LinuxSA Mailing list archives
Index:
[thread]
[date]
[subject]
[author]
[stats]
From: Adam Hawes <adam_hawes@dingoblue.net.au>
To : <linuxsa@linuxsa.org.au>
Date: Tue, 02 Jan 2001 23:31:58 +1030
Re: Firewall Development
> Just assuming there were nasty people on the list, wouldn't they just say
> (offlist) " i am a nice guy and security expert, I will look at your
> set up for you "?
>
> In this case, they get a look at your rules anyway.
Okay :-)
I'll rephrase the question as there was only one thing that I was really
interested in finding an answer for anyway.
What rules are required to allow DNS queries:
1. into a box (on eth0 interface, address 192.168.1.1)
2. out of that box (on ppp0 interface, address dynamic)
I essentially want to make sure that internal computers on
192.168.1.0/24 can query the DNS server on 192.168.1.1, and that the DNS
server on 192.168.1.1 can query external nameservers.
The rest of my rules are pretty much wrapped up; default policy to DENY
and only allow acces to my proxy server, and a few other ports for ICQ
and things to masquerade through. I have no doubts about the ICQ or
proxy ports because I use that already. What I want to do is change the
default policies from ACCEPT to DENY. This will block DNS queries too
so I need to ensure that they are getting through.
Cheers,
Adam
#!/bin/sh
EXTIP=$4
INTIP=192.168.1.1
EXTNET=ppp0
INTNET=eth0
#
# Flush ALL rules
#
/sbin/ipchains -F
/sbin/ipchains -X
/usr/sbin/ipmasqadm portfw -f
#
# Explicitly deny everything
#
/sbin/ipchains -P input DENY
/sbin/ipchains -P output DENY
/sbin/ipchians -P forward DENY
#
# Allow DNS connections
#
/sbin/ipchains -A output -s 192.168.1.0/24 53 -j ACCEPT
/sbin/ipchains -A input -s 192.168.1.0/24 53 -j ACCEPT
/sbin/ipchains -A forward -s 192.168.1.0/24 53 -J ACCEPT
#
# Allow loopback interface traffic
#
/sbin/ipchains -A input -i lo -j ACCEPT
/sbin/ipchains -A output -i lo -j ACCEPT
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
Index:
[thread]
[date]
[subject]
[author]
[stats]
Return to the LinuxSA Mailing List Information Page