On Tue, 2002-02-26 at 04:52, Steve Holmes wrote: > I know, but as soon as I make default policy to DENY on the input chain, > all connectivity to the outside is lost. Here was a basic set of rules at > my last test. > ipchains -P input DENY > ipchains -A input -i lo -j ACCEPT > ipchains -A input -i eth0 -j ACCEPT > ipchains -P forward DENY > ipchains -A forward -s 192.168.1.0/24 -j MASQ > ipchains -P output -j ACCEPT > Now at this point I tried adding something like > ipchains -A input -i eth1 -p ! -y --dport 1025:65535 -j ACCEPT > to the chains with no change; At this point, I can get around fine on the > local area network but from any machine inside or the firewalled machine > itself, I cannot ping anything other than the DNS itself. That is > interesting in itself. My Static ip is 24.221.98.238 and the dns is > 24.221.30.3 and I cn ping that with no trouble but I cannot ping other IP > address in other network address ranges. Not sure why that be the case. > All other protocols are "no go". ---- Is your sprint broadband subnet mask correct? does 'cat /etc/sysconfig/network' list... GATEWAYDEV = "eth1" GATEWAY = "ip_address_for_gateway_supplied_by_Sprint" ? ---- > > Just messing around, but as soon as I added a rule like > ipchains -A input -i eth1 -j ACCEPT > then it was wide open. that makes sense to me and is what I would expect. > So at least ipchains is recognizing the network devices. I do find it > interesting that ipchains -L did not specifically mention the device > names. It showed ----lo but the entries that should have been eth0 and > eth1 showed up as ------. Shouldn't it have shown the eth devices > clearly? > --- the devices involved are picked by the routing tables... route -n which should list the network address for your internal lan, the network address for your public ip, the loopback adaptor, and the last entry is for your gateway - all addresses other than those within the two network defined by your ip addresses and subnet masks bound to the nic's. I would think that ipchains possibly doesn't have to have the interfaces specifically called out except that it might slow the rule sets down to omit them. also note - that the order of the chain rules might impact how they are treated - if a packet runs into a rule that is deny/reject before accept or the default policy - it will act on that rule and that rule alone. Best way to learn is to absorb someone else's first and then play with it - which is why I gave you the URL to David Ranch's rulesets. Therefore, if you want to play with things...make a file - called reset-ipchains...chmod to 700 (executable) and have it do something like... #!/bin/sh /sbin/ipchains -P input ACCEPT /sbin/ipchains -P output ACCEPT /sbin/ipchains -P forward ACCEPT /sbin/ipchains -F input /sbin/ipchains -F output /sbin/ipchains -F forward (this will flush all chains - reset policy back to default - a good starting point) Then create another file...in psuedo code but similar to reset-ipchains above... first set all policies then flush all rulesets then do input rules then do output rules then do forward rules (masquerade) Craig