  1. #1
    Just Joined! (Join Date: Dec 2008, Posts: 1)

    ipchains

    Hi everybody.
    Below are my ipchains rules, which I use for my gateway machine.
    My setup is as given below:

    Eth1 = External IP (ex: 88.88.88.8), Internet interface
    Eth0 = Internal IP (192.168.5.1), LAN interface
    The internal subnet is 192.168.5.0/24


    Here are my updated rules. As you can see, I have placed the SMTP-related rules above.

    # allow traffic originating internally
    ipchains -A output -j ACCEPT -s 88.88.88.88/32 -d 0/0 -p tcp -i eth1

    The ipchains rule for blocking SMTP works fine and successfully blocks all outgoing SMTP on port 25.
    Purpose half served, but I am not able to unblock it for these two IPs, which essentially need to send out mail.

    To your info, I am not fully proficient with ipchains and do the needful by being specific.

    Please pinpoint what I am doing wrong in unblocking the SMTP port for those two IPs.
    Thanking you all in advance.

    Thanks


    #!/bin/sh

    # Flush Rules
    ipchains -F forward
    ipchains -F output
    ipchains -F input

    # Set default to deny all
    ipchains -P input DENY
    ipchains -P output REJECT
    ipchains -P forward DENY

    #ICMP REDIRECT PROTECTION
    #possible alteration of routing tables if left open
    for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    /bin/echo "0" > ${interface}
    done

    #IP_SPOOFING PROTECTION
    #asymmetrically routed packets will fail
    #who cares anyways
    for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    /bin/echo "1" > ${interface}
    done

    # Enable packet forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # FTP masq
    #/sbin/modprobe ip_masq_ftp


    # Add Rules
    ipchains -A input -i lo -j ACCEPT
    ipchains -A output -i lo -j ACCEPT

    # prevent spoofed packets from outside
    ipchains -A input -s 192.168.5.0/24 -i eth1 -j DENY -l
    ipchains -A input -s 127.0.0.0/8 -i ! lo -j DENY -l

    # DENY DNS from outside
    ipchains -A input -j DENY -l -s 0/0 -d 88.88.88.88 53:53 -p udp -i eth1

    #SMTP Blocked except a few IP's
    ipchains -A output -j ACCEPT -p tcp --dport 25 -d 192.168.5.51
    ipchains -A output -j ACCEPT -p tcp --dport 25 -d 192.168.5.52
    ipchains -A output -j DENY -p tcp --dport 25

    # first add list of blocked addresses from file
    for bad_addr in `cat /root/firewall/blacklist | awk '{ print $2 }'`; do
    ipchains -A input -j DENY -l -s $bad_addr -d 88.88.88.88/32 -p all -i eth1
    ipchains -A input -j DENY -l -s 192.168.5.0/24 -d $bad_addr -p all -i eth0
    done

    # Ping
    # we need to ping outside
    ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 -p icmp --icmp-type echo-reply -i eth1
    ipchains -A output -j ACCEPT -d 0/0 -p icmp --icmp-type echo-request -i eth1

    # but outside cannot ping us
    ipchains -A input -j DENY -s 0/0 -d 88.88.88.88/32 -p icmp --icmp-type echo-request -i eth1
    ipchains -A output -j DENY -d 0/0 -p icmp --icmp-type echo-reply -i eth1

    # allow ping from internal network
    ipchains -A output -j ACCEPT -s 0/0 -d 192.168.5.0/24 -p icmp -i eth0
    ipchains -A input -j ACCEPT -s 192.168.5.0/24 -d 0/0 -p icmp -i eth0

    # VOIP
    # Allow udp to ciscoata UDP ports 69, 5060,5061,5062 10000-10800
    # don't know the server from which traffic originates.
    # That stupid idiot at the VOIP provider doesn't know himself. @&&#o1e
    ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 -p udp -i eth0

    #ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 69:69 -p udp -i eth0
    #ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 5060:5062 -p udp -i eth0
    #ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 10000:11500 -p udp -i eth0
    ipchains -A output -j ACCEPT -p udp -i eth0

    ipchains -A input -j ACCEPT -s 0/0 -p udp -i eth1
    #ipchains -A input -j ACCEPT -s 0/0 69:69 -p udp -i eth1
    #ipchains -A input -j ACCEPT -s 0/0 5060:5062 -p udp -i eth1
    #ipchains -A input -j ACCEPT -s 0/0 10000:11500 -p udp -i eth1
    ipchains -A output -j ACCEPT -p udp -i eth1

    # Accept all but port 21 to 23 to and from internal net
    # matrix, genesis and neo allow all
    # Im the ******* sysadmin.
    ipchains -A input -j ACCEPT -p tcp -s 192.168.5.3 -d 0/0 21:23 -i eth0
    ipchains -A input -j ACCEPT -p tcp -s 192.168.5.50 -d 0/0 21:23 -i eth0
    ipchains -A input -j ACCEPT -p tcp -s 192.168.5.51 -d 0/0 21:23 -i eth0
    ipchains -A input -j ACCEPT -p tcp -s 192.168.5.150 -d 0/0 21:23 -i eth0
    #ipchains -A input -j ACCEPT -p tcp -s 192.168.5.10 -d 0/0 21:23 -i eth0
    ipchains -A input -j ACCEPT -p tcp -s 192.168.5.15 -d 0/0 21:23 -i eth0
    ipchains -A input -j ACCEPT -p tcp -s 192.168.5.9 -d 0/0 21:23 -i eth0
    ipchains -A input -j ACCEPT -p tcp -s 192.168.5.25 -d 0/0 21:23 -i eth0
    ipchains -A input -j ACCEPT -s 192.168.5.0/24 -d 0/0 -i eth0
    ipchains -A output -j ACCEPT -s 0/0 -d 192.168.5.0/24 -i eth0


    # allow traffic originating internally
    ipchains -A output -j ACCEPT -s 88.88.88.88/32 -d 0/0 -p tcp -i eth1
    ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 -p tcp ! -y -i eth1

    # DNS
    ipchains -A output -j ACCEPT -s 88.88.88.88/32 -d 0/0 53:53 -p udp -i eth1
    ipchains -A input -j ACCEPT -s 0/0 53:53 -d 88.88.88.88/32 -p udp -i eth1

    # Forward /Masq internal network
    for host_addr in `cat /root/firewall/hostlist`; do
    ipchains -A forward -j MASQ -s $host_addr -d 0.0.0.0/0
    done

    ipchains -A forward -s 192.168.5.0/24 -d 0.0.0.0/0 -j MASQ

    ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 80:80 -p tcp -i eth1
    ipchains -A output -j ACCEPT -s 88.88.88.88/32 80:80 -d 0/0 -p tcp ! -y -i eth1

    ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 110:110 -p tcp -i eth1
    ipchains -A output -j ACCEPT -s 88.88.88.88/32 110:110 -d 0/0 -p tcp ! -y -i eth1
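
Added illustration (not code from the thread or its author): a small Python model of the path a forwarded packet takes through ipchains, used to show why the SMTP exception in the rules above never matches. The chain order and the masquerading step follow the ipchains documentation: input chain, then forward chain, where -j MASQ rewrites the source address to the gateway's, then output chain, which sees the rewritten packet. In the output chain the source of every masqueraded packet is therefore 88.88.88.88, so no per-host decision can be made there; and -d 192.168.5.51 names the destination, which an outgoing SMTP connection from 192.168.5.51 never has. The model keeps only the fields the SMTP rules test, uses the addresses from the post plus a constructed remote mail server (203.0.113.25), and the alternative placement it encodes (filter in the forward chain before masquerading) is a suggestion written in the post's own syntax, not something the thread itself gives.

```python
# Simplified model of the ipchains path for a LAN -> Internet packet:
# input chain (inbound interface) -> forward chain (MASQ rewrites the source
# to the gateway address) -> output chain (sees the rewritten packet).
# Added illustration; only the fields the SMTP rules look at are modelled.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

GATEWAY_EXT = "88.88.88.88"                      # eth1 address from the post
LAN = "192.168.5.0/24"
MAIL_HOSTS = ("192.168.5.51", "192.168.5.52")    # the two hosts allowed to send mail
MAIL_SERVER = "203.0.113.25"                     # constructed remote mail server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One ipchains rule; None means 'any' (like 0/0 or an omitted option)."""
    target: str                      # ACCEPT, DENY or MASQ
    src: Optional[str] = None        # like -s (CIDR)
    dst: Optional[str] = None        # like -d (CIDR)
    proto: Optional[str] = None      # like -p
    dport: Optional[int] = None      # like the port given after -d
    iface: Optional[str] = None      # like -i

    def matches(self, pkt: Packet, iface: str) -> bool:
        return all((
            self.iface is None or self.iface == iface,
            self.proto is None or self.proto == pkt.proto,
            self.dport is None or self.dport == pkt.dport,
            self.src is None or ip_address(pkt.src) in ip_network(self.src, strict=False),
            self.dst is None or ip_address(pkt.dst) in ip_network(self.dst, strict=False),
        ))


def run_chain(rules, policy, pkt, iface):
    """The first matching rule decides, as in ipchains; otherwise the chain policy."""
    for rule in rules:
        if rule.matches(pkt, iface):
            return rule.target
    return policy


def forward_packet(chains, policies, pkt, in_iface="eth0", out_iface="eth1"):
    """Walk a packet through input, forward and output; return (verdict, deciding chain)."""
    if run_chain(chains["input"], policies["input"], pkt, in_iface) != "ACCEPT":
        return ("DENY", "input")
    verdict = run_chain(chains["forward"], policies["forward"], pkt, out_iface)
    if verdict == "MASQ":
        # Masquerading rewrites the source before the output chain sees the packet.
        pkt = replace(pkt, src=GATEWAY_EXT)
    elif verdict != "ACCEPT":
        return ("DENY", "forward")
    if run_chain(chains["output"], policies["output"], pkt, out_iface) != "ACCEPT":
        return ("DENY", "output")
    return ("ACCEPT", "output")


POLICIES = {"input": "DENY", "forward": "DENY", "output": "REJECT"}

# The post's arrangement: exception and block both in the output chain, keyed
# on the destination address.
POSTED = {
    "input":   [Rule("ACCEPT", src=LAN, iface="eth0")],
    "forward": [Rule("MASQ", src=LAN)],
    "output":  [Rule("ACCEPT", proto="tcp", dport=25, dst="192.168.5.51"),
                Rule("ACCEPT", proto="tcp", dport=25, dst="192.168.5.52"),
                Rule("DENY", proto="tcp", dport=25),
                Rule("ACCEPT", src=GATEWAY_EXT, proto="tcp", iface="eth1")],
}

# Suggested arrangement (assumed, not from the thread): decide in the forward
# chain, where the LAN source is still visible, and masquerade only what is allowed.
# Equivalent ipchains lines in the post's own style:
#   ipchains -A forward -j MASQ -s 192.168.5.51 -d 0/0 25 -p tcp
#   ipchains -A forward -j MASQ -s 192.168.5.52 -d 0/0 25 -p tcp
#   ipchains -A forward -j DENY -l -s 192.168.5.0/24 -d 0/0 25 -p tcp
#   ipchains -A forward -j MASQ -s 192.168.5.0/24 -d 0/0
FIXED = {
    "input":   POSTED["input"],
    "forward": [Rule("MASQ", src=h, proto="tcp", dport=25) for h in MAIL_HOSTS]
               + [Rule("DENY", src=LAN, proto="tcp", dport=25), Rule("MASQ", src=LAN)],
    "output":  [Rule("ACCEPT", src=GATEWAY_EXT, proto="tcp", iface="eth1")],
}


def smtp_verdicts(chains):
    """Verdicts for an SMTP connection from an allowed host and from another LAN host."""
    allowed = Packet(src="192.168.5.51", dst=MAIL_SERVER, dport=25)
    other = Packet(src="192.168.5.77", dst=MAIL_SERVER, dport=25)
    return forward_packet(chains, POLICIES, allowed), forward_packet(chains, POLICIES, other)


if __name__ == "__main__":
    print("posted:", smtp_verdicts(POSTED))   # both denied in the output chain
    print("fixed: ", smtp_verdicts(FIXED))    # .51 accepted, .77 denied in the forward chain
```

Running it shows the posted arrangement denying both hosts in the output chain and the forward-chain arrangement admitting 192.168.5.51 while denying 192.168.5.77. The same decision could instead be made in the input chain on eth0, where the LAN source is also still visible, provided it sits before the blanket ACCEPT for 192.168.5.0/24; either way the port-25 DENY has to leave the output chain, since after masquerading every LAN host looks like 88.88.88.88 there.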

  2. #2
    Lazydog, Linux Guru (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,672)
    Question, why are you using ipchains and not iptables?
    Ipchains is old school.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
