
setting up ipchains

Status
Not open for further replies.

cleansedbb

Technical User
Feb 11, 2002
95
US
I have set up my ipchains as follows.
My question is, am I blocking the bad IPs right?
i.e. will
-A input -s 152.163.0.0/16 -d 0/0 -p tcp -y -j DENY
block 152.163.0.0-152.163.255.255
and should I move my deny ports up or leave them
at the bottom? I tried setting
:input DENY
:forward DENY
:output DENY
but it wouldn't let me do anything to an outside address
even if I setup rules to allow it.

Running nmap on the local PC I show that 80, 22, 111, 6000 are the only ports open,
yet running a superscan from an external PC I show 80-83, 8080, 1080, 110, 25, 21, 22, 389, etc.,
none of which I can connect to but ports 80 and 22, which are supposed to be open.


So here's what I have now:

#########################################################
:input ACCEPT
:forward ACCEPT
:output ACCEPT
######
# allow http/ssh/local
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
######
# block sunrpc/X
-A input -s 0/0 -d 0/0 6000:6009 -p tcp -y -j DENY
-A input -s 0/0 -d 0/0 111 -p tcp -y -j DENY
######
# block bad ip (aol)
-A input -s 152.163.0.0/16 -d 0/0 -p tcp -y -j DENY
-A input -s 152.163.0.0/16 -d 0/0 -p udp -j DENY
-A input -s 152.163.0.0/16 -d 0/0 -p icmp -j DENY
######
# block all
-A input -s 0/0 -d 0/0 -p tcp -y -j DENY
-A input -s 0/0 -d 0/0 -p udp -j DENY
-A input -s 0/0 -d 0/0 -p icmp -j DENY
 
My preference would be to block all and then only permit what you require - that way, there's no worry of anything 'creeping in'.

A good tool to use is:


as is the rest of the site...

It'll generate a huge and complex ipchains script but even if you don't use it, it's a really good study aid - so to speak.
 
Hi,

Your rules are a little confused - what you do is first choose the default you prefer, i.e. do you allow everything by default or deny everything? The '-P' flag indicates these default policies - e.g.:

/sbin/ipchains -P input DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -P forward DENY

You then only need to code the exceptions, i.e. the rules that ACCEPT the packets you want to allow if you default to DENY or REJECT. Obviously the reverse also applies - you only need to code DENY or REJECT rules if your default is to ACCEPT.

See -->
Regards
 
The chain I posted was autogenerated with lokkit. I used the site posted above and it works a lot better.
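
Added example (not part of the original thread, and not lokkit or ipchains code): a small Python model of first-match evaluation run over the input rules from the first post, to show how rule order and the default policy decide a packet's fate. The packet fields, the `eth0` interface name and the sample source addresses are assumptions for illustration, and only the options these rules use are modelled.

```python
import ipaddress

# Input-chain rules from the first post, in posted order (policy lines left out).
RULES = """\
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 6000:6009 -p tcp -y -j DENY
-A input -s 0/0 -d 0/0 111 -p tcp -y -j DENY
-A input -s 152.163.0.0/16 -d 0/0 -p tcp -y -j DENY
-A input -s 152.163.0.0/16 -d 0/0 -p udp -j DENY
-A input -s 152.163.0.0/16 -d 0/0 -p icmp -j DENY
-A input -s 0/0 -d 0/0 -p tcp -y -j DENY
-A input -s 0/0 -d 0/0 -p udp -j DENY
-A input -s 0/0 -d 0/0 -p icmp -j DENY"""

def parse(line):
    """Parse one rule; the destination address is always 0/0 here, so only its port is kept."""
    tok = line.split()
    rule = {"ports": (0, 65535), "proto": None, "syn": False, "iface": None}
    i = 2                                   # skip "-A input"
    while i < len(tok):
        flag, val = tok[i], tok[i + 1] if i + 1 < len(tok) else None
        if flag == "-y":                    # -y takes no argument: SYN-only match
            rule["syn"], i = True, i + 1
            continue
        if flag == "-s":
            rule["src"] = ipaddress.ip_network("0.0.0.0/0" if val == "0/0" else val)
        elif flag == "-d" and not tok[i + 2].startswith("-"):
            lo, _, hi = tok[i + 2].partition(":")   # single port or lo:hi range
            rule["ports"], i = (int(lo), int(hi or lo)), i + 1
        elif flag in ("-p", "-i", "-j"):
            rule[{"-p": "proto", "-i": "iface", "-j": "target"}[flag]] = val
        i += 2
    return rule

def verdict(chain, src, proto, dport=0, syn=False, iface="eth0", policy="ACCEPT"):
    """First matching rule wins; return (target, rule number) or (policy, None)."""
    for n, r in enumerate(chain, 1):
        if (ipaddress.ip_address(src) in r["src"]
                and r["iface"] in (None, iface)
                and r["proto"] in (None, proto)
                and (syn or not r["syn"])
                and r["ports"][0] <= dport <= r["ports"][1]):
            return r["target"], n
    return policy, None

CHAIN = [parse(line) for line in RULES.splitlines()]
REORDERED = CHAIN[5:8] + CHAIN[:5] + CHAIN[8:]   # 152.163.0.0/16 denies moved first
```

In this model a SYN from 152.163.1.2 to port 80 is accepted by rule 1 before the /16 deny at rule 6 is reached, while the reordered chain denies it at rule 1. A TCP packet without SYN matches none of the `-y` rules and gets whatever the chain policy is.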
 