/bin/sh
# Single-host ipchains ruleset: no routing, no masquerading, one interface.
IFACE=eth0
YOURNET=137.22.96.160
# NOTE: 255.255.244.0 is not a contiguous netmask (244 = 11110100b), so this
# range cannot be what was intended; verify the mask (e.g. 255.255.224.0 or
# 255.255.240.0) before relying on the TRUST rule below.
TRUST=137.22.96.0/255.255.244.0
# Clear all old rules in the three built-in chains. Flushing does not touch
# the chain policies, which stay at their default of ACCEPT unless set below.
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
# Anti-spoofing: packets claiming a private (RFC 1918), loopback or our own
# source address must never arrive on the internet-facing interface.
/sbin/ipchains -A input -p all -j DENY -s 10.0.0.0/8 -i $IFACE -d 0.0.0.0/0
/sbin/ipchains -A input -p all -j DENY -s 127.0.0.0/8 -i $IFACE -d 0.0.0.0/0
/sbin/ipchains -A input -p all -j DENY -s 192.168.0.0/16 -i $IFACE -d 0.0.0.0/0
# /12, not /16: the RFC 1918 block is 172.16.0.0 through 172.31.255.255
/sbin/ipchains -A input -p all -j DENY -s 172.16.0.0/12 -i $IFACE -d 0.0.0.0/0
/sbin/ipchains -A input -p all -j DENY -s $YOURNET -i $IFACE -d 0.0.0.0/0
# This host does no routing: refuse to forward anything.
/sbin/ipchains -P forward DENY
# Deny all privileged TCP ports to everyone. Disabled here: ipchains uses
# first match, so placed ahead of the ACCEPT rules it would also block the
# services allowed below. The same DENY is applied as the last rule instead.
#/sbin/ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -i $IFACE -d 0.0.0.0/0 1:1023

# Allow the offered services: SMTP and HTTP from anywhere, ftp-data/ftp/ssh/
# telnet (20:23) only from the trusted range.
/sbin/ipchains -A input -p tcp -j ACCEPT -s 0.0.0.0/0 -i $IFACE -d $YOURNET 25
/sbin/ipchains -A input -p tcp -j ACCEPT -s 0.0.0.0/0 -i $IFACE -d $YOURNET 80
/sbin/ipchains -A input -p tcp -j ACCEPT -s $TRUST -i $IFACE -d $YOURNET 20:23
# Deny every other privileged TCP port. Anything not matched here (UDP, ICMP,
# TCP above 1023) is still passed by the input chain's default ACCEPT policy.
/sbin/ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -i $IFACE -d 0.0.0.0/0 1:1023
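The reason a blanket deny "killed all access" is that ipchains is stateless: the ports above 1023 that netstat shows (7000 and friends) are mostly the local ends of connections this host opened, and the replies to them arrive on the input chain like any other packet. The rules below are an added example, not Ben's script or anything from the list, showing the usual ipchains answer: set the input policy to DENY, let TCP reply traffic in by matching packets that are not a connection-opening SYN (`! -y`), let DNS answers in from the resolver, and then accept only the services actually offered. IFACE, HOSTIP, the TRUST range (/19) and the DNS address are assumed values. With no arguments the script prints the commands it would run; as root, `sh script.sh apply` loads them.

```shell
#!/bin/sh
# Added example: default-deny single-host ipchains ruleset with reply traffic
# allowed explicitly. IFACE, HOSTIP, TRUST and DNS are assumed values.

IFACE=eth0
HOSTIP=137.22.96.160          # this machine's address
TRUST=137.22.96.0/19          # assumed campus range allowed to use ftp/ssh/telnet
DNS=137.22.96.1               # assumed address of the resolver we query

build_rules() {
    # Flushing does not reset chain policies, so set them explicitly.
    $IPCHAINS -F input
    $IPCHAINS -F output
    $IPCHAINS -F forward
    $IPCHAINS -P input DENY
    $IPCHAINS -P output ACCEPT
    $IPCHAINS -P forward DENY

    # Loopback must stay open or local clients (X, mail, printing) break.
    $IPCHAINS -A input -i lo -j ACCEPT

    # Anti-spoofing: RFC 1918 space, loopback and our own address never
    # legitimately arrive on the external interface. -l logs each hit.
    for net in 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16 $HOSTIP; do
        $IPCHAINS -A input -i $IFACE -s $net -j DENY -l
    done

    # Replies to connections this host opened: any TCP packet that is not
    # a bare SYN belongs to a conversation we started (or to one accepted
    # by a rule below), whatever high port it is addressed to.
    $IPCHAINS -A input -i $IFACE -p tcp ! -y -j ACCEPT
    # DNS answers from the configured resolver to our ephemeral ports.
    $IPCHAINS -A input -i $IFACE -p udp -s $DNS 53 -d $HOSTIP 1024:65535 -j ACCEPT
    # ICMP needed for path MTU discovery, error reporting and ping replies.
    for t in destination-unreachable source-quench time-exceeded echo-reply; do
        $IPCHAINS -A input -i $IFACE -p icmp --icmp-type $t -j ACCEPT
    done

    # Offered services. New connections are SYN packets (-y): SMTP and HTTP
    # from anywhere, ftp-data/ftp/ssh/telnet only from the trusted range.
    $IPCHAINS -A input -i $IFACE -p tcp -y -d $HOSTIP 25 -j ACCEPT
    $IPCHAINS -A input -i $IFACE -p tcp -y -d $HOSTIP 80 -j ACCEPT
    $IPCHAINS -A input -i $IFACE -p tcp -y -s $TRUST -d $HOSTIP 20:23 -j ACCEPT

    # Everything else, including unsolicited traffic to ports above 1023,
    # falls through to the DENY policy; log it so probes are visible.
    $IPCHAINS -A input -i $IFACE -j DENY -l
}

if [ "${1:-}" = "apply" ]; then
    IPCHAINS=/sbin/ipchains
else
    IPCHAINS=echo     # dry run: show the rules instead of loading them
fi
build_rules
```

The design point is that no particular high port has to be "left open": the `! -y` rule admits reply packets for whatever ephemeral port the kernel chose, while every SYN to a port without an explicit ACCEPT is dropped and logged, so the list of listening ports netstat shows becomes irrelevant to what the outside can reach.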