Re: IP Chain Sample Files?

On Mon, 7 Aug 2000, Nikko Odiseos wrote:

> I have been looking for samples of ipchains scripts for various
> configurations.  I have seen the simple ones in Kirsch and Dawson's Linux
> Admin's Guide, but was hoping to find some with more complicated
> configurations.  Thanks

This is a setup I use for a filtering bridge system. The IPs have been
changed to protect the innocent. I'm not sure if this is complex enough
for you, but it's certainly the most complex setup I've done so far.

---> begin file
#!/bin/sh
# Filtering bridge: both NICs come up without an address, in promiscuous
# mode, and are joined into bridge br0. The 2.2 bridge patch's ipchains
# hook filters bridged frames through a chain named after the bridge
# device, which is why the chain below is called br0.
/sbin/ifconfig eth0 up 0.0.0.0 promisc
/sbin/ifconfig eth1 up 0.0.0.0 promisc
/sbin/brctl addbr br0
/sbin/brctl addif br0 eth0
/sbin/brctl addif br0 eth1
/sbin/ifconfig br0 up


# Filter rules. For a complete list of common ports, see /etc/services
# Define the br0 chain
/sbin/ipchains -N br0
# Accept Notes (port 1352) connections to everyone
# (-y matches only connection-opening TCP packets: SYN set, ACK and FIN clear)
/sbin/ipchains -A br0 -s 0.0.0.0/0 -d 192.1.1.0/24 1352 -p tcp -y -j ACCEPT
# Accept SMTP (port 25) connections to mail server (.3)
/sbin/ipchains -A br0 -s 0.0.0.0/0 -d 192.1.1.3 25 -p tcp -y -j ACCEPT
# Accept connections to Linus (.2) on port 23, as written; note that 23 is
# telnet, and SSH normally listens on 22
/sbin/ipchains -A br0 -s 0.0.0.0/0 -d 192.1.1.2 23 -p tcp -y -j ACCEPT

# Pass client's DNS lookups. -b inserts a second rule with source and
# destination (including the port) swapped, so these also accept packets
# arriving from any host's source port 53 into the LAN.
/sbin/ipchains -A br0 -b -s 192.1.1.0/24 -d 0.0.0.0/0 53 -p tcp -y -j ACCEPT
/sbin/ipchains -A br0 -b -s 192.1.1.0/24 -d 0.0.0.0/0 53 -p udp -j ACCEPT
# Allow our machines to make outgoing connections
/sbin/ipchains -A br0 -s 192.1.1.0/24 -d 0.0.0.0/0 -j ACCEPT
# Allow responses to what we send out (! -y: any TCP packet that is not a
# connection request; ipchains is stateless, so this cannot check that a
# matching outgoing connection actually exists)
/sbin/ipchains -A br0 -s 0.0.0.0/0 -d 192.1.1.0/24 -p tcp ! -y -j ACCEPT
# Pass all ICMP packets (-y is a TCP-only test and cannot be used on an
# ICMP rule; the target must be given with -j)
/sbin/ipchains -A br0 -s 0.0.0.0/0 -d 0.0.0.0/0 -p icmp -j ACCEPT

# Block everything else
/sbin/ipchains -A br0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j DENY

<--- End file

Hope this helps.

-< Christopher P. Gill >-< Senator, Class of 2002>-< chris@grass.org >-
---------< Rensselaer Polytechnic Institute - Troy, New York >---------
---< "I'm very well acquainted with the seven deadly sins, I keep a >--
-----------< busy schedule, just trying to fit them in." >-------------
-------------------< -Warren Zevon, Mr. Bad Example >------------------

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu
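The br0 chain from the post, run against a few constructed packets, as an added example that is not part of the original message: the evaluator, the sample packets and the outside address 203.0.113.5 (a documentation address standing in for a remote host) are assumptions of this example, not the poster's.

```python
# Added example, not the poster's script: a first-match evaluator for the br0 chain,
# to check the ruleset against sample packets. Modelled: src/dst network, the port
# ipchains attaches to -s/-d, protocol, and the SYN test (-y / ! -y).
from ipaddress import ip_address, ip_network
LAN, ANY = "192.1.1.0/24", "0.0.0.0/0"

def rule(src, dst, proto=None, syn=None, target="ACCEPT", sport=None, dport=None):
    return dict(src=src, sport=sport, dst=dst, dport=dport, proto=proto, syn=syn, target=target)

def bidir(**kw):  # -b: ipchains inserts the rule plus a copy with addresses and ports swapped
    fwd = rule(**kw)
    return [fwd, dict(fwd, src=fwd["dst"], sport=fwd["dport"], dst=fwd["src"], dport=fwd["sport"])]

BR0 = [  # same order as the script; rule indices 0-10
    rule(ANY, LAN, "tcp", True, dport=1352),                    # Notes
    rule(ANY, "192.1.1.3", "tcp", True, dport=25),              # SMTP to .3
    rule(ANY, "192.1.1.2", "tcp", True, dport=23),              # port 23 to .2
    *bidir(src=LAN, dst=ANY, dport=53, proto="tcp", syn=True),  # DNS tcp, -b
    *bidir(src=LAN, dst=ANY, dport=53, proto="udp"),            # DNS udp, -b
    rule(LAN, ANY),                                             # LAN outgoing
    rule(ANY, LAN, "tcp", False),                               # ! -y "replies"
    rule(ANY, ANY, "icmp"),
    rule(ANY, ANY, target="DENY"),
]

def matches(r, pkt):
    return (ip_address(pkt["src"]) in ip_network(r["src"])
            and ip_address(pkt["dst"]) in ip_network(r["dst"])
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and all(r[k] is None or r[k] == pkt.get(k) for k in ("sport", "dport"))
            and (r["syn"] is None or r["syn"] == pkt.get("syn", False)))

def verdict(pkt, chain=BR0):
    """First matching rule wins, as in ipchains; returns (target, rule index)."""
    for i, r in enumerate(chain):
        if matches(r, pkt):
            return r["target"], i
    return "DENY", None  # not reached here: the chain ends in a catch-all DENY

def packet(dst, dport, sport=40000, syn=True, proto="tcp", src="203.0.113.5"):
    # Constructed packet from an outside host (documentation address) into the LAN
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport, syn=syn)

SAMPLES = {
    "smtp_syn_to_mailhost": packet("192.1.1.3", 25),                  # ("ACCEPT", 1)
    "smtp_syn_to_other_host": packet("192.1.1.7", 25),                # ("DENY", 10)
    "non_syn_tcp_from_outside": packet("192.1.1.7", 139, syn=False),  # ("ACCEPT", 8)
    "syn_from_source_port_53": packet("192.1.1.7", 139, sport=53),    # ("ACCEPT", 4)
}
```

The last two verdicts are the checks worth making on this ruleset: `! -y` accepts any non-SYN TCP segment into the LAN, because a stateless filter cannot tell a reply from an unsolicited segment, and `-b` on the TCP DNS rule also accepts new connections arriving from source port 53, which the `! -y` rule already makes unnecessary for TCP replies.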

