Solved

firewall question

Posted on 1998-11-11
3
257 Views
Last Modified: 2010-03-18
I'm trying to filter something out but I have som problems.
I don't want my machine to ansver to ping but I like to be able to ping others How do I fix that. Then I like to filter out almost everyting under port 1024 eccept ftp, www, ssh, auth so i added this:

/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :20 -j ACCEPT  
/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :21 -j ACCEPT  
/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :22 -j ACCEPT  
/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :25 -j ACCEPT  
/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :137 -j ACCEPT
/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :138 -j ACCEPT
/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :139 -j ACCEPT      
/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :113 -j ACCEPT  
/sbin/ipchains -A input -p UDP -s 0.0.0.0/0 :635 -j ACCEPT  
/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :1024 -j REJECT

But now I can't log in using ssh on port 22. How can I solve this???
0
Comment
Question by:wqclatre
  • 2
3 Comments
 
LVL 1

Expert Comment

by:canacar
ID: 1587650
Well, there are a couple of things here ...

1. since you are using ipchains, I assume you are using the 2.1.x development kernel
    else you should have patched your 2.0.x kernel (see IPCHAINS HOWTO) to support
    ipchains

2. to filter out ping requests, use -p icmp -s 0/0 8 (echo request)
    this does not block ping replies. Are you sure you really want to block ping
    (ok, there are ping based denial of service attacks, but I think (but have not looked it           up) latest kernels have code to protect you from such attacks...

3. your filtering rules are all wrong!

    first of all, you are giving a port range at each step, ':' at the start means
    from port 0 to the given port.

    you are filtering based on SOURCE ports.
    you should have rules like -p TCP -d <interface address> port -j ACCEPT
    type filters based on destination port (i.e. ports on your machine, where services
    are listening)

     therefore, if you have placed a default deny-all rule, you are not, in fact, enabling
     any ports, which may be why ssh (or any other service) is working.

5. Since I am not using ipchains, and have no facility to test what i have written
    I am posting it as a comment, based on ipchains-HOWTO, and basic TCP/IP
    knowledge.Try these (and try to read the HOWTO) and let me know how it came out
 
0
 
LVL 2

Author Comment

by:wqclatre
ID: 1587651
Thanks. Now it works fine. One question. You asked if I was sure that I wanted to filter out ping. Can you give mi an exampel why I don't should do that???

Mark the question as answerd...
0
 
LVL 1

Accepted Solution

by:
canacar earned 50 total points
ID: 1587652
Well...

although you will not lose anything if you disable ping
(i do not know any tools or protocols that depend on ping)

it is a tool for determining if your computer is alive,
and for testing out network problems (along with traceroute)

I, as a system admin, would be irritated if a computer
with an open connection to my server would not respond to
my ping requests. And I would possibly look for routing problems.

so if you are using dial-up networking, and your machine is on the net
for brief amounts of time, it is not a problem if you disable ping or not
but for a computer on a LAN it is an admins nightmare...

hope this helps...

0

Featured Post

Save on storage to protect fatherhood memories

You're the dad who has everything. This Father's Day, make sure your family memories are protected. My Passport Ultra has automatic backup and password protection to keep your cherished photos and videos safe. With up to 3TB, you have plenty of room to hold the adventures ahead.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now