
/etc/sysconfig/ipchains says: Don't touch this file??? What are you supposed to use?

This file is /etc/sysconfig/ipchains. When you are done making changes, run /etc/rc.d/init.d/ipchains restart (as root) so the new rules are loaded.

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
#rsh
#-A input -s 0/0 -d 0/0 514 -p tcp -y -j ACCEPT
#dns
#-A input -s 0/0 -d 0/0 53 -p tcp -y -j ACCEPT
#-A input -s 0/0 -d 0/0 53 -p udp -j ACCEPT
#ntp
-A input -s 0/0 -d 0/0 123 -p udp -j ACCEPT
#web
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
#ftp
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
#ssh
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
#nfs
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
#nfs
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
#icq or something like that
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
#xfs
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
#mysql
-A input -p tcp -s 66.28.32.0/255.255.255.0 -d 0/0 3306 -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 3306 -y -j REJECT

To allow external connections to a TCP port, add a line of the form:
-A input -s 0/0 -d 0/0 xxx -p tcp -y -j ACCEPT
where xxx is the port you want to allow. For UDP use:
-A input -s 0/0 -d 0/0 xxx -p udp -j ACCEPT

To figure out which port you need to open, check /etc/services. Some of the port numbers are not obvious: ssh is port 22, dns is port 53.

Note that I had to add the lines for mysql, because by default the port is not protected. The lines

#mysql
-A input -p tcp -s 66.28.32.0/255.255.255.0 -d 0/0 3306 -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 3306 -y -j REJECT
should allow access from all 66.28.32.xxx machines and reject all the others. The ACCEPT for the subnet must come before the REJECT, since ipchains stops at the first matching rule.
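As an added illustration (not code from the original page), this Python script walks an input chain the way ipchains does: top to bottom, first match wins, and anything unmatched falls through to the chain policy. It is fed a constructed excerpt of the rules above, and it shows why 3306 was reachable before the mysql lines were added (the REJECT rules only cover 0:1023, and the policy is ACCEPT), why rule order matters for the subnet exception, and that `-y` rules only see connection-opening SYN packets. The interface name eth0 and the sample source addresses are assumptions.

```python
import ipaddress
# Constructed excerpt of the input chain from the page's /etc/sysconfig/ipchains.
# ipchains walks the chain top to bottom: the first match decides; no match -> ':input ACCEPT'.
PAGE_RULES = """
:input ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p tcp -s 66.28.32.0/255.255.255.0 -d 0/0 3306 -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 3306 -y -j REJECT
"""

def parse_net(spec):
    """ipchains address shorthand ('0/0', dotted netmasks) -> ip_network."""
    addr, _, mask = spec.partition("/")
    addr = ".".join((addr.split(".") + ["0"] * 3)[:4])  # '0' -> '0.0.0.0'
    return ipaddress.ip_network(f"{addr}/{mask or 32}", strict=False)

def parse_rules(text):
    policy, rules = {}, []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"): continue
        if tok[0].startswith(":"): policy[tok[0][1:]] = tok[1]; continue  # ':input ACCEPT'
        r = {"chain": tok[1], "proto": None, "src": parse_net("0/0"), "iface": None,
             "dport": (0, 65535), "syn": "-y" in tok, "target": None}
        for i, opt in enumerate(tok):
            arg = tok[i + 1] if i + 1 < len(tok) else None
            if opt == "-p": r["proto"] = arg
            elif opt == "-j": r["target"] = arg
            elif opt == "-i": r["iface"] = arg
            elif opt == "-s": r["src"] = parse_net(arg)
            elif opt == "-d" and i + 2 < len(tok) and tok[i + 2][0].isdigit():
                lo, _, hi = tok[i + 2].partition(":")  # port or lo:hi range after '-d addr'
                r["dport"] = (int(lo), int(hi or lo))
        rules.append(r)
    return policy, rules

def verdict(policy, rules, proto, src, dport, iface="eth0", syn=True):
    # Target of the first matching input rule, else the input chain policy.
    src = ipaddress.ip_address(src)
    for r in rules:
        if r["chain"] != "input" or (r["proto"] and r["proto"] != proto): continue
        if (r["iface"] and r["iface"] != iface) or src not in r["src"]: continue
        if not r["dport"][0] <= dport <= r["dport"][1]: continue
        if r["syn"] and not syn: continue  # -y matches only connection-opening SYN packets
        return r["target"]
    return policy.get("input", "ACCEPT")
```

Drop the last two rules from PAGE_RULES and verdict() returns ACCEPT for port 3306 from anywhere, which is the unprotected default the text describes; any port above 1023 without an explicit rule is in the same position.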

Done for sending porn!
I dialed up today to find that my account was "stopped". A quick call to ozemail, and they say it was stopped by the accounts department (making it sound like I hadn't paid, but he didn't sound convincing). More investigation yields that it was stopped because I was sending porn spam. "No I'm not", was the knee-jerk reaction, but after I thought about it I remembered that some bastard had used my laptop as a relay! A little while later it was all solved, although I think ozemail could have at least tried to contact me first.

Here is the entry I changed in my firewall to stop incoming requests (port 25, smtp):

#turn off incoming email via smtp
#-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
i.e., I just commented out the line. Not too long ago, I had been playing with qmail, and had configured it to allow any recipients (which I now can't figure out how to put back). At the time, I figured I would just do it for a test and would put the file back. I never did, and just a few weeks later, the bastards used me as a relay. I feel so used ...

Last Change: Monday, 10-Jan-2005 07:41:03 EST

Disclaimer

The information provided within these pages is provided AS IS, and without any warranty. Following these directions may (but not limited to) crash your computer, delete all the information on your hard disk, open up security holes or cause your house to burn down. I made these pages to provide some information about the setup that I have done, but I did not proofread it for correctness, and in most cases did not test it. There are commands in these pages that would definitely delete or corrupt all the data on your computer (especially the dualboot section). In fact it happened to me.... So you are on your own!


Cameron Gregory