Ipchains Woes

Patrick Fleming EA plug-discuss@lists.plug.phoenix.az.us
Thu, 28 Feb 2002 07:47:06 -0700 (MST)


On Wed, 27 Feb 2002, Steve Holmes wrote:

> More developments.  I took the same script I put in a previous message and
> added the line:
> ipchains -A input -p udp --dport 1024:65535 -j ACCEPT
> Now everything seems to work from the inside point of view.
> 
> One question now, that sounds awfully wide open to me.  I'm not familiar
> enough with a complete map of tcp and udp ports to know what is safe to
> have open and which should be closed.  The obvious ones, I don't allow in
> unless I specifically want them like ftp, telnet, ssh, mail(25), pop3,
> imap, etc.  I understand them well but these upper ports are more unknown
> to me.  I open them up and I get responses from DNS lookups and the other
> stuff works.
> 
> Does this all make sense?  Should I pare down the upper ports?
> 
> In summary, the script that opens things up is as follows:
> ipchains -A input -p tcp ! -y --dport 1024:65535 -j ACCEPT
> ipchains -A input -p udp --dport 1024:65535 -j ACCEPT
> (Assuming no typos here).

You can reduce this by allowing only from 'trusted' ports, i.e. add
--sport 20,21,53,80, etc.
If I remember right, you will have to add a line for each port that you
want to trust from in ipchains. This will reduce the number of machines that
can attempt to contact you directly. iptables allows a multiport switch so
this is all on one line in my iptables scripts.

Note that iptables, once you learn it and your kernel supports it, 
requires far fewer lines in the script to accomplish more. There are lots 
of similar commands in iptables and scripts don't take too much time to 
modify once you're ready to switch.

> 
> Appreciate the help thus far; we're getting there.  Once I get this
> finally worked out, I'm gonna stick this into the endoshield script which
> has a lot of neat options and that script will work with ipchains and
> iptables when I go to iptables later on.

-- 
Patrick Fleming, EA
Licensed to represent taxpayers
before Exam, Appeals, and Conference 
divisions of the IRS
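
The source-port tightening suggested above, as an added example that is not part of the original message: a small POSIX shell generator that emits one ipchains ACCEPT line per trusted source port (the per-port limitation mentioned) and the iptables equivalent collapsed into one rule per protocol with the multiport match. The port list (20, 21, 53, 80) is the one named in the reply; the function names are assumptions of this example.

```shell
#!/bin/sh
# Generate firewall rules that only admit replies to high local ports
# (1024:65535) when they come FROM a trusted source port.
# Caveat: the source port is chosen by the remote host, so this narrows
# exposure compared with "--dport 1024:65535 from anywhere" but does not
# authenticate the peer; it is a reduction, not a guarantee.

# ipchains has no multiport match, so one rule per trusted source port,
# for both TCP (non-SYN packets only, "! -y") and UDP.
gen_ipchains_rules() {
    for port in "$@"; do
        echo "ipchains -A input -p tcp ! -y --sport $port --dport 1024:65535 -j ACCEPT"
        echo "ipchains -A input -p udp --sport $port --dport 1024:65535 -j ACCEPT"
    done
}

# iptables: "-m multiport --sports a,b,c" accepts the whole list in one rule
# per protocol ("! --syn" is the iptables spelling of ipchains' "! -y").
gen_iptables_rules() {
    ports=$(printf '%s,' "$@")
    ports=${ports%,}          # strip trailing comma
    echo "iptables -A INPUT -p tcp ! --syn -m multiport --sports $ports --dport 1024:65535 -j ACCEPT"
    echo "iptables -A INPUT -p udp -m multiport --sports $ports --dport 1024:65535 -j ACCEPT"
}

# Count lines produced, to show how much shorter the iptables script is.
rule_count() {
    "$@" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    echo "# ipchains ($(rule_count gen_ipchains_rules 20 21 53 80) lines):"
    gen_ipchains_rules 20 21 53 80
    echo "# iptables ($(rule_count gen_iptables_rules 20 21 53 80) lines):"
    gen_iptables_rules 20 21 53 80
fi
```

Run with `sh rules.sh --demo` to print both rule sets side by side; the output is meant to be reviewed and pasted into a firewall script, not executed blindly.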