TCLUG Archive

Re: [TCLUG:5678] ipchains script



I think your problem is related to order. ipchains depends on order. If
your first line is deny everything and next one is to accept port 21 --
port 21 will be blocked because the first line (deny) applies to it and
that's it. Therefore what you want to do is put in all your accept lines
first, then a blanket deny script. The reason my script doesn't block 5555
is because the blanket deny line is only for ports from 1-1023. Copy that
line and add 5555 (or whatever range) and it should work. Be careful what
you deny though, I found that some ports over 1023 are needed for client
operations.

Hope this helps,

Ben

> 
> Sometime around the 29th of April in 1999, a certain Ben Luey said:
> 
> : Here is my ipchains script. It allows smtp and web from anywhere. telnet
> : and ftp from trusted hosts, ssh from anywhere, but #ed out.
> :
> : To connect to an ssh server via ssh (version 1) you need port 1023 open.
> 
> Okay, I just can't get these damned ipchains to work. I can
> setup all my rules, it all looks fine, a visual path-following
> seems correct, and using the packet-checking option (-C) says
> it's working fine ..
> 
> .. but if i've got the default input policy set to DENY, none of
> my packets get through (even for rules specified to accept),
> and if I've got it set to ACCEPT, any packet can get through,
> even if it's specified as DENY.
> 
> I'm pissed.
> 
> I'm not going to post my rc.ipchains script until I've got it
> working (it's fugly, and about 9k), or unless someone requests
> it.
> 
> I even tried using your script, Ben (just modified the hosts),
> and it doesn't block a 'telnet <my ip> 5555', for example, even
> though 5555 has no rule (thus defaulting to the last DENY
> rule).
> 
> - --
> [----------------------------------------------------------------------]
> | Joshua Becker                    - aka -                      JellyD |
> | email: jellyd@jellyd.org                          IRC: EFnet, DALnet |
> [----------------------------------------------------------------------]
> 

Ben Luey
lueyb@carleton.edu
ICQ: 19144397

This is a Bart Simpson Congress: underachievers and proud of it.  
   --   Richard Gephardt
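Ben's point about first-match ordering and the 1-1023 blanket deny, as an added example that is not part of the thread: a small Python simulation of how an ipchains input chain is walked, first matching rule wins, otherwise the chain's default policy applies. The `Rule` and `evaluate` helpers are constructed for illustration and are not the ipchains tool or anyone's rc script.

```python
# Added example: a tiny first-match evaluator that mimics how ipchains walks
# an input chain. Hypothetical helper, not the ipchains tool itself.
from dataclasses import dataclass


@dataclass
class Rule:
    target: str          # "ACCEPT" or "DENY"
    proto: str = "tcp"   # protocol the rule matches
    lo: int = 1          # destination port range (inclusive)
    hi: int = 65535


def evaluate(chain, proto, dport, policy="DENY"):
    """Verdict for one packet: the first matching rule wins; if no rule
    matches, the chain's default policy (-P) decides."""
    for r in chain:
        if r.proto == proto and r.lo <= dport <= r.hi:
            return r.target
    return policy


# Deny-first ordering: the blanket DENY matches port 21 before the
# ACCEPT line is ever reached, so ftp is blocked despite the accept rule.
deny_first = [Rule("DENY", "tcp", 1, 1023), Rule("ACCEPT", "tcp", 21, 21)]

# Accept-first ordering, as Ben describes: all accepts, then a blanket
# DENY that only covers the privileged range 1-1023.
accept_first = [
    Rule("ACCEPT", "tcp", 21, 21),    # ftp
    Rule("ACCEPT", "tcp", 25, 25),    # smtp
    Rule("ACCEPT", "tcp", 80, 80),    # web
    Rule("DENY", "tcp", 1, 1023),     # blanket deny, privileged ports only
]

# Same chain with the deny line copied and extended to cover 5555 as well.
accept_first_closed = accept_first + [Rule("DENY", "tcp", 5555, 5555)]

if __name__ == "__main__":
    # With a permissive default policy, 5555 slips through the first chain
    # because nothing in 1-1023 matches it; the extended chain closes it.
    print(evaluate(deny_first, "tcp", 21, policy="ACCEPT"))
    print(evaluate(accept_first, "tcp", 21, policy="ACCEPT"))
    print(evaluate(accept_first, "tcp", 5555, policy="ACCEPT"))
    print(evaluate(accept_first_closed, "tcp", 5555, policy="ACCEPT"))
```

Switching the default policy to DENY also closes 5555, which is why the blanket deny range matters most when the chain's policy is ACCEPT.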