[Linuxtrent] Re: Ipchains (a bit long... sorry)

  • From: jclark <jclark@xxxxxxxxxxxxx>
  • To: linuxtrent@xxxxxxxxxxxxx
  • Date: Wed, 24 Apr 2002 12:18:12 +0200


> ----------------------------------- cut ------------------------------------
> #!/bin/sh
>
> # enable ip forwarding
> echo "1" > /proc/sys/net/ipv4/ip_forward
> # setup the basic here, all denied except
> # the traffic on the loopback interface...
> $IPCHAINS -A input -i lo -j ACCEPT
> $IPCHAINS -A output -i ! lo -j ACCEPT
> $IPCHAINS -A forward -j DENY

If you set forward to DENY, the internal network can't get out; you have to set it to
MASQ.

Below are the rules I use at the company; the IPs are fictitious. For convenience,
back then I used gfcc.


#!/bin/sh
# Generated by Gtk+ firewall control center

IPCHAINS=/sbin/ipchains


localnet="192.168.2.0/24"
firewallhost="192.168.2.241/32"
Any="0.0.0.0/0"
localhost_localdomain="127.0.0.1/32"
# Note: this variable is assigned twice and the second assignment wins, so every
# rule below that uses $firewall matches the internal address 192.168.2.241.
firewall="222.82.20.198/32"
firewall="192.168.2.241/32"

# Default policies: traffic to and from the firewall is accepted unless a rule
# says otherwise; forwarded traffic is masqueraded, which is what lets the
# internal network reach the outside.
$IPCHAINS -P input ACCEPT
$IPCHAINS -P forward MASQ
$IPCHAINS -P output ACCEPT

# Flush all rules and delete user-defined chains before adding ours.
$IPCHAINS -F
$IPCHAINS -X

# input rules
# Refuse and log ICMP echo requests (type 8) arriving on eth0. ipchains stops
# at the first matching rule, so the REJECT line fires and the DENY line
# right below it is never reached.
$IPCHAINS -A input -p icmp -s $Any 8 -d $Any -i eth0 -j REJECT -l
$IPCHAINS -A input -p icmp -s $Any 8 -d $Any -i eth0 -j DENY -l
# FTP control and data connections from one specific external host to the LAN
$IPCHAINS -A input -p tcp -s 141.202.215.12/32 ftp -d 192.168.2.0/24 ftp -i eth0 -j ACCEPT
$IPCHAINS -A input -p tcp -s 141.202.215.12/32 ftp-data -d 192.168.2.0/24 ftp-data -i eth0 -j ACCEPT
# Packets claiming a LAN source address (or 10.0.0.0) on eth0 are dropped
$IPCHAINS -A input -s 192.168.2.0/24 -d 192.168.2.0/24 -i eth0 -j DENY
$IPCHAINS -A input -s 10.0.0.0/32 -d 192.168.2.0/24 -i eth0 -j DENY
# SSH to the firewall is allowed only from one external address
$IPCHAINS -A input -p tcp -s 197.150.234.98/32 -d $firewall ssh -i eth0 -j ACCEPT

# Close the remaining port ranges on the firewall itself. (The posted version had
# "-d firewall" without the "$"; ipchains would try to resolve that as a hostname.)
$IPCHAINS -A input -p tcp -s $Any tcpmux:chargen -d $firewall -i eth0 -j DENY
$IPCHAINS -A input -p tcp -s $Any 26:finger -d $firewall -i eth0 -j DENY
$IPCHAINS -A input -p tcp -s $Any 81:pop2 -d $firewall -i eth0 -j DENY
$IPCHAINS -A input -p tcp -s $Any sunrpc:118 -d $firewall -i eth0 -j DENY
$IPCHAINS -A input -p tcp -s $Any 120:6666 -d $firewall -i eth0 -j DENY
$IPCHAINS -A input -p tcp -s $Any 6668:65535 -d $firewall -i eth0 -j DENY
$IPCHAINS -A input -p udp -s $Any 1:51 -d $firewall -i eth0 -j DENY
$IPCHAINS -A input -p udp -s $Any 54:65535 -d $firewall -i eth0 -j DENY
$IPCHAINS -A input -p icmp -s $Any 1:65535 -d $firewall -i eth0 -j DENY


# forward rules
# Masquerade everything leaving the LAN through eth1 (in the forward chain
# -i names the outgoing interface)
$IPCHAINS -A forward -s 192.168.2.0/24 -d $Any -i eth1 -j MASQ

# output rules
$IPCHAINS -A output -s 192.168.2.0/24 -d $Any -i eth1 -j ACCEPT

With these simple lines we work fine at the company, but to be sure, ask Diaolin,
Ghilardini and Ianez, who are the ones who taught me back then; they will
certainly be able to give you clear and thorough explanations, much better than
I ever could.
Regards
--
Mario Vittorio Guenzi
Zincometal S.p.A.
c.so Europa Str.prov 34
20010-Inveruno (MI)
tel: 02-979661
fax: 02-97966351
E-mail jclark@xxxxxxxxxxxxx
http://www.zincometal.com
Si vis pacem, para bellum
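An added example, not from the post or the gfcc-generated script: a small Python simulation of ipchains first-match evaluation that shows the two points above, that an unconditional DENY in the forward chain blocks the LAN while the posted MASQ rule lets it out, and that the REJECT rule for echo requests shadows the DENY rule right after it. All packets and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    target: str                   # -j: ACCEPT, DENY, REJECT or MASQ
    src: str = "0.0.0.0/0"        # -s
    dst: str = "0.0.0.0/0"        # -d
    proto: Optional[str] = None   # -p (None = any protocol)
    iface: Optional[str] = None   # -i (None = any interface)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    iface: str

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion given on the rule must match; omitted ones are wildcards."""
    in_src = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src, strict=False)
    in_dst = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst, strict=False)
    return in_src and in_dst and rule.proto in (None, pkt.proto) and rule.iface in (None, pkt.iface)

def verdict(rules: List[Rule], policy: str, pkt: Packet) -> str:
    """The first matching rule decides; the chain policy applies only if none matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy

# Constructed packet: a LAN host opening a TCP connection to an external server, leaving via eth1.
LAN_TO_INTERNET = Packet(src="192.168.2.10", dst="198.51.100.7", proto="tcp", iface="eth1")
# Constructed packet: an echo request from outside arriving on eth0 at the firewall.
PING_FROM_OUTSIDE = Packet(src="203.0.113.9", dst="192.168.2.241", proto="icmp", iface="eth0")
# Quoted original: the forward chain holds one unconditional DENY (ipchains default policy ACCEPT).
ORIGINAL_FORWARD = [Rule(target="DENY")]
# Posted ruleset: policy MASQ plus an explicit MASQ rule for the LAN.
POSTED_FORWARD = [Rule(target="MASQ", src="192.168.2.0/24", iface="eth1")]
# Posted input chain, first two rules: REJECT then DENY for the same ICMP traffic.
POSTED_INPUT_HEAD = [Rule(target="REJECT", proto="icmp", iface="eth0"),
                     Rule(target="DENY", proto="icmp", iface="eth0")]

def compare_forward_chains() -> dict:
    # DENY in forward stops LAN traffic; MASQ sends it out under the firewall's address.
    return {"original": verdict(ORIGINAL_FORWARD, "ACCEPT", LAN_TO_INTERNET),
            "posted": verdict(POSTED_FORWARD, "MASQ", LAN_TO_INTERNET)}

def shadowed_icmp_rule() -> str:
    # First match wins, so the DENY rule after the REJECT rule can never fire.
    return verdict(POSTED_INPUT_HEAD, "ACCEPT", PING_FROM_OUTSIDE)
```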


-- 
NEXT MEETING: Monday 29 April 2002 at 20:45
To subscribe (or unsubscribe), just send a message with the SUBJECT
"subscribe" (or "unsubscribe") to mailto:linuxtrent-request@xxxxxxxxxxxxxxxxx
