LinuxSA Mailing list archives
From: Alex Garner <alex@netcraft.com.au>
To : Mick Collins <mickwell@bigpond.com>
Date: Wed, 18 Jul 2001 01:09:07 +0930 (CST)
Re: Hey Guys Im Back Ipchains and Firewall Problem
> hehe I'm having a bit of trouble with ipchains. I have edited from a nice
> person from the Linuxsa e-mailing list. I can't do traceroutes and ping
> people? Like this
>
> [root@saturn /root]# ping mamma.com
> PING mamma.com (64.15.129.39) from 144.134.7.116 : 56 data bytes
>
> --- mamma.com ping statistics ---
> 6 packets transmitted, 0 packets received, 100% packet loss
> [root@saturn /root]#
>
>
> But I am on the net fine.
Looking at the script below, with a default input policy of REJECT, I
would say that since you haven't explicitly allowed ICMP, your ping
(icmp echo reply) packets are being denied.
> Here is the script.
>
> ## Setup firewall.
> ## First, clear out all rulesets.
> /sbin/ipchains -F
> /sbin/ipchains -X
> ## Add default policies.
> /sbin/ipchains -P input REJECT
> /sbin/ipchains -P forward REJECT
> /sbin/ipchains -P output ACCEPT
> ## Accept packets on any interface other than ppp
> /sbin/ipchains -A input -i ! ppp+ -j ACCEPT
> ## DNS replies.
> /sbin/ipchains -A input -i ppp+ -p udp --sport domain -j ACCEPT
> #Allow reply packets (no SYN set) on PPP interface.
> /sbin/ipchains -A input ! -y -p tcp -i ppp+ -j ACCEPT
> ## Deny NETBIOS packets from ever seeing light of day (anal; no forwarding).
> /sbin/ipchains -A input -i eth0 -d 0/0 137:139 -p TCP -j DENY
> /sbin/ipchains -A input -i eth0 -d 0/0 137:139 -p UDP -j DENY
> #Masq Internal Network Out To Internet
> /sbin/ipchains -A input -i ppp+ -p udp --sport 4000 -j ACCEPT
> /sbin/ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
> #Allow Incoming HTTPD Requests
> /sbin/ipchains -A input -i ppp+ -p tcp --dport 80 -j ACCEPT -l
> #Allow Incoming SSH Requests
> /sbin/ipchains -A input -i ppp+ -p tcp --dport 22 -j ACCEPT -l
> /sbin/ipchains -A input -i ppp+ -p udp --dport 22 -j ACCEPT -l
> #Allow Ident
> /sbin/ipchains -A input -i ppp+ -p udp --dport 113 -j ACCEPT -l
> echo "1" > /proc/sys/net/ipv4/ip_forward
> insmod ip_masq_icq
> insmod ip_masq_quake
> insmod ip_masq_ftp
> insmod ip_masq_irc
Cheers
Alex!
--
Alex Garner <alex@netcraft.com.au>
NetCraft Australia
Phone (08) 8338 0888
http://www.netcraft.com.au
"We have achieved the best possible performance by using
the available power supply & holding the air velocity to
a level which will allow it to heat to the highest
temperature near dry hands could stand on a warm day."
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
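Editor's added example (not part of Alex's mail or the quoted script): the ICMP rules the quoted ruleset lacks. Its only broad accept is `-i ! ppp+`, so on the ppp interface every ICMP packet falls through to the `-P input REJECT` policy; that discards the echo-reply that answers a ping and, because traceroute works by provoking ICMP time-exceeded and port-unreachable replies, breaks traceroute the same way. The snippet assumes a POSIX sh; `IPCHAINS`, `ICMP_REPLY_TYPES` and the two function names are this example's own, and the dry-run default (rules are printed, not loaded) is an addition for safe testing. The ICMP type names are the ones `ipchains -h icmp` lists, given as the "port" part of `-s`, which is how ipchains matches an ICMP type.

```shell
#!/bin/sh
# Added example, not from the original mail or the quoted script.
# Supplies the ICMP accept rules missing from a ruleset that has
# "-P input REJECT" and accepts nothing on ppp+ except DNS, a few UDP
# ports and non-SYN TCP.
#
# IPCHAINS is a dry-run switch added here (assumption): by default the rules
# are only printed. Run with IPCHAINS=/sbin/ipchains to load them, after the
# "-P input REJECT" line of the existing script.
IPCHAINS="${IPCHAINS:-echo /sbin/ipchains}"

# ICMP types a host must accept to get answers to its own ping/traceroute
# probes and to keep TCP/UDP error signalling (e.g. unreachable) working.
# echo-request is deliberately left out so the box stays unpingable from
# outside, matching the quoted script's default-deny stance.
ICMP_REPLY_TYPES="echo-reply destination-unreachable time-exceeded source-quench parameter-problem"

# One ACCEPT rule per reply type, on the ppp interfaces only. ipchains takes
# the ICMP type as the "port" part of -s, hence "-s 0/0 <type>".
allow_icmp_replies() {
    for t in $ICMP_REPLY_TYPES; do
        $IPCHAINS -A input -i ppp+ -p icmp -s 0/0 "$t" -j ACCEPT || return 1
    done
}

# Self-check of the dry-run output: every reply type gets a rule and nothing
# accepts inbound echo-request. Returns 0 on success, 1 otherwise.
check_rules() {
    out=$(allow_icmp_replies) || return 1
    for t in $ICMP_REPLY_TYPES; do
        echo "$out" | grep -q -- "-p icmp -s 0/0 $t -j ACCEPT" || return 1
    done
    echo "$out" | grep -q 'echo-request' && return 1
    return 0
}

# Dry run: prints the five rules that would be added.
allow_icmp_replies
```

Because all of these are ACCEPT rules in a chain whose policy is REJECT, their position among the other ACCEPT lines does not matter; they only need to be in the input chain at all. After loading them for real, `ipchains -L input -n` lists the chain, and a ping or traceroute from the box should start getting replies; the internal 192.168.1.0/24 hosts behind MASQ benefit too, since their replies arrive addressed to the firewall and pass the same input chain.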