Strong firewall ruleset with masquerading


fsvara
03-16-2001, 12:31 PM
I am building a Linux router for my DSL connection. I have got it to masquerade my LAN with the following ipchains commands (dumbly copied from a tutorial):
# masquerading timeouts: tcp, tcp-after-fin, udp
ipchains -M -S 7200 10 160
# nothing is forwarded unless a rule allows it
ipchains -P forward DENY
# masquerade everything from the LAN (the chain name "forward" is required here)
ipchains -A forward -s 192.168.0.0/255.255.255.0 -j MASQ

This works.
Now I'd like to know how I get it to become a fairly secure firewall. I have the ipchains HOWTO, so actually USING ipchains won't be the problem, just what to do with it.

And btw, what does ipchains -M -S 7200 10 160 mean? I know it's something about timeouts, but what exactly? 7200 seems quite a lot for a timeout to me, if it is measured in seconds...


fsvara

jumpedintothefire
03-16-2001, 05:23 PM
check out: http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c-10.html#ss10.7

paco
03-17-2001, 09:26 AM
try typing: man ipchains @ your command line

you can find it there.....

but I can also tell you:

-M : for saying that you want to set a masquerading option

-S : is for setting timeout values
-S <tcp> <tcpfin> <udp>

So you're setting the following timeouts:

tcp : 7200 secs = 2 hours
tcpfin : 10 secs (end packet of a TCP session)
udp : 60 secs

So if you start a TCP session it will stay open for 2 hours if you do nothing, but when you close the session correctly (sending a FIN packet) it will close after 10 secs.

A started UDP session times out after 1 min. of inactivity.

About strong firewalling, you can use :

# Set standard input-policy DENY
#
ipchains -P input DENY

# read as : input rule;
# all proto's entering at intdev (eth0 or eth1)
# going anywhere is valid
#
ipchains -A input -p all -i <intdev> -s 0/0 -d 0/0 -j ACCEPT

# Same as above, only all proto's entering
# at extdev going anywhere, get lost !!

ipchains -A input -p all -i <extdev> -s 0/0 -d 0/0 -j DENY

Furthermore, there are many sites containing demo scripts for all types of firewalls.

Hope you can do something with it.
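A complete ruleset in the shape paco sketches above, combined with the first poster's masquerading commands, as an added example that is not code from the thread or from the TrinityOS page it links to. It assumes ppp0 as the DSL interface, eth0 as the LAN interface and 192.168.0.0/24 as the LAN prefix; the DRY_RUN switch and the rule() wrapper are the example's own devices so that the generated commands can be reviewed on a machine without an ipchains kernel.

```shell
#!/bin/sh
# Added example: ipchains ruleset for a DSL masquerading router.
# Interface names, the LAN prefix and the DRY_RUN switch are assumptions
# made for this example, not values from the original thread.
#
# DRY_RUN=1 (the default) prints the commands so the ruleset can be reviewed
# offline; DRY_RUN=0 executes them (needs root and an ipchains kernel).

EXTDEV=${EXTDEV:-ppp0}            # DSL side (assumed name)
INTDEV=${INTDEV:-eth0}            # LAN side (assumed name)
LAN=${LAN:-192.168.0.0/24}        # masqueraded LAN, as in the first post
DRY_RUN=${DRY_RUN:-1}

rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

build_ruleset() {
    # Start from a clean slate: flush built-in chains, delete user chains.
    rule ipchains -F
    rule ipchains -X

    # Default policies: nothing comes in or is forwarded unless a rule says so.
    # Replies to our own outbound traffic are admitted by explicit rules below.
    rule ipchains -P input DENY
    rule ipchains -P forward DENY
    rule ipchains -P output ACCEPT

    # Loopback and the trusted LAN interface are wide open.
    rule ipchains -A input -i lo -j ACCEPT
    rule ipchains -A input -i "$INTDEV" -s "$LAN" -j ACCEPT

    # Anti-spoofing: packets arriving on the DSL link must not claim to be
    # from the LAN or from loopback. -l logs the hit through the kernel log.
    rule ipchains -A input -i "$EXTDEV" -s "$LAN" -j DENY -l
    rule ipchains -A input -i "$EXTDEV" -s 127.0.0.0/8 -j DENY -l

    # Inbound TCP from the Internet only if it is not a connection request:
    # "! -y" matches packets that are not SYN-only, i.e. replies to sessions
    # we opened. New inbound connections (SYN) fall through to the final DENY.
    rule ipchains -A input -i "$EXTDEV" -p tcp ! -y -j ACCEPT

    # ipchains keeps no UDP state, so only answers from DNS servers are let in.
    rule ipchains -A input -i "$EXTDEV" -p udp --source-port 53 -j ACCEPT

    # Enough ICMP to keep ping, traceroute and path MTU discovery working.
    for t in echo-reply destination-unreachable time-exceeded; do
        rule ipchains -A input -i "$EXTDEV" -p icmp --icmp-type "$t" -j ACCEPT
    done

    # Anything else arriving from the outside is dropped and logged.
    rule ipchains -A input -i "$EXTDEV" -j DENY -l

    # Masquerade LAN traffic leaving via the DSL link. In the forward chain
    # -i names the outgoing interface. Timeouts: TCP 2 h, TCP after FIN 10 s,
    # UDP 160 s (the values from the first post).
    rule ipchains -M -S 7200 10 160
    rule ipchains -A forward -i "$EXTDEV" -s "$LAN" -j MASQ
}

enable_forwarding() {
    # Masquerading does nothing unless the kernel forwards packets at all.
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

build_ruleset
enable_forwarding
```

Run it as root with DRY_RUN=0 to apply. The `! -y` rule is the ipchains way to get "established" semantics for TCP without connection tracking; UDP has no equivalent, so only DNS replies are admitted here and any other UDP service used from the LAN needs its own source-port rule.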