
Re: [SLUG] ipchains stuff



> as i've spent days mucking around with ipchains and still seem to muck
> things up.

what exactly is it that you're having problems with ?

> i thought i'd ask a few questions to clarify my ideas on ipchains and
> how it should best be set up in a particular situation.
> 
> is the following a good way to think about the ipchains rules?
> 
> define a new chain name.
> ipchains -N dmz-bad
> 
> define the new chain route/direction of packets.
> ie. if going from ip - from interface - to ip - jumpto dmz-bad.
> ipchains -A input -s 1.2.3.4 -i eth0 -d  5.6.7.8 -j dmz-bad
> 
> define the rules for the ports in dmz-bad
> ipchains -A dmz-bad -p tcp --sport 80 --dport 80 -j ACCEPT
> 
> does this make sense or is there a hole somewhere? disregarding the
> default rules of course.

that looks right. ipchains has a top-down approach to filtering packets,
or at least ipchains 1.3.5 has. you really have to think about what you
want to do from the top, and then to the bottom.

you might want to 'ipchains -A dmz-bad -s 0/0 -d 0/0 -j DENY -l' at the end of
each new define to catch what's left over.

i usually filter out ports first (rather than by ip) in the input chain. 
starting from general stuff to more complex filtering towards the bottom. 

--
SLUG - Sydney Linux Users Group Mailing List - http://www.slug.org.au
To unsubscribe send email to slug-request@nospam.slug.org.au with
unsubscribe in the text
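The chain layout from the question, built in the top-down order the reply describes and finished with the logging catch-all it suggests, as an added example that is not part of the original thread. The addresses 1.2.3.4 / 5.6.7.8 and interface eth0 are the values from the post; `IPCHAINS` defaulting to `echo ipchains` is an assumption of this script so that it can be dry-run on a machine without ipchains, and `lint_catchall` is a helper written here to check that every user-defined chain ends in a `DENY -l` rule rather than silently falling through to the default policy.

```shell
#!/bin/sh
# Added example, not code from the original post.
# IPCHAINS defaults to a dry run ("echo ipchains") so the ruleset can be
# inspected offline; set IPCHAINS=ipchains to actually load it.
IPCHAINS="${IPCHAINS:-echo ipchains}"

# Emit the rules in the order ipchains walks them: create the chain, jump
# into it from input for the one host pair, accept the specific traffic,
# then log-and-deny whatever is left so nothing leaks out of the chain.
build_rules() {
    $IPCHAINS -N dmz-bad
    $IPCHAINS -A input -s 1.2.3.4 -i eth0 -d 5.6.7.8 -j dmz-bad
    $IPCHAINS -A dmz-bad -p tcp --sport 80 --dport 80 -j ACCEPT
    $IPCHAINS -A dmz-bad -s 0/0 -d 0/0 -j DENY -l
}

# Read a dry-run listing on stdin. For every chain created with -N, find the
# last -A rule appended to it and require it to be a logging DENY. Prints the
# names of chains that lack the catch-all and returns 1 if there are any.
lint_catchall() {
    rules=$(cat)
    status=0
    for chain in $(printf '%s\n' "$rules" | awk '$2 == "-N" { print $3 }'); do
        last=$(printf '%s\n' "$rules" |
               awk -v c="$chain" '$2 == "-A" && $3 == c { l = $0 } END { print l }')
        case "$last" in
            *"-j DENY -l"*) ;;
            *) echo "$chain"; status=1 ;;
        esac
    done
    return $status
}

# Usage: dry-run the ruleset and check that each new chain is terminated.
build_rules | lint_catchall && echo "all user chains end in a logging DENY"
```

Note that the ACCEPT rule copied from the post matches only packets whose source port is also 80; a browser connecting to a web server uses an ephemeral source port, so as written it admits very little real traffic, and the catch-all at the end is what shows you that in the log.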