Solved

ipchains

Posted on 2001-07-24
5
370 Views
Last Modified: 2013-12-16
I've read a few books already about "ipchains" However, when I configure my firewall script using the examples in a few books (obviously substituting the author's info with my info), it never works. If I open up the firewall completely, it works and internet connection sharing is no problem. But when I try to lock down the system the way I see in the books, it never works. Does anyone have a good ipchains example that works with Redhat 6.x and on a box that utilizes DHCP from the ISP? Thanks mucho...

0
Comment
Question by:jackiethejokeman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 4

Expert Comment

by:garisoain
ID: 6315775
Hey there...

sure... What you need exactly?

what are you doing now?
what are you trying to do?

a good start is the Ipchains-HOWTO:
http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
=)
0
 
LVL 1

Accepted Solution

by:
fobzz earned 50 total points
ID: 6316211
IPCHAINS are easy to understand once you get the "jist" of commands you need for the script. Just remember this... there are only two chains: "input" and "output" chain. Now, you can accept, deny, or filter whatever packet enters, leaves, or passes through an IP address(s)/Network card(s). Check out this link for a really easy discription of what you should know about IPCHAINS: http://www.linuxplanet.com/linuxplanet/tutorials/2100/3/
It is a little easier to understand for most people.

Another thing I would recommend is upgrading to IPTABLES or upgrading to a newer distribution with IPTABLES. IPTABLES have much more functionality to it, yet similar configurations as IPCHAINS. If you are interested, please feel free to check out this link:
http://www.linuxnewbie.org/nhf/intel/security/iptables_basics.html
It has some additional links for more indepth information.

I hope I helped.........................................
0
 
LVL 4

Expert Comment

by:garisoain
ID: 6317410
Well, there aren't only 2 chains... by default there are 3: INPUT, OUTPUT, and FORWARD, and you can create all the chains you want to make your firewall as CUSTOM as possible, AND you can do more than 'Accept, Deny or Filter' (even when these are the 3 main choices).

I agree that IPTABLES is a better firewall implementation than IPCHAINS, but in order to use IPTABLES you need to upgrade your kernel to 2.4.x, and several other packages, unless you install a Distro that includes a 2.4.x kernel.

just to comment.

-garisoain
0
 
LVL 1

Expert Comment

by:fobzz
ID: 6319119
That is true...thanks for clarifying that, it was a little late when I posted that. I was just trying to explain to "jackiethejokeman" just the basics to build on. I forgot about the foward chain.
0
 
LVL 5

Expert Comment

by:paulqna
ID: 6319247
The way I use ipchains with my "dhcp provider" was to accept allow only connections to the local network (example 195.195.0.0) to be made:

like :

# Begin ipchains script
#
# Closing all interfaces
#
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
#
# Allow lo interface (REQUIRED!)
#
ipchains -A input -j ACCEPT -i lo
ipchains -A output -j ACCEPT -i lo
#
# Allow 10.10.10.0 subnet. (FULL ACCESS)
#
ipchains -A input -j ACCEPT -s 10.10.10.0/24 -d 10.10.10.0/24 -i eth0
ipchains -A output -j ACCEPT -s 10.10.10.0/24 -d 10.10.10.0/24 -i eth0
#
# Open http (FOR Example)
#
ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 80:80 \
-d 195.195.0.0/16 1024:5000 -i ppp0
ipchains -A output -j ACCEPT -p tcp -s 195.195.0.0/16 1024:5000 \
-d 0.0.0.0/0 80:80 -i ppp0
#
# End ipchains script

instead of using my ppp0 host ip.

Doing this your linux machine can only connect to ip adresses starting with 10.10.10 and browse to the rest of the world(network).
0

Featured Post

Why Off-Site Backups Are The Only Way To Go

You are probably backing up your data—but how and where? Ransomware is on the rise and there are variants that specifically target backups. Read on to discover why off-site is the way to go.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Network Interface Card (NIC) bonding, also known as link aggregation, NIC teaming and trunking, is an important concept to understand and implement in any environment where high availability is of concern. Using this feature, a server administrator …
Using 'screen' for session sharing, The Simple Edition Step 1: user starts session with command: screen Step 2: other user (logged in with same user account) connects with command: screen -x Done. Both users are connected to the same CLI sessio…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question