IPCHAINS


Pakrat
04-09-2001, 04:28 PM
I posted this on another forum and didn't get any response. I guess it was too specific of a question.

I was looking through the older posts about firewalls and came across a post from ****. Looking at the post, it's a little long. I was wondering if it would be quicker to put in a simple set of rules to only accept connections on eth1 from eth0.
http://www.coyotelinux.com/phorum/read.php?f=1&i=3638&t=3565
/sbin/ipchains -F                                                  # flush all chains
/sbin/ipchains -P forward DENY                                     # forward chain: default policy DENY
/sbin/ipchains -M -S 6000 120 300                                  # masquerade timeouts in seconds: tcp, tcp-fin, udp
/sbin/ipchains -A input -j DENY -d 0.0.0.0/0 23 -l -i eth1 -p tcp  # drop and log (-l) inbound telnet on eth1
/sbin/ipchains -A output -p tcp -d 0.0.0.0/0 22 -t 0x01 0x10       # set minimum-delay TOS on outgoing ssh
/sbin/ipchains -A input -i eth1 -s 10.0.0.0/8 -j DENY              # private (RFC 1918) ranges as source or
/sbin/ipchains -A input -i eth1 -d 10.0.0.0/8 -j DENY              # destination are dropped on eth1
/sbin/ipchains -A input -i eth1 -s 172.16.0.0/12 -j DENY
...goes into a LOT of input -i eth1 -s xxx.0.0.0/8 -j DENY's

I assume the eth1 is the local side and you do not want to allow external addresses to be sent directly to the internal side, but would it be quicker to just say:
If from eth0, allow; if not from eth0, deny? Pros/cons?
And could someone write up the actual command. I saw it in a HOWTO, but I can't seem to find it now.
hmm, this is very close to what I remember... anyone?
/sbin/ipchains -A input -i eth0 -d 192.168.0.0/16 -j ACCEPT
/sbin/ipchains -A input ! -i eth0 -d 192.168.0.0/16 -j DENY
/sbin/ipchains -A input -i eth1 -s 192.168.0.0/16 -j ACCEPT
/sbin/ipchains -A input ! -i eth1 -s 192.168.0.0/16 -j DENY

Another question, would blocking broadcasts on a cable modem be a good idea or a bad idea? Saw this in another HOWTO.
/sbin/ipchains -A input -i eth0 -s 0.0.0.0/0 -d 255.255.255.255/32 -j DENY
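To weigh the pros and cons of the interface-keyed rules, it helps to run them against concrete packets with ipchains' first-match semantics. The following is an added example (editor's code, not the poster's and not ipchains itself): a small simulator that models `-i`, `! -i`, `-s`, `-d` and `-j`, evaluates the four-line draft above exactly as written, and compares it with an ordering that puts the denies first. It assumes, as the draft implies but the post never states, that eth0 faces the Internet, eth1 faces the LAN, and the LAN is 192.168.0.0/16; the packets are constructed for the example, and `as_ipchains` renders a rule back into the command line it models.

```python
"""First-match simulation of ipchains input-chain rules from the post.

Assumption (not stated on the page): eth0 faces the Internet, eth1 the LAN,
and the LAN is 192.168.0.0/16. Packets below are constructed sample data.
"""
import ipaddress

ANY = "0.0.0.0/0"
LAN = "192.168.0.0/16"
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def rule(target, iface=None, neg_iface=False, src=ANY, dst=ANY):
    """One ipchains rule: [!] -i IFACE -s SRC -d DST -j TARGET."""
    return {"target": target, "iface": iface, "neg_iface": neg_iface,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst)}


def matches(r, pkt):
    """True when the rule matches the packet; honours the '!' on -i."""
    if r["iface"] is not None:
        on_iface = pkt["iface"] == r["iface"]
        if on_iface == r["neg_iface"]:      # -i wants True, ! -i wants False
            return False
    return (ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"])


def evaluate(chain, pkt, policy="ACCEPT"):
    """ipchains semantics: first matching rule decides, else the chain policy."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy


def as_ipchains(r, chain="input"):
    """Render a modelled rule as the ipchains command it stands for."""
    parts = ["/sbin/ipchains", "-A", chain]
    if r["iface"] is not None:
        parts += (["!"] if r["neg_iface"] else []) + ["-i", r["iface"]]
    if str(r["src"]) != ANY:
        parts += ["-s", str(r["src"])]
    if str(r["dst"]) != ANY:
        parts += ["-d", str(r["dst"])]
    return " ".join(parts + ["-j", r["target"]])


# The poster's four-line draft, in the order given.
POSTED = [
    rule("ACCEPT", iface="eth0", dst=LAN),
    rule("DENY", iface="eth0", neg_iface=True, dst=LAN),
    rule("ACCEPT", iface="eth1", src=LAN),
    rule("DENY", iface="eth1", neg_iface=True, src=LAN),
]

# Denies before accepts: loopback first (a '! -i' rule would otherwise match
# lo), then private sources and broadcast on the Internet side, then the LAN.
HARDENED = (
    [rule("ACCEPT", iface="lo")]
    + [rule("DENY", iface="eth0", src=net) for net in RFC1918]
    + [rule("DENY", iface="eth0", dst="255.255.255.255/32")]
    + [rule("DENY", iface="eth1", neg_iface=True, src=LAN),
       rule("ACCEPT", iface="eth1", src=LAN)]
)

# Constructed packets: (interface seen on, source, destination).
PACKETS = {
    "lan_to_router":   {"iface": "eth1", "src": "192.168.1.5", "dst": "192.168.1.1"},
    "loopback":        {"iface": "lo", "src": "192.168.1.1", "dst": "192.168.1.1"},
    "spoofed_lan_src": {"iface": "eth0", "src": "192.168.1.5", "dst": "192.168.1.10"},
    "spoofed_10net":   {"iface": "eth0", "src": "10.1.2.3", "dst": "203.0.113.7"},
    "broadcast":       {"iface": "eth0", "src": "198.51.100.9", "dst": "255.255.255.255"},
    "normal_reply":    {"iface": "eth0", "src": "198.51.100.9", "dst": "203.0.113.7"},
}


def verdicts(chain):
    """Verdict of every sample packet under the given chain."""
    return {name: evaluate(chain, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, chain in (("posted", POSTED), ("hardened", HARDENED)):
        print(f"--- {label} ---")
        for r in chain:
            print(as_ipchains(r))
        for name, verdict in verdicts(chain).items():
            print(f"{name:16} {verdict}")
```

Two things the simulation makes visible. In the draft, `! -i eth0 -d 192.168.0.0/16 -j DENY` sits before the eth1 ACCEPT, so a LAN host talking to the router's own LAN address (and the router talking to itself over lo) is denied, while a packet arriving on eth0 with a forged 192.168 source and a LAN destination is accepted by the first rule; interface checks only protect you when the deny for "LAN source on the wrong interface" comes before any accept. With the denies first, the spoofed-source, private-range and broadcast packets are dropped, ordinary replies to the router's public address still fall through to the chain policy, and the loopback accept keeps the `! -i` rule from hitting local traffic.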