On July 19, 2004 11:23 pm, Duncan wrote: > > On July 19, 2004 12:00 am, Duncan wrote: > > > Still this simple firewall is not allowing traffic from me ISP and the > > > CLIENT but traffic on the LAN is flowing , all i want to do is allowa > > > traffic from me to the client , the client has squid so there is no > > > need for masquarading .Hw do i do that with tis firewall. > > > > > > # Setting default to deny all > > > /sbin/ipchains -P input DENY > > > /sbin/ipchains -P output DENY > > > /sbin/ipchains -P forward DENY > > > > > > > > > #allowing localhost > > > /sbin/ipchains -A input -j ACCEPT -p all -s localhost -d localhost > > > -i > > lo > > > > /sbin/ipchains -A output -j ACCEPT -p all -s localhost -d localhost > > > -i > > lo > > > > #Deny packets from internet claiming to be from localhost and log > > > /sbin/ipchains -A input -j REJECT -p all -s localhost -i ppp0 -l > > > > > > #Deny packets that mimic internal IPs and log > > > /sbin/ipchains -A input -j REJECT -p all -s clientLAN/24 -i ppp0 -l > > > > > > #Allow packets from ISP > > > /sbin/ipchains -A input -j ACCEPT -p all -s ISPrange/24 -d > > > ientLAN/24 -i ppp0 > > > > > > #Allow packets from LAN > > > /sbin/ipchains -A output -j ACCEPT -p all -s client/24 -d > > ISPrange/24 -i > > > > ppp0 > > > > > > #Allow outgoing packets thru internal interface > > > /sbin/ipchains -A input -j ACCEPT -p all -s clientLAN/24 -i eth0 > > > /sbin/ipchains -A output -j ACCEPT -p all -s clientLAN/24 -i eth0 > > > > > > > ----- Original Message ----- > > > > From: "Duncan" <drack@xxxxxxxxxx> > > > > To: "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx> > > > > Sent: Friday, July 16, 2004 9:10 AM > > > > Subject: IPCHAINS > > > > > > > > > > > > would the following ipchains stop tcp connections from anyone else > > other > > > > > than iprange , the ips in LAN 195.167.2.0/24 > > > > > > > > /sbin/ipchains -F > > > > /sbin/ipchains -P input -p tcp DENY > > > > /sbin/ipchains -A input -p tcp -s iprange/24 -d > > 5.167.2.0/24 -j > > > > > ACCEPT > > > > /sbin/ipchains -A input -p udp -s iprange/24 -d > > 5.167.2.0/24 -j > > > > > ACCEPT > > > > /sbin/ipchains -A input -p icmp -s iprange/24 -d > > 5.167.2.0/24 -j > > > > > ACCEPT > > > > > > > > Please advice > > > > > > > > --------------------------- > > > > Duncan Rack > > ----- Original Message ----- > From: "Pete Nesbitt" <pete@xxxxxxxxx> > To: "Duncan" <drack@xxxxxxxxxx>; "General Red Hat Linux discussion list" > <redhat-list@xxxxxxxxxx> > Sent: Tuesday, July 20, 2004 3:07 AM > Subject: Re: IPCHAINS > > > Hi Duncan, > > I'm not sure I understand the whole layout, but if you're using both ppp > > and > > > Ethernet, you will also need to add FORWARD rules to connect traffic > > going between them (if needed). IPchains was a bit more involved than > > IPtables > > is > > > because instead of just having a forward rule for routed packets, > > IPchains requires you set an input->forward->output set of rules. > > > > You may be best to post the exact senario (who is on what interface and > > who > > > they need to talk to), as well as the whole rules script. > > > > Is there a reason you're using ipchains and not iptables? > > -- > > Pete Nesbitt, rhce > > Hi Pete, > > Thanks , the box has RH6.2 , i gues i am kinda of more familiar with > ipchains. The whole idea is to allow the LAN to communicate thru the linux > box with the ISP thru any ports and vice versa and then disallow traffic > from ANY outsider . > 1) The linux box already has squid and wat i dont know now is if i put > forward rules , wont it mean there will be IP masquarading i.e every > machine will be able to browse and do anything and hence complicate the > firewall , more rules ,port specifications etc... > 2) is there anything amiss with the firewall though? its working as far as > the LAN but when it comes to communicating with the ISP ....NOTHING !!!! > > Please help!!! Hi Duncan, IP Masquarading is separate from the 'forward' routing rules. As long as your internal networks IP's are valid IP's you can use on the INternet (i.e. you own) and your ISP routes them for you, you don't need masqarading. There is no difference on the LAN side of the firewall, as right now all machines could browse the internet if forwarding in in place. So, no I don't think it would complicate your firewall. So I see the network as this: LAN <ethernet> FW <ppp> ISP <-> Internet As long as the LAN boxes have the fw as default gateways, and the fw has the PPP connection to the ISP as it's dfault gateway, you rules should be fine. You'll need to walk each connection thru the fw using an 'input, forward, output' path. Your basic rules look like they will work once the 'paths' are complete. Does your ISP range need to be allowed to initiate a session or is that so you can get to them for proxy or something, if so you should set them up to not allow syn packets inbound to your LAN. You may also want to add ssh from your workstaion to the fw. Hope that helps. -- Pete Nesbitt, rhce -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
