Firewall question.

I need some help with my firewall rules.

I have 2 machines connected to the internet.
Each machine has 2 network cards and is connected to a local net through eth1.

I would like to filter out everything on eth0 except samba, mail, www, ftp, ident, ssh, icq, quake (on ports 27500 and 28000). I would like to filter out ping, but I would like to be able to ping other machines (and I would like my other machine to be able to ping me).

Then I have a machine ( which is connected to the internet through my machine (ip-masquerading). Now I wonder how to set up those rules with ipchains.

I don't understand the HOWTO so well. I have started with these rules:

/sbin/ipchains -A input -s echo-request -p icmp -j ACCEPT
/sbin/ipchains -A input -s echo-request -p icmp -j ACCEPT
/sbin/ipchains -A input -s echo-request -p icmp -j ACCEPT
/sbin/ipchains -A input -s y.y.y.y/32 echo-request -p icmp -j ACCEPT
/sbin/ipchains -A input -s 0/0 echo-request -p icmp -j REJECT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :80 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :20 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :21 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :22 -j ACCEPT    
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :25 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :137 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :138 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :139 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :113 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :512 -j ACCEPT
/sbin/ipchains -A input -s evil-crackur/32 -j REJECT
/sbin/ipchains -A input -s evil-crackur/32 -j REJECT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :1024 -j REJECT

echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/ipchains -A forward -j MASQ -s -d
/usr/sbin/ipmasqadm autofw -A -p tcp 8000
/usr/sbin/ipmasqadm autofw -A -p tcp 8020
/usr/sbin/ipmasqadm autofw -A -p tcp 8021
/usr/sbin/ipmasqadm autofw -A -p tcp 8022    

x.x.x.x is the IP number of my machine (eth0). y.y.y.y is the IP of eth0 on my other machine.

10.0.0.x are the numbers of my local net.
I would like to filter out all UDP that is not needed (not DNS) to my eth0. I get many unwanted connections to my portmap, and I would like only the 10.0.0.x machines to be able to connect to my portmap.

How do I set this up? What have I forgotten? How many more rules do I need to get my machine quite safe? Are my rules above ok?

Can someone help me setting up my rules???

Is /etc/rc.d/rc.local a good place to put the rules in?
I maintain a large firewall that handles the traffic for 3 T1's at our office and does accounting for it. Your rule set is very complex, but I do the same thing for my hosts. I have read your configuration and have a few comments to make on it.

First of all: be sure you know that any incoming packet comes into the firewall system and moves down the list of rules until it reaches a rule that matches it. It is then handled based on that rule and forgotten (except for the packet and byte counters, which are updated).

To configure your network, first start like this:
ipchains -P input -j DENY

This will force all input to be denied by default. Then you can start adding the rules that you wish to the chains. To do this use the
ipchains -I input ......
command. This inserts the new rule above the others, so it will override the others below it.

Your question is worded vaguely, but from what I can understand you need to only open up a few ports on this machine and need to masquerade for the other hosts.

As for your rules, you are using all of them correctly, but I should note a few things I see that might cause problems:

When you are specifying a port to accept, just do it like this: -d x.x.x.x port[:port].
If you use the : flag you are saying allow the ports between port1:port2, and allow connections on port1 and port2 as well. No netmask is needed for single hosts.

For your masquerading, I am unsure if ipmasqadm will work with ipchains, but I don't think it does. It looks like you are forwarding the traffic on the ports to another IP address on your internal network; I am not sure how this is handled, but I will look into it for you.

I have included a basic command for a rule below so you can see how to set it up.

ipchains -I input -p icmp|tcp|udp -s 0/0 -d x.x.x.x/32 -j ACCEPT|DENY

A lot of your rules have no source address, which is recommended even if it is 0/0. Hope this helps you.
Maybe an easier way to work that out is the /etc/hosts.deny and /etc/hosts.allow files.
You can set up wanted/unwanted connections in those; for example, you can add ALL: ALL in /etc/hosts.deny and set up the wanted services in /etc/hosts.allow (for example ALL: LOCAL, or ALL: <the IP of your other machine>, and <service (for example in.telnetd or http)>: ALL EXCEPT <ip mask>, and so on).
Really useful, and easier than the firewall business. I reckon that a well set up firewall is only needed for people with complete paranoia and/or a BIG network.

wqclatreAuthor Commented:
Well, I'm paranoid! I still like to set up a firewall....
wqclatreAuthor Commented:
BTW! How do I filter out ping with /etc/hosts.deny???
I'm tired of smurf pings.
I have not used ipchains, but if it's anything like ipfwadm, a rule starting with A is an accounting rule; you probably want to use F for firewall/forward. Try that!
hosts.deny ain't going to help you when the traffic is passing through the box and it does not involve any service on the unit.

Firewall rules look like Accounting to me.
wqclatreAuthor Commented:
-A means add to chain. And -F means flush (delete all rules in a chain or all chains), and that's definitely not what I want to do.
For most, if not all, services you will need two-way filters, i.e. you can send a packet out and generally you will need to allow the return packet. I'm not familiar with ipchains, but you probably need to allow echo-reply from the host you want to ping to the host you ping from. Also, it's best to allow in anything to a port number above 1024 from allowed services (i.e. 80/23/20/21/25 etc.), as this will be the response to web transfer, telnet etc. You can see this if you telnet to a machine and run netstat; it will show you the ports in use at both ends.
wqclatreAuthor Commented:
I don't think it's a good idea to allow telnet. And if I filter out everything except 80/23/20/21/25, the DNS doesn't work, and I don't think that's so good. And why shall I allow ports over 1024?
When do they need them? Isn't it a good idea to filter out X11 connections? Well, I think that I found out most of my problems, but I'm not sure if my rules are ok (now I have more rules than above). I have a big problem. I can't do a ls /. I can do a ls anywhere else. What can this problem be? What shall I allow?

The port numbers mentioned were intended as an example, not a recommendation on what to allow. With regard to ports above 1024, these are outgoing ports from the client, which then become incoming for responses from the server. I.e. a web transfer goes out to port 80 on the server from the next available outgoing port number, e.g. 1031. Then the webserver sends data back from its port 80 to your port 1031, hence you need to allow this data through or you'd never see any web pages. The most secure way of filtering is to deny everything, then build up the services that you need. If you don't need X11, filter it, although I'm not sure on port numbers etc.; I think it uses icmp packets, but don't quote me. What is your problem with ls? Surely this is not related to IP filters? Maybe another question is in order with more details, after awarding me the points of course!!
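The following rule script is an added example, not code from the original poster or from any of the replies. It puts together the advice given in this thread: set the default policy to DENY first, give every rule an explicit source (0/0 where it really means "anyone"), drop the /32 netmask on single-host destinations, write port ranges as port:port, match only the connection-opening SYN (-y) on inbound services, and then allow the return half of each conversation (TCP replies to client ports above 1024, DNS replies over UDP, and ICMP echo-reply so outgoing pings work while inbound echo-request is accepted only from the other machine). Portmap (111) is reachable only through eth1 from the 10.0.0.x net, and hits on it from eth0 are logged and denied. The addresses 192.0.2.10 (for x.x.x.x), 192.0.2.11 (for y.y.y.y) and 192.0.2.53 (a nameserver) are constructed placeholders; samba and quake ports are restricted to the other machine as an assumption, since the post does not say who needs them. By default the script only prints the ipchains commands; run it as root with --apply to load them.

```shell
#!/bin/sh
# Added example (not from the original post): an ipchains rule set built the way the
# replies recommend. Prints the commands unless invoked with --apply.

EXT_IF=eth0
LAN_IF=eth1
EXT_IP=${EXT_IP:-192.0.2.10}     # constructed placeholder for x.x.x.x (this host's eth0)
PEER_IP=${PEER_IP:-192.0.2.11}   # constructed placeholder for y.y.y.y (the other machine's eth0)
DNS_IP=${DNS_IP:-192.0.2.53}     # constructed placeholder for the nameserver we query
LAN=10.0.0.0/24                  # the local net from the post
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
DRY_RUN=${DRY_RUN:-1}

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ] || [ ! -x "$IPCHAINS" ]; then
        echo "$IPCHAINS $*"
    else
        "$IPCHAINS" "$@"
    fi
}

build_rules() {
    # 1. Flush, then set the default policy BEFORE adding anything: whatever is not
    #    matched by a later rule is dropped (the first reply's advice).
    run -F input
    run -F forward
    run -P input DENY
    run -P forward DENY

    # 2. Trusted interfaces: loopback, and the LAN side only for LAN addresses.
    run -A input -i lo -j ACCEPT
    run -A input -i $LAN_IF -s $LAN -j ACCEPT
    # Packets on eth0 claiming a LAN source are spoofed: log and drop.
    run -A input -i $EXT_IF -s $LAN -d 0/0 -j DENY -l

    # 3. Inbound services on eth0. Explicit source, no /32 on the host, -y so only the
    #    SYN that opens a connection is accepted here (replies are handled in step 4).
    for port in 20 21 22 25 80 113; do
        run -A input -i $EXT_IF -p tcp -s 0/0 -d $EXT_IP $port -y -j ACCEPT
    done
    # Samba (TCP 139, UDP 137:138) and quake (UDP) only from the other machine.
    run -A input -i $EXT_IF -p tcp -s $PEER_IP -d $EXT_IP 139 -y -j ACCEPT
    run -A input -i $EXT_IF -p udp -s $PEER_IP -d $EXT_IP 137:138 -j ACCEPT
    run -A input -i $EXT_IF -p udp -s $PEER_IP -d $EXT_IP 27500 -j ACCEPT
    run -A input -i $EXT_IF -p udp -s $PEER_IP -d $EXT_IP 28000 -j ACCEPT

    # 4. Return traffic for connections this host opened: TCP packets that are NOT a
    #    bare SYN, arriving at the client-side ports above 1024, plus DNS answers.
    run -A input -i $EXT_IF -p tcp ! -y -s 0/0 -d $EXT_IP 1024:65535 -j ACCEPT
    run -A input -i $EXT_IF -p udp -s $DNS_IP 53 -d $EXT_IP 1024:65535 -j ACCEPT

    # 5. ICMP: accept echo-reply (so our own pings get answered) and the error types
    #    needed for normal operation; accept echo-request only from the other machine.
    run -A input -i $EXT_IF -p icmp -s 0/0 echo-reply -d $EXT_IP -j ACCEPT
    run -A input -i $EXT_IF -p icmp -s 0/0 destination-unreachable -d $EXT_IP -j ACCEPT
    run -A input -i $EXT_IF -p icmp -s 0/0 time-exceeded -d $EXT_IP -j ACCEPT
    run -A input -i $EXT_IF -p icmp -s $PEER_IP echo-request -d $EXT_IP -j ACCEPT

    # 6. Portmap: the default policy already denies it on eth0 (step 2 lets the LAN in
    #    via eth1); log the outside attempts the post complains about, then deny.
    run -A input -i $EXT_IF -p udp -s 0/0 -d $EXT_IP 111 -j DENY -l
    run -A input -i $EXT_IF -p tcp -s 0/0 -d $EXT_IP 111 -j DENY -l

    # 7. Masquerade the LAN out through eth0.
    run -A forward -i $EXT_IF -s $LAN -d 0/0 -j MASQ
}

enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Count the rules the script would load (useful for a quick sanity check).
rule_count() {
    build_rules | grep -c -- "-A "
}

case "${1:-}" in
    --apply) DRY_RUN=0 ;;
esac
build_rules
enable_forwarding
```

Rule order matters here exactly as the first reply says: the policy is set before any ACCEPT, so a rule forgotten from the list results in a dropped packet rather than an open port, and the `! -y` rule in step 4 is what lets the web server's reply from its port 80 reach the client port (1031 in the reply above) without opening those ports to new connections.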
wqclatreAuthor Commented:
Well... the problem is related to the IP filter, because it works when I flush the chains and doesn't work otherwise (or it works, but not in /; I can do a ls /home but not a ls /).
(I have some more rules than those above.)
You can find a fine script for firewalling and masquerading
using ipchains at:

It addresses almost all of your questions (except the remote ping bit)
and seems quite customizable.

If you think that a firewall will prevent smurf, forget it. You'll receive all the packets, and this will only stop transmitting them back. But who cares, your incoming link is full.
wqclatreAuthor Commented:
Well... it was a long time ago that I asked this question, and I think I've solved all my problems already, but thanks.
wqclatreAuthor Commented:
You don't mean
ipchains -A input -p icmp|tcp|udp -s 0/0 -d x.x.x.x/32 -j ACCEPT|DENY ?
Nope, you need -I; this way you're inserting rules above the others, so if you do a global accept for a host and then put in a deny, the deny overrides the accept. If you did a -A you would accept the packet, because you're appending that deny rule to the bottom where it won't be examined.
Can someone please tell me how to redirect traffic from the outside to the inside. I have x.x.x.x on the outside and on the inside. I want to redirect x.x.x.4/xx to  Can someone help?

wqclatreAuthor Commented:

Use ipmasqadm:

/usr/sbin/ipmasqadm portfw -a -P tcp -L Q.X.Y.Z 8000 -R 80 -p 1

Forwards port 8000 on q.x.y.z to port 80 on

You can also use redir (or uredir for UDP) (search on freshmeat).