• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 299

firewall question

I'm trying to filter something out but I have some problems.
I don't want my machine to answer to ping, but I'd like to be able to ping others. How do I fix that? Then I'd like to filter out almost everything under port 1024 except ftp, www, ssh, auth, so I added this:

/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :20 -j ACCEPT
/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :21 -j ACCEPT
/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :22 -j ACCEPT
/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :25 -j ACCEPT
/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :137 -j ACCEPT
/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :138 -j ACCEPT
/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :139 -j ACCEPT
/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :113 -j ACCEPT
/sbin/ipchains -A input -p UDP -s 0.0.0.0/0 :635 -j ACCEPT
/sbin/ipchains -A input -p TCP -s 0.0.0.0/0 :1024 -j REJECT

But now I can't log in using ssh on port 22. How can I solve this???
Asked by: wqclatre
1 Solution
canacar Commented:
Well, there are a couple of things here ...

1. Since you are using ipchains, I assume you are using the 2.1.x development kernel;
    otherwise you should have patched your 2.0.x kernel (see the IPCHAINS HOWTO) to support
    ipchains.

2. To filter out ping requests, use -p icmp -s 0/0 8 (echo request).
    This does not block ping replies. Are you sure you really want to block ping?
    (OK, there are ping-based denial of service attacks, but I think (but have not looked it up) the latest kernels have code to protect you from such attacks...)

3. Your filtering rules are all wrong!

    First of all, you are giving a port range at each step: ':' at the start means
    from port 0 to the given port.

    You are filtering based on SOURCE ports.
    You should have rules like -p TCP -d <interface address> port -j ACCEPT.
    This type of filter is based on the destination port (i.e. ports on your machine, where services
    are listening).

    Therefore, if you have placed a default deny-all rule, you are not, in fact, enabling
    any ports, which may be why ssh (or any other service) is working.

5. Since I am not using ipchains, and have no facility to test what I have written,
    I am posting it as a comment, based on the ipchains-HOWTO and basic TCP/IP
    knowledge. Try these (and try to read the HOWTO) and let me know how it came out.
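
A corrected ruleset along the lines canacar describes (match services on the destination port with -d, treat a ':N' port spec as the range 0..N, block only ICMP echo requests), written here as an added example for this thread and not code posted by either participant. It assumes a placeholder host address 192.0.2.10 in MY_ADDR, the /sbin/ipchains path used in the question, and the service list the question names (ftp, www, ssh, auth); when the ipchains binary is not present it prints the rules instead of applying them, so it can be reviewed on any machine.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumptions, labelled:
#   MY_ADDR  - this host's address; 192.0.2.10 is a placeholder (TEST-NET-1)
#   IPCHAINS - path of the ipchains binary, as used in the question
MY_ADDR="${MY_ADDR:-192.0.2.10}"
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

# Emit one input-chain rule keyed on the DESTINATION port (-d host port).
# The source port of an incoming connection is picked by the remote client,
# so an ACCEPT keyed on it says nothing about which local service is reached.
#   $1 protocol, $2 port or lo:hi range, $3 target
rule() {
    printf '%s -A input -p %s -d %s %s -j %s\n' "$IPCHAINS" "$1" "$MY_ADDR" "$2" "$3"
}

# Print the complete ruleset in order. ipchains stops at the first matching
# rule, so the ACCEPTs for wanted services must come before the catch-all.
build_rules() {
    # Drop ICMP echo requests (type 8) addressed to us. Echo replies (type 0)
    # coming back from our own pings are not touched, so pinging out still works.
    printf '%s -A input -p icmp -s 0/0 8 -d %s -j DENY\n' "$IPCHAINS" "$MY_ADDR"
    # Services that stay reachable: ftp-data, ftp, ssh, www, auth.
    for p in 20 21 22 80 113; do
        rule tcp "$p" ACCEPT
    done
    # Everything else in the privileged range is refused. Note that 0:1023 is a
    # range; the original rules' ":22" was also a range (0-22), just on the
    # wrong side of the connection.
    rule tcp 0:1023 REJECT
    rule udp 0:1023 REJECT
}

# Sanity checks to run before applying: how many rules name a given port,
# and how many rules there are in total.
count_rules_for_port() {
    build_rules | grep -c -- " $1 -j "
}
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# Apply the rules, or just print them when DRY_RUN=1 or ipchains is absent.
apply_rules() {
    if [ "${DRY_RUN:-0}" = 1 ] || [ ! -x "$IPCHAINS" ]; then
        build_rules
        return 0
    fi
    build_rules | while IFS= read -r line; do
        sh -c "$line" || { echo "failed: $line" >&2; exit 1; }
    done
}
```

Run it once with DRY_RUN=1 and read the output top to bottom: the echo-request DENY first, five service ACCEPTs, then the two catch-all REJECTs. If you add a service later, it goes in the port list, never below the REJECTs.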
wqclatre (Author) Commented:
Thanks. Now it works fine. One question. You asked if I was sure that I wanted to filter out ping. Can you give me an example of why I shouldn't do that???

Mark the question as answered...
canacar Commented:
Well...

Although you will not lose anything if you disable ping
(I do not know any tools or protocols that depend on ping),

it is a tool for determining if your computer is alive,
and for testing out network problems (along with traceroute).

I, as a system admin, would be irritated if a computer
with an open connection to my server would not respond to
my ping requests, and I would possibly look for routing problems.

So if you are using dial-up networking, and your machine is on the net
for brief amounts of time, it is not a problem whether you disable ping or not,
but for a computer on a LAN it is an admin's nightmare...

hope this helps...
