Red Hat NETSCAPE MANAGEMENT SYSTEM 6.2 - COMMAND-LINE Installation Guide Page 25

# request is blocked, ie we won't respond to someone else's pings,
# but can still ping out.
$IPCHAINS -A input -p icmp --icmp-type echo-reply \
    -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPCHAINS -A input -p icmp --icmp-type destination-unreachable \
    -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPCHAINS -A input -p icmp --icmp-type time-exceeded \
    -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
###################################################################
# Set the catchall, default rule to DENY, and log it all. All other
# traffic not allowed by the rules above winds up here, where it is
# blocked and logged. This is the default policy for this chain
# anyway, so we are just adding the logging ability here with '-l'.
# Outgoing traffic is allowed as the default policy for the 'output'
# chain. There are no restrictions on that.
$IPCHAINS -A input -l -j DENY
echo "Ipchains firewall is up `date`."
##-- eof ipchains.sh
To use the above script, it must be executable (i.e. chmod +x ipchains.sh) and must be run by
root, which builds the chains and hence the firewall.
To summarize, this example started by setting some shell variables in the top section, to be used
later in the script. Then we set the default rules (ipchains calls these "policies") of denying all inbound and
forwarded traffic, and of allowing all our own outbound traffic. We had to open some holes in the high,
unprivileged ports so that we could have return traffic from connections that bigcat initiates to outside
addresses. If we connect to someone's web server, for instance, we want that HTML data to be able to get back
to us. The same applies to other network traffic. We then allowed a few specific types of the ICMP
protocol (most are still blocked). We are also logging any inbound traffic that violates any of our rules so we
know who is doing what. Notice that we are only using IP addresses here, not hostnames of any kind. This is so
that our firewall works even in situations where there may be DNS failures, and also to prevent any kind of DNS
spoofing.
See the ipchains man page for a full explanation of syntax. The important options we used here are:
-A input: Adds a rule to the "input" chain. The default chains are input, output, and
forward.
-p udp: This rule applies only to the UDP protocol. The -p option can be used with the
tcp, udp or icmp protocols.
-i $WAN_IFACE: This rule applies to the specified interface only, and applies to
whatever chain is referenced (input, output, or forward).
-s <IP address> [port]: This rule only applies to the source address as specified. It
can optionally have a port (e.g. 22) immediately afterward, or a port range, e.g. 1023:4999.
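The behaviour the script relies on (rules appended with -A and tried in order, a '-l' rule logging the packet, and the chain's policy deciding whatever nothing matched) can be modelled in a few lines. This is an added example written for this page, not code from the HOWTO: the tcp rule for high-port return traffic is assumed because the page 24 rules are not shown here, $ANYWHERE is written as 0/0, and the interface name eth0 is a placeholder for $WAN_IFACE.

```python
from collections import namedtuple

# A packet as the input chain sees it; icmp_type is "" and the ports are 0 when not applicable.
Packet = namedtuple("Packet", "proto src dst iface icmp_type sport dport", defaults=("", 0, 0))

def _port_ok(spec, port):
    lo, _, hi = spec.partition(":")  # "22" or an ipchains range such as "1024:65535"
    return int(lo) <= port <= int(hi or lo)

class Chain:
    def __init__(self, policy):
        self.policy = policy             # default target for unmatched packets, e.g. "DENY"
        self.rules, self.log = [], []    # log stands in for the kernel log written by '-l'

    def add(self, spec):
        """Parse one rule written in ipchains option syntax into a dict of match keys."""
        toks, rule, i = spec.split(), {}, 0
        while i < len(toks):
            t = toks[i]
            if t == "-l":                              # flag that takes no argument
                rule["-l"], i = True, i + 1
            else:                                      # -A -p --icmp-type -i -j -s -d take one value
                rule[t], i = toks[i + 1], i + 2
                if t in ("-s", "-d") and i < len(toks) and not toks[i].startswith("-"):
                    rule[t + "port"], i = toks[i], i + 1   # optional port or range after the address
        self.rules.append(rule)

    def _matches(self, r, p):
        fields = {"-p": p.proto, "--icmp-type": p.icmp_type, "-i": p.iface, "-s": p.src, "-d": p.dst}
        ok = all(r.get(k, v) in ("0/0", v) for k, v in fields.items())  # "0/0" stands for $ANYWHERE
        return ok and all(k not in r or _port_ok(r[k], v) for k, v in {"-sport": p.sport, "-dport": p.dport}.items())

    def verdict(self, p):
        """First matching rule decides; a '-l' rule logs the packet; no match falls to the policy."""
        for r in self.rules:
            if self._matches(r, p):
                if r.get("-l"):
                    self.log.append(f"{r.get('-j', 'LOG')} {p.proto} {p.src}->{p.dst} {p.icmp_type or p.dport}")
                if "-j" in r:
                    return r["-j"]
        return self.policy

def build_input_chain(wan="eth0"):
    """The visible part of the HOWTO's input chain plus one assumed high-port rule for return traffic."""
    c = Chain("DENY")
    c.add(f"-A input -p tcp -s 0/0 -d 0/0 1024:65535 -i {wan} -j ACCEPT")  # assumed; page 24 not shown
    for t in ("echo-reply", "destination-unreachable", "time-exceeded"):
        c.add(f"-A input -p icmp --icmp-type {t} -s 0/0 -i {wan} -j ACCEPT")
    c.add("-A input -l -j DENY")  # catchall: log the packet, then deny it
    return c
```

Feeding an inbound echo-request and an inbound connection attempt to port 22 through `build_input_chain().verdict(...)` shows both falling through to the logged DENY, while an echo-reply or a reply to a high port is accepted by an earlier rule and never logged.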
Security Quick−Start HOWTO for Red Hat Linux
5.2.1. ipchains 22