Do something like:

# for initialisation - deny everything that will not be allowed later...
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output DENY
ipchains -F

# allow local things
ipchains -A input -j ACCEPT -i lo
ipchains -A output -j ACCEPT -i lo

# allow SSH connections from eth1 (and reply packets)
ipchains -A input -j ACCEPT -p tcp -i eth1 -s 0.0.0.0/0 1024: -d <IP of eth1> 22
ipchains -A output -j ACCEPT -p tcp -i eth1 -d 0.0.0.0/0 1024: -s <IP of eth1> 22

AFAIR you don't have to worry about response packets from masqueraded
connections. They will bypass the input and output chains.

For the timeout of masquerading see the -S option of ipchains. I think it
is not the best idea to make connections never time out (quite sure it is
not even possible) because you will eventually run out of port numbers.
Just set it to a reasonably high value - like one hour - don't know what
the max is.

Tobias

On Sun, May 27, 2001 at 03:23:58PM -0500, Andrew Perrin wrote:
> I now have a DSL connection, and as such would like to use ipchains to do
> the following:
>
> 1.) Deny all incoming packets coming in on eth1 (the card connected to the
> DSL gateway) except those destined for port 22 (ssh) or ICMP packets, or
> of course packets responding to outgoing packets; and
>
> 2.) Make masqueraded connections from other machines on my private network
> never time out.
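The ruleset in the reply is a default-deny policy with two explicit allow rules, and ipchains evaluates a chain top to bottom, first match wins, falling back to the chain's -P policy. The following is an added example, not code from the thread or from ipchains itself: a small offline evaluator that parses exactly the -P/-F/-A subset used above and answers "would this packet be accepted?" so the policy can be checked before it is loaded on the box. It assumes 203.0.113.10 as a constructed stand-in for "<IP of eth1>" and 198.51.100.7 as a constructed remote address; masquerading (MASQ targets, -S timeouts, reply handling) is deliberately not modelled.

```python
"""Offline evaluator for the ipchains rule subset used in the reply (added example)."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple

FIREWALL_IP = "203.0.113.10"   # constructed stand-in for "<IP of eth1>"

# The reply's ruleset with the placeholder filled in (constructed values).
RULESET = f"""
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output DENY
ipchains -F
ipchains -A input -j ACCEPT -i lo
ipchains -A output -j ACCEPT -i lo
ipchains -A input -j ACCEPT -p tcp -i eth1 -s 0.0.0.0/0 1024: -d {FIREWALL_IP} 22
ipchains -A output -j ACCEPT -p tcp -i eth1 -d 0.0.0.0/0 1024: -s {FIREWALL_IP} 22
"""

@dataclass
class Rule:
    target: str
    proto: Optional[str] = None
    iface: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    sport: Optional[Tuple[int, int]] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[Tuple[int, int]] = None

@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def _parse_ports(spec):
    """'22' -> (22, 22); '1024:' -> (1024, 65535); ':1023' -> (0, 1023); '5:9' -> (5, 9)."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo or 0), int(hi or 65535))
    return (int(spec), int(spec))

def _parse_addr(tokens, i):
    """Consume 'addr[/mask] [port-spec]' starting at tokens[i]; return (net, ports, next_i)."""
    net = ipaddress.ip_network(tokens[i], strict=False)
    i += 1
    ports = None
    if i < len(tokens) and not tokens[i].startswith("-"):
        ports = _parse_ports(tokens[i])
        i += 1
    return net, ports, i

def load_ruleset(text):
    """Build {chain: {"policy": str, "rules": [Rule]}} from ipchains command lines."""
    chains = {c: {"policy": "ACCEPT", "rules": []} for c in ("input", "forward", "output")}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "ipchains":
            continue                      # skip comments and blank lines
        if tok[1] == "-P":                # default policy for a chain
            chains[tok[2]]["policy"] = tok[3]
        elif tok[1] == "-F":              # flush all rules (policies stay)
            for c in chains.values():
                c["rules"].clear()
        elif tok[1] == "-A":              # append a rule to a chain
            rule, i = Rule(target="ACCEPT"), 3
            while i < len(tok):
                opt = tok[i]
                if opt in ("-s", "-d"):
                    net, ports, i = _parse_addr(tok, i + 1)
                    if opt == "-s":
                        rule.src, rule.sport = net, ports
                    else:
                        rule.dst, rule.dport = net, ports
                    continue
                arg = tok[i + 1]
                if opt == "-j":
                    rule.target = arg
                elif opt == "-p":
                    rule.proto = arg.lower()
                elif opt == "-i":
                    rule.iface = arg
                else:
                    raise ValueError(f"unsupported option {opt!r} in: {line}")
                i += 2
            chains[tok[2]]["rules"].append(rule)
    return chains

def _matches(rule, pkt):
    """Every option given on a rule must match; unspecified options match anything."""
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.src and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.sport and not (rule.sport[0] <= pkt.sport <= rule.sport[1]):
        return False
    if rule.dport and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    return True

def verdict(chains, chain, pkt):
    """First matching rule decides; otherwise the chain's default policy applies."""
    for rule in chains[chain]["rules"]:
        if _matches(rule, pkt):
            return rule.target
    return chains[chain]["policy"]

CHAINS = load_ruleset(RULESET)

def check_policy():
    """Run constructed probe packets through the chains; returns {description: verdict}."""
    inet = "198.51.100.7"   # constructed remote address
    probes = {
        "ssh from internet":        ("input",  Packet("eth1", "tcp", inet, FIREWALL_IP, 40000, 22)),
        "ssh reply to internet":    ("output", Packet("eth1", "tcp", FIREWALL_IP, inet, 22, 40000)),
        "telnet from internet":     ("input",  Packet("eth1", "tcp", inet, FIREWALL_IP, 40000, 23)),
        "ssh from low source port": ("input",  Packet("eth1", "tcp", inet, FIREWALL_IP, 80, 22)),
        "ping from internet":       ("input",  Packet("eth1", "icmp", inet, FIREWALL_IP)),
        "loopback":                 ("input",  Packet("lo", "tcp", "127.0.0.1", "127.0.0.1", 5000, 22)),
    }
    return {name: verdict(CHAINS, chain, pkt) for name, (chain, pkt) in probes.items()}

if __name__ == "__main__":
    for name, result in check_policy().items():
        print(f"{name:26s} -> {result}")
```

Running it shows the SSH connection and its reply accepted, loopback accepted, and everything else falling through to DENY. Two of the denials are worth noticing when comparing the reply against the original question: the ICMP probe is denied because the ruleset contains no ICMP rule, and an SSH client using a source port below 1024 is denied by the "1024:" range on the -s side.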