Ipchains Woes

Patrick Fleming EA plug-discuss@lists.plug.phoenix.az.us
Tue, 26 Feb 2002 07:53:00 -0700 (MST)


On Tue, 26 Feb 2002, Steve Holmes wrote:

> I know, but as soon as I make default policy to DENY on the input chain,
> all connectivity to the outside is lost.  Here was a basic set of rules at
> my last test.
> ipchains -P input DENY
> ipchains -A input -i lo -j ACCEPT
> ipchains -A input -i eth0 -j ACCEPT
> ipchains -P forward DENY
> ipchains -A forward -s 192.168.1.0/24 -j MASQ
> ipchains -P output -j ACCEPT
> Now at this point I tried adding something like
> ipchains -A input -i eth1 -p ! -y --dport 1025:65535 -j ACCEPT

Upon further thinking following a later response I *think* that you need 
to add tcp after the -p.
ipchains -A input -i eth1 -p tcp ! -y --dport 1025:65535 -j ACCEPT

It has been a while since I messed with ipchains. I was forced (my 
own fault) to upgrade to iptables after a kernel recompile. Tables, IMO, 
is far easier to configure once you get your mind wrapped around the 
changes. I have far fewer rules, tables is stateful and works beautifully.


-- 
Patrick Fleming, EA
Licensed to represent taxpayers
before Exam, Appeals, and Conference 
divisions of the IRS
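The full ruleset from this thread with Patrick's `-p tcp` fix applied, as an added example that is not part of the original post. It assumes eth1 is the external interface (the thread never says so explicitly), uses a `DRY_RUN` variable and a `run_rule` helper of my own so the rules can be printed without root, and writes the output policy as `ipchains -P output ACCEPT`, since `-P` takes the target directly rather than via `-j`:

```shell
#!/bin/sh
# Added example: the thread's ipchains policy, corrected. Interface names and
# the LAN range come from the thread; eth1 as the external interface is an
# assumption. DRY_RUN=1 (the default) prints the commands instead of running
# them, so the script can be reviewed before it is applied as root.

LAN_IF=eth0
EXT_IF=eth1
LAN_NET=192.168.1.0/24

# run_rule prints "ipchains <args>" in dry-run mode, otherwise executes it.
run_rule() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'ipchains %s\n' "$*"
    else
        ipchains "$@"
    fi
}

# apply_rules emits (or executes) the whole policy, one rule per line.
apply_rules() {
    # Start from empty chains so stale rules from earlier tests cannot
    # mask what the policy below actually allows.
    run_rule -F input
    run_rule -F forward
    run_rule -F output

    # Default-deny inbound; trust loopback and the internal interface.
    run_rule -P input DENY
    run_rule -A input -i lo -j ACCEPT
    run_rule -A input -i "$LAN_IF" -j ACCEPT

    # From the outside, accept only TCP packets without the SYN flag
    # (replies to connections we opened) aimed at unprivileged ports.
    # '! -y' is a TCP flag test, so '-p tcp' must come before it; without
    # it ipchains rejects the rule and the chain stays default-deny, which
    # is why all outside connectivity vanished in the thread.
    run_rule -A input -i "$EXT_IF" -p tcp ! -y --dport 1025:65535 -j ACCEPT

    # Forward nothing except masqueraded traffic from the LAN.
    run_rule -P forward DENY
    run_rule -A forward -s "$LAN_NET" -j MASQ

    # -P takes the policy target directly; there is no -j on a policy.
    run_rule -P output ACCEPT
}

# external_accept_count returns how many input rules accept from the
# external interface; a sanity check that the policy stays minimal.
external_accept_count() {
    apply_rules | grep -c -- "-A input -i $EXT_IF .* -j ACCEPT"
}

apply_rules
```

Run it as `DRY_RUN=1 sh rules.sh` to see the rules, then `DRY_RUN=0 sh rules.sh` as root to apply them. The `! -y` rule covers TCP replies only; UDP replies such as DNS answers still hit the default DENY, so a DNS-dependent host will look "disconnected" until a matching UDP rule is added.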