firewall rules

David A. Sinck plug-discuss@lists.plug.phoenix.az.us
Wed, 10 Apr 2002 13:18:07 -0700


\_ SMTP quoth Charlie Bullen on 4/10/2002 12:58 as having spake thusly:
\_
\_ Hi, I've created a set of firewall rules (my first attempt,
\_ ipchains). I want to be able to serve webpages, access the server
\_ remotely via ssh and allow 2 computers FTP access. I don't want
\_ anyone or anything else to go in or out of the server. This is
\_ running on RedHat 7.2

Ok, drop ipchains and go iptables; they are a lot more flexible and
fun than ipchains.

\_ Here are the rules
\_ 
\_ :input ACCEPT
\_ :forward ACCEPT
\_ :output ACCEPT

If you really mean nothing else in or out, change the default policies
to DROP. 

\_ -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
\_ -A input -s 63.226.xxx.xxx -d 0/0 20 -p tcp -y -j ACCEPT
\_ -A input -s 63.226.xxx.xxx -d 0/0 21 -p tcp -y -j ACCEPT
\_ -A input -s 63.226.yyy.yyy -d 0/0 20 -p tcp -y -j ACCEPT
\_ -A input -s 63.226.yyy.yyy -d 0/0 21 -p tcp -y -j ACCEPT
\_ -A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
\_ -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
\_ -A input -s 63.226.zzz.zzz 53 -d 0/0 -p udp -j ACCEPT
\_ -A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
\_ -A input -s 0/0 -d 0/0 -p udp -j REJECT

You're overlooking icmp and possibly other protocols, which you might
or might not want to block.

\_ Will the above do what I want it to do? Is what I want to do secure?

It'll make some forms of ftp fun when you're sucking to the box.

You need to allow all traffic to port 22 (not just syn packets) if you
want ssh to get past the initial handshake :-).

I'd specify port ranges for the ftp rules, eg:

-A input -s 63.226.yyy.yyy -d 0/0 20:21 -p tcp -y -j ACCEPT

and collapse the rules a bit.

David
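What the ruleset looks like once you take the advice in the thread (iptables instead of ipchains, default policies DROP, whole connections rather than just SYNs allowed to the services, FTP limited to two client hosts, ICMP handled explicitly), as an added example that is not David's or Charlie's code. It generates an iptables-restore file of the same shape as the ipchains-save listing above. The client and resolver addresses (192.0.2.10, 192.0.2.11, 192.0.2.53) are constructed placeholders from the RFC 5737 test range, not the hosts in the original post, and it assumes the FTP connection-tracking helper (ip_conntrack_ftp on the 2.4 kernel that Red Hat 7.2 ships) is loaded so FTP data connections are matched as RELATED.

```shell
#!/bin/sh
# Added example (not from the original post): an iptables-restore ruleset
# for the requirements in the question, built the way the reply suggests.
#
# Assumptions, all constructed for this example: the two FTP clients are
# 192.0.2.10 and 192.0.2.11, the resolver is 192.0.2.53 (RFC 5737 test
# addresses; substitute the real hosts), and the FTP conntrack helper
# (ip_conntrack_ftp on a 2.4 kernel) is loaded so FTP data connections
# show up as RELATED.

FTP_CLIENTS="${FTP_CLIENTS:-192.0.2.10 192.0.2.11}"
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always fine
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# stateful rules: every packet of a connection already accepted, plus
# RELATED ones (FTP data, ICMP errors), passes in both directions.
# This replaces the SYN-only (-y) matching of the ipchains rules, and
# is what lets ssh and http get past the initial handshake.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# services open to the world: NEW connections only, the rest is ESTABLISHED
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
EOF
    # FTP control channel, one rule per permitted client. No rule for port 20
    # is needed: active-mode data is opened by the server (RELATED on OUTPUT)
    # and passive-mode data arrives on a high port (RELATED on INPUT).
    for client in $FTP_CLIENTS; do
        echo "-A INPUT -s $client -p tcp --dport 21 -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# outbound: only DNS lookups to our resolver may start new connections
-A OUTPUT -d $DNS_SERVER -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -d $DNS_SERVER -p tcp --dport 53 -m state --state NEW -j ACCEPT
# ICMP, which the ipchains rules did not mention at all: rate-limited pings
# plus the error types that path MTU discovery and traceroute rely on
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# let the resets generated by the REJECT rule below leave the box
-A OUTPUT -p tcp --tcp-flags RST RST -j ACCEPT
# everything else: log a trickle, reset TCP cleanly, silently drop the rest
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-drop: "
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j DROP
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "fw-out-drop: "
COMMIT
EOF
}

# Load it (as root):   modprobe ip_conntrack_ftp && gen_ruleset | iptables-restore
# Persist on Red Hat:  gen_ruleset > /etc/sysconfig/iptables && chkconfig iptables on
gen_ruleset
```

The ESTABLISHED,RELATED rules carry the weight here: with both default policies at DROP, nothing that is not a tracked reply to an accepted connection, a tracked FTP data channel, or a DNS query to the named resolver leaves or enters the box, which is the "nothing else in or out" the question asked for. Check it before walking away from the console: keep the old session open, load the rules, and open a second ssh session and a web request from outside; the OUTPUT log prefix will show anything the server itself is trying to do that the ruleset now blocks.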