[ale] ipchains firewall rules

Robert Heaven robertheaven at mediaone.net
Thu Sep 21 14:33:58 EDT 2000


Here's a copy of my home firewall ipchain rules for your use... or not...

#!/bin/sh

# Setting up Firewall packet filtering

# Flush the three built-in chains so the script can be re-run cleanly
ipchains -F input
ipchains -F output
ipchains -F forward

# Anti-spoofing: drop packets arriving on the Internet side (eth0) that
# claim a private, loopback or internal-LAN source address
ipchains -A input -p all -i eth0 -s 10.0.0.0/8 -d 0.0.0.0/0 -j DENY
ipchains -A input -p all -i eth0 -s 127.0.0.0/8 -d 0.0.0.0/0 -j DENY
ipchains -A input -p all -i eth0 -s 192.168.0.0/16 -d 0.0.0.0/0 -j DENY
# RFC 1918 reserves 172.16.0.0/12; the /16 in the original post covered only 172.16.x.x
ipchains -A input -p all -i eth0 -s 172.16.0.0/12 -d 0.0.0.0/0 -j DENY
ipchains -A input -p all -i eth0 -s 192.168.100.0/255.255.255.0 -d 0.0.0.0/0 -j DENY

# ICMP: accept it only from 24.88.62.0/23, drop all other ICMP
ipchains -A input -p icmp -i eth0 -s 24.88.62.0/255.255.254.0 -d 0.0.0.0/0 -j ACCEPT
ipchains -A input -p icmp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j DENY

# Block the privileged ports (1-1023) and port 10000 from the Internet side
ipchains -A input -p tcp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 1:1023 -j DENY
ipchains -A input -p udp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 1:1023 -j DENY

ipchains -A input -p tcp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 10000 -j DENY
ipchains -A input -p udp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 10000 -j DENY

# Deny and log (-l) any remaining inbound TCP connection attempts (SYN, -y);
# replies to connections opened from the inside still pass
ipchains -A input -p tcp -i eth0 -y -j DENY -l

# Setting up IP Masquerading

# Forward nothing except the internal LAN, which is masqueraded behind eth0
ipchains -P forward DENY
ipchains -A forward -p all -s 192.168.100.0/255.255.255.0 -d 0.0.0.0/0 -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward


----- Original Message -----
From: Wandered Inn <esoteric at atlnet.com>
To: ale at ale.org
To: Atlanta Linux Enthusiasts <ale at ale.org>
Sent: Thursday, September 21, 2000 1:18 PM
Subject: Re: [ale] ipchains firewall rules


> Blake Sorensen wrote:
> >
> > There is also a web based interface for generating
> > firewall rules based on that book at:
> > http://www.linux-firewall-tools.com/linux/firewall/
>
> I guess I'm the paranoid type, but I've been fumbling with this for a
> few months now.  I've got the Linux Firewalls book, but I've also been
> reading through the various HOWTOs as well as:
>
> Firewalls and Internet Security (Repelling the Wily Hacker)
> Cheswick/Bellovin - Addison-Wesley (dated, but has some good stuff, and
> isn't as dry as some)
>
> Building Internet Firewalls Zwicky/Cooper/Chapman - O'Reilly
>
> Maximum Linux Security Anonymous - Sams
>
> There was a reference recently on this list to a couple of articles on
> http://rootprompt.org/ which I've started to take a look at.  Look in
> the sidebar for Fortress Building, or something like that.
>
> Yet, I still don't have the warm and fuzzies yet.  I'm still dial up and
> I still knock my connection down each evening. :)
>
> I was just now successful in implementing port forwarding through my
> firewall to another machine that serves as my webserver. :)
>
>
> >
> > Very helpful to me.
> >
> > --
> > Blake Sorensen
> >
> > --- Thompson Freeman <tfreeman at intel.digichem.net>
> > wrote:
> > >
> > > "Linux Firewalls" by Robert Ziegler may leave you
> > > with warm fuzzies about
> > > your firewall. If not - I'm certain you will be much
> > > closer to your goal.
> > >
> > > On Thu, 21 Sep 2000, Pete Hardie wrote:
> > >
> > > > Hello all,
> > > >
> > > > I've been trying to find info on setting up a good
> > > firewall, and the
> > > > big sticking point is what is a good ruleset for
> > > ipchains.  I've looked
> > > > at the HOWTOs for ipchains, firewall, and ipmasq,
> > > but they do not quite
> > > > cover it in a manner that reaches me well enough
> > > to give me the warm
> > > > fuzzies about my home firewall.
> > > >
> > > > Does anyone have a pointer to a good, clearly
> > > explained set of ipchains
> > > > rules for a home firewall, with/without internal
> > > DNS/mail servers?
> > > >
> > > > Thanks.
> > > >
> > > >
> > >
> > > --
> > > ===========================================
> > > The harder I work, the luckier I get.
> > >                     Lee Iacocca
> > > ===========================================
> > > Thompson Freeman          tfreeman at digichem.net
> > >
> > > --
> > > To unsubscribe: mail majordomo at ale.org with
> > > "unsubscribe ale" in message body.
> > >
> > >
> > >
> >
>
> --
> Until later: Geoffrey esoteric at denali.atlnet.com
>
> Microsoft != Innovation

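The input chain from the ipchains script at the top of this message, run through a small first-match simulator. This is an added example, not code from the post: the rule lines are re-typed from it as constructed test data (keeping the 172.16.0.0/16 exactly as posted, so that a packet from elsewhere in 172.16.0.0/12 shows up as unfiltered), and packets are plain dicts rather than real traffic.

```python
import ipaddress
# Input-chain rules re-typed from the post (constructed test data), one per line.
RULES = """-p all -i eth0 -s 10.0.0.0/8 -d 0.0.0.0/0 -j DENY
-p all -i eth0 -s 127.0.0.0/8 -d 0.0.0.0/0 -j DENY
-p all -i eth0 -s 192.168.0.0/16 -d 0.0.0.0/0 -j DENY
-p all -i eth0 -s 172.16.0.0/16 -d 0.0.0.0/0 -j DENY
-p all -i eth0 -s 192.168.100.0/255.255.255.0 -d 0.0.0.0/0 -j DENY
-p icmp -i eth0 -s 24.88.62.0/255.255.254.0 -d 0.0.0.0/0 -j ACCEPT
-p icmp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j DENY
-p tcp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 1:1023 -j DENY
-p udp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 1:1023 -j DENY
-p tcp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 10000 -j DENY
-p udp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 10000 -j DENY
-p tcp -i eth0 -y -j DENY -l""".splitlines()
FLAGS = {"-y": "syn", "-l": "log"}  # options that take no argument
OPTS = {"-p": "proto", "-i": "iface", "-s": "src", "-d": "dst", "-j": "target"}

def parse_rule(line):
    """Parse the ipchains option subset used in the post into a dict."""
    r = {"proto": "all", "iface": None, "src": None, "dst": None,
         "dport": None, "syn": False, "log": False, "target": None}
    toks = line.split()
    while toks:
        o = toks.pop(0)
        if o in FLAGS:
            r[FLAGS[o]] = True
        elif o in OPTS:
            v = toks.pop(0)  # address arguments accept both /8 and /255.0.0.0 masks
            r[OPTS[o]] = ipaddress.ip_network(v, strict=False) if o in ("-s", "-d") else v
            if o == "-d" and toks and not toks[0].startswith("-"):  # port or lo:hi range
                lo, _, hi = toks.pop(0).partition(":")
                r["dport"] = (int(lo), int(hi or lo))
        else:
            raise ValueError("unsupported option " + o)
    return r

def matches(r, pkt):
    """pkt keys: iface, proto, src, dst, plus dport and syn for TCP/UDP."""
    return (r["iface"] in (None, pkt["iface"]) and r["proto"] in ("all", pkt["proto"])
            and (r["src"] is None or ipaddress.ip_address(pkt["src"]) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(pkt["dst"]) in r["dst"])
            and (r["dport"] is None or r["dport"][0] <= pkt.get("dport", 0) <= r["dport"][1])
            and (not r["syn"] or pkt.get("syn", False)))

def verdict(pkt, rules=None, policy="ACCEPT"):
    """First match wins, as in ipchains; the post leaves the input policy at ACCEPT."""
    for r in rules or [parse_rule(l) for l in RULES]:
        if matches(r, pkt):
            return r["target"], r["log"]
    return policy, False
```

Feeding it a UDP packet from 172.20.0.1 returns ACCEPT, which is the gap the /16 leaves; the same packet from 172.16.5.5 is denied by rule 4.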