TCLUG Archive
Re: [TCLUG:13767] IPCHAINS again...
On Sun, 20 Feb 2000, Ryan Hankins wrote:
>
> > Anyone know what I'm doing wrong now?...
>
> TCP connections send packets in two ways, of course, regardless of the
> direction from which they are initiated. What you are doing in this
> case is to block packets coming into your machine. What you really want
> to do is to block packets that are in streams where the SYN packets did
> not originate from your machine, meaning that another computer initiates
> the stream, not your computer. You can do this using the -y option to
> ipchains.
>
> Consider using a rule like this:
>
> ipchains -A input -p tcp -s 0/0 -d 0/0 -j DENY -y -l
>
> Such a rule allows only TCP connections that are started by your
> machine, and not ones that are initiated from the outside. Do not think
> that you can write one ipchains rule that will in itself create a
> firewall; such a rule will be either quite insecure, or it will (as in
> the case you mentioned) be so secure that it will be overly limiting.
>
> I recommend you take a look at the ipchains howto:
>
> http://howto.tucows.com/LDP/HOWTO/IPCHAINS-HOWTO-4.html
>
> Especially look at section 4.1: Specifying TCP SYN Packets Only
>
> -R
>
Erm, yeah, I suppose I should have read the original post... the line I
gave you will block _all_ incoming, so you have to allow any incoming
traffic you would like, including responses to anything you send out, with
the -j ACCEPT flag. Read the HOWTO; it should tell you what you need to
know.
--
Nate Carlson <carlson@real-time.com> | Phone : (612)943-8700
http://www.real-time.com | Fax : (612)943-8500
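The following is an added example, not code from the thread above, that models what the -y flag in the quoted rule actually matches. ipchains -y selects TCP packets with SYN set and ACK and FIN clear, i.e. the first packet of a connection opened from the outside, so the rule from the message denies inbound connection attempts while letting the SYN/ACK replies to your own outbound connections through. A rule without -y denies every inbound TCP packet, including those replies. The addresses, the Rule/Packet types and the input_chain() evaluator are assumptions constructed here to illustrate the matching logic; they are not an ipchains API.

```python
"""Toy model of ipchains "input" chain matching, written to illustrate
the -y (SYN-only) option. Constructed example; not the kernel's code."""
from dataclasses import dataclass
import ipaddress

# TCP flag bits as laid out in the TCP header flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp"
    src: str            # source IP (constructed sample values below)
    dst: str            # destination IP
    flags: int = 0      # TCP flags; ignored for non-TCP


def is_syn_only(flags: int) -> bool:
    """ipchains -y: SYN set, ACK and FIN clear (a connection-opening packet).
    A SYN/ACK reply to our own outbound SYN does NOT match."""
    return bool(flags & SYN) and not (flags & (ACK | FIN))


@dataclass
class Rule:
    target: str                 # -j DENY / ACCEPT
    proto: str = "all"          # -p
    src: str = "0.0.0.0/0"      # -s
    dst: str = "0.0.0.0/0"      # -d
    syn_only: bool = False      # -y (only meaningful with -p tcp)
    log: bool = False           # -l

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.syn_only and not (pkt.proto == "tcp" and is_syn_only(pkt.flags)):
            return False
        return True


def input_chain(rules: list, pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in ipchains; otherwise the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# The rule quoted in the message: ipchains -A input -p tcp -s 0/0 -d 0/0 -j DENY -y -l
SYN_DENY_RULES = [Rule("DENY", proto="tcp", syn_only=True, log=True)]
# The same rule without -y: denies every inbound TCP packet.
ALL_TCP_DENY_RULES = [Rule("DENY", proto="tcp")]

# Constructed sample traffic arriving at our host 192.0.2.10.
INBOUND_SYN = Packet("tcp", "203.0.113.5", "192.0.2.10", SYN)            # outsider opens a connection
INBOUND_SYNACK = Packet("tcp", "198.51.100.7", "192.0.2.10", SYN | ACK)  # reply to our outbound SYN
INBOUND_DATA = Packet("tcp", "198.51.100.7", "192.0.2.10", ACK | PSH)    # data on our connection
INBOUND_UDP = Packet("udp", "198.51.100.53", "192.0.2.10")               # e.g. a DNS reply

if __name__ == "__main__":
    for name, pkt in [("SYN", INBOUND_SYN), ("SYN/ACK", INBOUND_SYNACK),
                      ("ACK data", INBOUND_DATA), ("UDP", INBOUND_UDP)]:
        print(f"{name:9s} with -y: {input_chain(SYN_DENY_RULES, pkt):6s} "
              f"without -y: {input_chain(ALL_TCP_DENY_RULES, pkt)}")
```

Note that a chain whose policy is ACCEPT plus this single -y rule is exactly the "one rule firewall" the message warns against: it stops plain connection attempts, but anything that is not a bare SYN (UDP, ICMP, TCP packets with unusual flag combinations) still reaches the host unless further rules deal with it.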