----- Original Message -----
From: "Pete Nesbitt" <pete@xxxxxxxxx>
To: "Duncan" <drack@xxxxxxxxxx>; "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
Sent: Wednesday, July 21, 2004 6:59 AM
Subject: Re: IPCHAINS

> On July 19, 2004 11:23 pm, Duncan wrote:
> > On July 19, 2004 12:00 am, Duncan wrote:
> > > Still this simple firewall is not allowing traffic from my ISP and the
> > > CLIENT, but traffic on the LAN is flowing. All I want to do is allow
> > > traffic from me to the client; the client has squid so there is no
> > > need for masquerading. How do I do that with this firewall?
> > >
> > > # Setting default to deny all
> > > /sbin/ipchains -P input DENY
> > > /sbin/ipchains -P output DENY
> > > /sbin/ipchains -P forward DENY
> > >
> > > #allowing localhost
> > > /sbin/ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo
> > > /sbin/ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo
> > >
> > > #Deny packets from internet claiming to be from localhost and log
> > > /sbin/ipchains -A input -j REJECT -p all -s localhost -i ppp0 -l
> > >
> > > #Deny packets that mimic internal IPs and log
> > > /sbin/ipchains -A input -j REJECT -p all -s clientLAN/24 -i ppp0 -l
> > >
> > > #Allow packets from ISP
> > > /sbin/ipchains -A input -j ACCEPT -p all -s ISPrange/24 -d clientLAN/24 -i ppp0
> > >
> > > #Allow packets from LAN
> > > /sbin/ipchains -A output -j ACCEPT -p all -s clientLAN/24 -d ISPrange/24 -i ppp0
> > >
> > > #Allow outgoing packets thru internal interface
> > > /sbin/ipchains -A input -j ACCEPT -p all -s clientLAN/24 -i eth0
> > > /sbin/ipchains -A output -j ACCEPT -p all -s clientLAN/24 -i eth0
> > >
> > > > ----- Original Message -----
> > > > From: "Duncan" <drack@xxxxxxxxxx>
> > > > To: "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
> > > > Sent: Friday, July 16, 2004 9:10 AM
> > > > Subject: IPCHAINS
> > > >
> > > > Would the following ipchains stop tcp connections from anyone else
> > > > other than iprange? The IPs in the LAN are 195.167.2.0/24.
> > > >
> > > > /sbin/ipchains -F
> > > > /sbin/ipchains -P input -p tcp DENY
> > > > /sbin/ipchains -A input -p tcp -s iprange/24 -d 195.167.2.0/24 -j ACCEPT
> > > > /sbin/ipchains -A input -p udp -s iprange/24 -d 195.167.2.0/24 -j ACCEPT
> > > > /sbin/ipchains -A input -p icmp -s iprange/24 -d 195.167.2.0/24 -j ACCEPT
> > > >
> > > > Please advise.
> > > >
> > > > ---------------------------
> > > > Duncan Rack
> >
> > ----- Original Message -----
> > From: "Pete Nesbitt" <pete@xxxxxxxxx>
> > To: "Duncan" <drack@xxxxxxxxxx>; "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
> > Sent: Tuesday, July 20, 2004 3:07 AM
> > Subject: Re: IPCHAINS
> >
> > > Hi Duncan,
> > > I'm not sure I understand the whole layout, but if you're using both ppp
> > > and Ethernet, you will also need to add FORWARD rules to connect traffic
> > > going between them (if needed). IPchains was a bit more involved than
> > > IPtables is because, instead of just having a forward rule for routed
> > > packets, IPchains requires you to set an input->forward->output set of rules.
> > >
> > > You may be best to post the exact scenario (who is on what interface and
> > > who they need to talk to), as well as the whole rules script.
> > >
> > > Is there a reason you're using ipchains and not iptables?
> > > --
> > > Pete Nesbitt, rhce
> >
> > Hi Pete,
> >
> > Thanks, the box has RH6.2; I guess I am kind of more familiar with
> > ipchains. The whole idea is to allow the LAN to communicate through the linux
> > box with the ISP through any ports and vice versa, and then disallow traffic
> > from ANY outsider.
> > 1) The linux box already has squid, and what I don't know now is, if I put
> > forward rules, won't it mean there will be IP masquerading, i.e. every
> > machine will be able to browse and do anything and hence complicate the
> > firewall: more rules, port specifications etc...
> > 2) Is there anything amiss with the firewall though? It's working as far as
> > the LAN, but when it comes to communicating with the ISP ....NOTHING !!!!
> >
> > Please help!!!
>
> Hi Duncan,
> IP Masquerading is separate from the 'forward' routing rules. As long as your
> internal network's IPs are valid IPs you can use on the Internet (i.e. you
> own them) and your ISP routes them for you, you don't need masquerading. There is
> no difference on the LAN side of the firewall, as right now all machines
> could browse the internet if forwarding is in place. So, no, I don't think it
> would complicate your firewall.
>
> So I see the network as this:
>
> LAN <ethernet> FW <ppp> ISP <-> Internet
>
> As long as the LAN boxes have the fw as default gateway, and the fw has the
> PPP connection to the ISP as its default gateway, your rules should be fine.
>
> You'll need to walk each connection through the fw using an 'input, forward,
> output' path. Your basic rules look like they will work once the 'paths' are
> complete. Does your ISP range need to be allowed to initiate a session, or is
> that so you can get to them for proxy or something? If so, you should set them
> up to not allow syn packets inbound to your LAN. You may also want to add ssh
> from your workstation to the fw.
>
> Hope that helps.
> --
> Pete Nesbitt, rhce

Hi Pete,

I guess I just have to try what you are saying; it really does make sense.
The thing is, I just wanted the firewall to be so simple that it would not
involve many modifications in the future should someone want some changes.
Thanks a million. Someone had said, if you noticed, that forwarding is not
necessary. Thanks

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
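As an added example (not code from the thread or from either poster), below is a complete ipchains script for the layout Pete sketches, LAN <eth0> FW <ppp0> ISP, that does what his reply asks for: each routed connection is walked through the input, forward and output chains, inbound TCP from the ISP range is accepted only when it is not a new SYN ("! -y"), and ssh to the firewall is allowed from one admin workstation. The LAN range 195.167.2.0/24 and the squid proxy on the firewall come from the thread; the ISP range 192.0.2.0/24, the firewall's LAN address 195.167.2.1, the admin workstation 195.167.2.10 and squid port 3128 are assumed placeholders. With DRY_RUN=1 (the default) the script only prints the ipchains commands it would run, so it can be read and checked on any machine.

```shell
#!/bin/sh
# Added example, not from the thread: an ipchains ruleset for
# LAN <eth0> FW <ppp0> ISP. Every routed connection is walked through
# input -> forward -> output, and TCP from the ISP side is accepted only
# when it is not a connection-opening SYN ("! -y"), so the ISP range can
# answer the LAN but cannot initiate sessions into it.
#
# From the thread: LAN is 195.167.2.0/24 and squid runs on the firewall.
# Assumed (not in the thread): ISP range 192.0.2.0/24, firewall LAN
# address 195.167.2.1, admin workstation 195.167.2.10, squid on 3128.
# With DRY_RUN=1 (the default) the rules are printed, not loaded.

LAN=195.167.2.0/24
FW_LAN=195.167.2.1
ADMIN=195.167.2.10
ISP=192.0.2.0/24
LAN_IF=eth0
EXT_IF=ppp0
SQUID_PORT=3128

# Print the command in dry-run mode, otherwise run it.
ipc() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "/sbin/ipchains $*"
    else
        /sbin/ipchains "$@"
    fi
}

load_rules() {
    ipc -F
    ipc -P input DENY
    ipc -P forward DENY
    ipc -P output DENY

    # Loopback.
    ipc -A input  -i lo -j ACCEPT
    ipc -A output -i lo -j ACCEPT

    # Anti-spoofing on the ppp side: log and drop packets that claim to
    # come from loopback or from our own LAN.
    ipc -A input -i $EXT_IF -s 127.0.0.0/8 -l -j DENY
    ipc -A input -i $EXT_IF -s $LAN -l -j DENY

    # Path 1: LAN -> ISP. Enters on eth0, is routed, leaves on ppp0.
    # In the forward chain, -i names the interface the packet will leave on.
    ipc -A input   -i $LAN_IF -s $LAN -d $ISP -j ACCEPT
    ipc -A forward -i $EXT_IF -s $LAN -d $ISP -j ACCEPT
    ipc -A output  -i $EXT_IF -s $LAN -d $ISP -j ACCEPT

    # Path 2: ISP -> LAN. Same three hops in reverse. TCP is accepted only
    # when it is not a SYN (-y matches SYN set, ACK and FIN clear); new
    # connections from the ISP side are logged and dropped instead.
    ipc -A input   -i $EXT_IF -p tcp  -s $ISP -d $LAN ! -y -j ACCEPT
    ipc -A input   -i $EXT_IF -p tcp  -s $ISP -d $LAN -y -l -j DENY
    ipc -A input   -i $EXT_IF -p udp  -s $ISP -d $LAN -j ACCEPT
    ipc -A input   -i $EXT_IF -p icmp -s $ISP -d $LAN -j ACCEPT
    ipc -A forward -i $LAN_IF -s $ISP -d $LAN -j ACCEPT
    ipc -A output  -i $LAN_IF -s $ISP -d $LAN -j ACCEPT

    # Path 3: LAN -> the firewall itself (no forward hop): squid from the
    # whole LAN, ssh only from the admin workstation, and the replies back.
    ipc -A input  -i $LAN_IF -p tcp -s $LAN   -d $FW_LAN $SQUID_PORT -j ACCEPT
    ipc -A input  -i $LAN_IF -p tcp -s $ADMIN -d $FW_LAN 22 -j ACCEPT
    ipc -A output -i $LAN_IF -p tcp -s $FW_LAN -d $LAN ! -y -j ACCEPT

    # Path 4: the firewall (squid) talking to the ISP range itself. The
    # ppp0 address is dynamic, so no -d on the inbound reply rule.
    ipc -A output -i $EXT_IF -d $ISP -j ACCEPT
    ipc -A input  -i $EXT_IF -p tcp -s $ISP ! -y -j ACCEPT

    # Routing between eth0 and ppp0 also needs forwarding switched on.
    [ "${DRY_RUN:-1}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

load_rules
```

Run it as-is to review the generated rules, then as DRY_RUN=0 sh firewall.sh on the RH6.2 box to load them. The two `-A forward` lines are the piece Duncan's script was missing; without them packets arriving on eth0 for the ISP range are accepted by the input chain and then dropped by the forward policy, which matches the "LAN works, ISP gets nothing" symptom he describes.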