Okay. Thanks for all y'all's replies. More questions.
This seems to work, but it doesn't seem to work with masquerading. Here's
my setup:
internet
|
|
linux box (redhat 7.0)
| (1.2.3.4/255.255.255.0, eth1)
| (10.0.0.254/255.0.0.0, eth0)----->local network (below)
|
|
clients on lan (10.0.0.101 - 10.0.0.199, netmask 255.0.0.0)
On the Linux box, I would like to run a bunch of services (http, ssh, ftp,
etc.). But I don't want any of those services to show up from a portscan
from the internet. However, on the localnet I of course want all those
services to be enabled. Also, the internal network needs NAT (ipmasq) to
the internet through this linux box.
I would also like to allow select services (http and ftp) to be available to
select internet IP addresses. I've gotten some help on this part, but I
think I need the above working before I can get this to work.
Also, I know there is the ipchains HOWTO. Read that. I know there is
"securing and optimizing rh linux" book. I've read the ipchains and
firewalling sections of that too. I must be retarded.
To give you a clue of how clueless I am, here's some of the things I've
tried so far:
echo "Enabling firewall and NAT..."
I=/sbin/ipchains
ML=/sbin/modprobe
$I -F
$I -P forward DENY
$I -A forward -s 10.0.0.0/8 -j MASQ
$ML ip_masq_ftp
$ML ip_masq_icq
$ML ip_masq_portfw
$ML ip_masq_autofw
ipchains -A input -s 10.0.0.0/8 -j ACCEPT
ipchains -A input -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
ipchains -A input -s 10.0.0.0/8 -d 65.0.81.146/24 -j ACCEPT
ipchains -A input -s 216.65.146.134/24 -j ACCEPT
ipchains -A input -s 216.65.146.134/24 -d 10.0.0.0/8 -j ACCEPT
ipchains -A input -s 216.65.146.134/24 -d 65.0.81.146/24 -j ACCEPT
ipchains -P input DENY
#instead of denying everyone, try specific deny.
ipchains -A input -i eth1 -p tcp -s 0.0.0.0/0 -d 65.0.81.146/24 80 -j DENY
Again, thanks for all your help.
Dan Browning
Network & Database Administrator
Cyclone Computer Systems
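An added example, not code from Dan or Drew, that puts the pieces of this thread together as a dry-run script: LAN side fully open, LAN masqueraded to the Internet, Internet side closed except http/ftp from chosen hosts, plus an input rule for replies to masqueraded connections, which on a 2.2 kernel come back addressed to the external IP on ports 61000:65096 and cross the input chain before being demasqueraded (so a bare `-P input DENY` blocks them). The allowed hosts, the interface/address values and the kernel masquerade port range are assumptions; by default the script only prints the commands.

```shell
# Added example (not from any poster): dry-run generator for the rule set the
# thread describes. Addresses are placeholders; set RUN=ipchains to apply.
EXT_IF=eth1;  EXT_IP=1.2.3.4          # Internet side
INT_IF=eth0;  LAN=10.0.0.0/8          # LAN side
MASQ_PORTS=61000:65096                # 2.2-kernel masquerade port range (assumed default)
ALLOWED="192.0.2.10 198.51.100.7"     # constructed example Internet hosts
UNPRIVPORTS=1024:65535
RUN="${RUN:-echo ipchains}"           # default: print the commands instead of running them

rules() {
  $RUN -F
  $RUN -P input DENY
  $RUN -P forward DENY
  $RUN -P output ACCEPT
  # loopback and everything from the LAN side: all local services reachable
  $RUN -A input -i lo -j ACCEPT
  $RUN -A input -i "$INT_IF" -s "$LAN" -j ACCEPT
  # anti-spoofing: a LAN source address must never arrive on the Internet interface
  $RUN -A input -i "$EXT_IF" -s "$LAN" -j DENY -l
  # replies to masqueraded connections are addressed to the external IP in the
  # masquerade port range and pass the input chain before demasquerading;
  # without these two rules the DENY policy silently breaks NAT for the LAN
  $RUN -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" "$MASQ_PORTS" -j ACCEPT
  $RUN -A input -i "$EXT_IF" -p udp -d "$EXT_IP" "$MASQ_PORTS" -j ACCEPT
  # ICMP errors (unreachable, fragmentation needed) keep PMTU discovery working
  $RUN -A input -i "$EXT_IF" -p icmp -j ACCEPT
  # only the listed Internet hosts may reach http (80) and ftp control (21);
  # the non-SYN rule to port 20 lets active-mode ftp-data connections complete
  for host in $ALLOWED; do
    $RUN -A input -i "$EXT_IF" -p tcp -s "$host" "$UNPRIVPORTS" -d "$EXT_IP" 80 -j ACCEPT
    $RUN -A input -i "$EXT_IF" -p tcp -s "$host" "$UNPRIVPORTS" -d "$EXT_IP" 21 -j ACCEPT
    $RUN -A input -i "$EXT_IF" -p tcp ! -y -s "$host" "$UNPRIVPORTS" -d "$EXT_IP" 20 -j ACCEPT
  done
  # everything else arriving from the Internet is logged and dropped, so to a
  # port scan the remaining services simply are not there
  $RUN -A input -i "$EXT_IF" -j DENY -l
  # masquerade LAN traffic leaving through the Internet interface
  $RUN -A forward -i "$EXT_IF" -s "$LAN" -j MASQ
}

# number of generated rules containing a given string (used for self-checks)
count_rules() { rules | grep -c -- "$1"; }
```

Run as `sh script.sh` to review the generated commands, then `RUN=ipchains sh script.sh` as root to load them (the ip_masq_ftp module is still needed for LAN clients' active ftp).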
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Drew Hunt
> Sent: Wednesday, October 11, 2000 6:55 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Firewall configuration question: httpd appears to some ip
> addresses, but to others
>
>
> Try this in your firewall script:
>
> --------------------------------------
> UNPRIVPORTS="1024:65535"
>
> #deny policy for all IPs on port 80
> ipchains -P input DENY
>
> #another way specific to 80
> ipchains -A input -i <external interface: e.g. eth0> -p tcp -s 0.0.0.0/0 \
>     -d <local IP address> 80 -j DENY
>
> #allowing specific IPs to port 80
> ipchains -A input -i <external interface> -p tcp -s <allowed IP address> $UNPRIVPORTS \
>     -d <local IP address> 80 -j ACCEPT
>
> ipchains -A output -i <external interface> -p tcp ! -y -s <local IP address> 80 \
>     -d <allowed IP address> $UNPRIVPORTS -j ACCEPT
> -------------------------------------------
>
> You will need to repeat the set of ACCEPT lines for every IP
> you want to
> allow, unless you are looking to add a range. If so, use the
> subnet mask
> (e.g. 192.168.0.0/16, I think that's correct) instead of the other
> computer's IP address. This method is less secure, but convenient.
>
> Drew
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Dan Browning
> Sent: Monday, October 09, 2000 11:52 AM
> To: [EMAIL PROTECTED]
> Subject: Firewall configuration question: httpd appears to some ip
> addresses, but to others
>
>
> I would like to set up an httpd server (port 80), but only allow
> the port to appear as 'open' for certain ip addresses--for all
> others I would like it to appear closed. I bet this can easily be
> done with a few ipchains commands, does anyone have any hints?
>
> Environment: RedHat 7.0, dual Xeon, Cable net access.
>
> I'm still learning ipchains. Thanks for the help.
>
> Dan Browning
> Network & Database Administrator
> Cyclone Computer Systems
>
>
>
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list