[ale] Ipchains question

Robert Heaven robertheaven at mediaone.net
Wed Jun 27 20:27:13 EDT 2001


The packet filter logic will exit at the point when it gets
a match. When you have a general DENY followed by a general ACCEPT, the
packet filter exits on the DENY and the ACCEPT is never tested. The way you
have this set up, when it matches on the ICMP packet type it dumps the
packet and exits immediately. The trick is to have a selective ACCEPT before
the general DENY. i.e.

    ipchains -A input -p icmp -i eth0 -s $MY_SUBNET/$MY_NETMASK -d 0.0.0.0/0 -j ACCEPT
    ipchains -A input -p icmp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j DENY

This way only pings from your home router (or your neighbors if you have a
cable modem) can be accepted by the packet filter.

>----- Original Message -----
>From: Chris Fowler
>To: 'ale at ale.org'
>Sent: Wednesday, June 27, 2001 6:56 PM
>Subject: [ale] Ipchains question
>
>
>ipchains -A input -p icmp -j DENY
>Will deny all icmp packet to my system.
>ipchains -A input -p icmp -j ACCEPT
>will not turn back on allowing of those packets.
>What did I do wrong?
>Thanks,
>Chris Fowler

Below is my complete ipchains script that I run out of /etc/rc.d/rc.local
===============================================
#!/bin/sh
# Derive the local subnet and netmask from the routing table. The grep
# pattern matches routes whose destination begins with "24" (the author's
# cable-modem subnet); adjust the pattern for your own network.
SUBNET=`netstat -rn | grep ^24 | awk '{print $1}'`
NETMASK=`netstat -rn | grep ^24 | awk '{print $3}'`

# Setting up Firewall packet filtering
ipchains -F input
ipchains -F output
ipchains -F forward
# Drop packets arriving on the outside interface that claim a private or
# loopback source address (spoofed). The RFC 1918 block is 172.16.0.0/12,
# not 172.16.0.0/16, so the mask is corrected here.
ipchains -A input -p all -i eth0 -s 10.0.0.0/8 -d 0.0.0.0/0 -j DENY
ipchains -A input -p all -i eth0 -s 127.0.0.0/8 -d 0.0.0.0/0 -j DENY
ipchains -A input -p all -i eth0 -s 192.168.0.0/16 -d 0.0.0.0/0 -j DENY
ipchains -A input -p all -i eth0 -s 172.16.0.0/12 -d 0.0.0.0/0 -j DENY
# Already covered by the 192.168.0.0/16 rule above; harmless but redundant.
ipchains -A input -p all -i eth0 -s 192.168.100.0/255.255.255.0 -d 0.0.0.0/0 -j DENY
# Selective ACCEPT before the general DENY: only ICMP from the local subnet gets in.
ipchains -A input -p icmp -i eth0 -s $SUBNET/$NETMASK -d 0.0.0.0/0 -j ACCEPT
ipchains -A input -p icmp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j DENY
# Refuse and log (-l) inbound TCP connection attempts (SYN packets, -y),
# then any TCP or UDP to the privileged ports 1-1023.
ipchains -A input -p tcp -i eth0 -y -j DENY -l
ipchains -A input -p tcp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 1:1023 -j DENY
ipchains -A input -p udp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 1:1023 -j DENY

# Setting up IP Masquerading
ipchains -P forward DENY
ipchains -A forward -p all -s 192.168.100.0/255.255.255.0 -d 0.0.0.0/0 -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward
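The first-match behaviour Robert describes (and the reason the DENY-then-ACCEPT order in Chris's original mail never lets a ping through) can be checked without an ipchains kernel. The following simulation is an added example and is not code from the post or from the ipchains project; it models the input chain as an ordered list, returns the target of the first matching rule, and also flags rules that can never fire because an earlier rule already matches everything they would. The rule and packet classes, the `verdict`/`dead_rules` helpers, the sample packets, and the use of 24.0.0.0/8 as a stand-in for `$SUBNET/$NETMASK` are all constructed for this example; the script's own rule list is reproduced with the 172.16.0.0/12 RFC 1918 mask.

```python
"""First-match simulation of an ipchains-style input chain (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str                               # "icmp", "tcp", "udp" or "all"
    src: str                                 # source network in CIDR notation
    target: str                              # "ACCEPT" or "DENY"
    dports: Optional[Tuple[int, int]] = None  # inclusive destination port range, None = any
    syn_only: bool = False                   # ipchains -y: match only TCP SYN packets


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int = 0
    syn: bool = False


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule match this packet?"""
    if rule.proto not in ("all", pkt.proto):
        return False
    if ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if rule.dports is not None and not (rule.dports[0] <= pkt.dport <= rule.dports[1]):
        return False
    if rule.syn_only and not pkt.syn:
        return False
    return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first match decides and the walk stops."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy  # nothing matched: the chain policy applies


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` would already match `outer`."""
    if outer.proto not in ("all", inner.proto):
        return False
    if not ip_network(inner.src, strict=False).subnet_of(ip_network(outer.src, strict=False)):
        return False
    if outer.dports is not None:
        if inner.dports is None:
            return False
        if not (outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1]):
            return False
    if outer.syn_only and not inner.syn_only:
        return False
    return True


def dead_rules(chain: List[Rule]) -> List[int]:
    """Indices of rules shadowed by an earlier rule, i.e. rules that can never fire."""
    return [j for j, inner in enumerate(chain)
            if any(covers(chain[i], inner) for i in range(j))]


# Constructed stand-in for $SUBNET/$NETMASK (a cable-modem /8); not from the post.
LOCAL_SUBNET = "24.0.0.0/8"

# Chris's order: the general DENY fires first, so the ACCEPT is unreachable.
DENY_THEN_ACCEPT = [
    Rule("icmp", "0.0.0.0/0", "DENY"),
    Rule("icmp", "0.0.0.0/0", "ACCEPT"),
]

# Robert's order: selective ACCEPT for the local subnet, then general DENY.
ACCEPT_THEN_DENY = [
    Rule("icmp", LOCAL_SUBNET, "ACCEPT"),
    Rule("icmp", "0.0.0.0/0", "DENY"),
]

# The input chain from the rc.local script above, in the same order.
SCRIPT_CHAIN = [
    Rule("all", "10.0.0.0/8", "DENY"),
    Rule("all", "127.0.0.0/8", "DENY"),
    Rule("all", "192.168.0.0/16", "DENY"),
    Rule("all", "172.16.0.0/12", "DENY"),
    Rule("all", "192.168.100.0/24", "DENY"),   # shadowed by 192.168.0.0/16
    Rule("icmp", LOCAL_SUBNET, "ACCEPT"),
    Rule("icmp", "0.0.0.0/0", "DENY"),
    Rule("tcp", "0.0.0.0/0", "DENY", syn_only=True),
    Rule("tcp", "0.0.0.0/0", "DENY", dports=(1, 1023)),
    Rule("udp", "0.0.0.0/0", "DENY", dports=(1, 1023)),
]

if __name__ == "__main__":
    ping = Packet("icmp", "24.1.2.3")  # constructed: a host on the local subnet
    print("DENY then ACCEPT:", verdict(DENY_THEN_ACCEPT, ping), "dead:", dead_rules(DENY_THEN_ACCEPT))
    print("ACCEPT then DENY:", verdict(ACCEPT_THEN_DENY, ping), "dead:", dead_rules(ACCEPT_THEN_DENY))
    print("script chain dead rules:", dead_rules(SCRIPT_CHAIN))
```

Running it shows the local-subnet ping is denied under the first ordering and accepted under the second, and `dead_rules` reports index 1 of the first chain (the unreachable ACCEPT) and index 4 of the script chain (the 192.168.100.0/24 rule already covered by 192.168.0.0/16). The shadowing check is deliberately conservative: it only reports a rule when an earlier rule matches a strict superset of its traffic, so it never hides a rule that can still fire.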

