TCLUG Archive
ipchains script
Here is my ipchains script. It allows smtp and web from anywhere, telnet
and ftp from trusted hosts, and ssh from anywhere, but #ed out.
To connect to an ssh server via ssh (version 1) you need port 1023 open.
Anyone know anything about port numbers above 1024? Which ones can I block,
and which ones can't I? netstat -an | grep LISTEN shows only port 5680
being listened to that is above 1022. Anyway, hopefully this script will
give people a useful start when writing their ipchains filtering rules.
If you have any suggestions, etc., please send 'em my way.
Ben Luey
lueyb@carleton.edu
ICQ: 19144397
"I'd a helluva lot rather have them talking about this than the fact we
are the party of the rich and that prices are high. This story is not helpful
but, to the average guy, whether the Republicans bugged the Democrats doesn't
mean a goddamned thing. It means something to intellectuals. It means something
to people who are concerned about repression and credibility and all that
bullshit. But the average guy is chewing his pretzel."
-- Richard Nixon about Watergate.
#!/bin/sh
# Packet filter for a single host on eth0 (ipchains, Linux 2.2).
IFACE=eth0
ALL=0.0.0.0/0
YOURNET=137.22.96.160
# NOTE: a 255.255.0.0 mask on 137.22.96.0 makes "trusted" effectively
# 137.22.0.0/16, not just 137.22.96.0/24; use 255.255.255.0 if only the /24 is meant.
TRUST=137.22.96.0/255.255.0.0
# Clear all old rules in ipchains
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
# Anti-spoofing: no packets claiming to come from private (RFC 1918), loopback
# or our own address may arrive on the internet device
/sbin/ipchains -A input -p all -j DENY -s 10.0.0.0/8 -i $IFACE -d $ALL
/sbin/ipchains -A input -p all -j DENY -s 127.0.0.0/8 -i $IFACE -d $ALL
/sbin/ipchains -A input -p all -j DENY -s 192.168.0.0/16 -i $IFACE -d $ALL
# 172.16.0.0/12 covers 172.16.0.0 - 172.31.255.255 (a /16 here only covers 172.16.x.x)
/sbin/ipchains -A input -p all -j DENY -s 172.16.0.0/12 -i $IFACE -d $ALL
/sbin/ipchains -A input -p all -j DENY -s $YOURNET -i $IFACE -d $ALL
# This host does not route: refuse to forward anything
/sbin/ipchains -P forward DENY
# Allowed services (order matters: these ACCEPTs must come before the blanket DENY)
/sbin/ipchains -A input -p tcp -j ACCEPT -s $ALL -i $IFACE -d $YOURNET 25        # smtp from anywhere
/sbin/ipchains -A input -p tcp -j ACCEPT -s $ALL -i $IFACE -d $YOURNET 80        # http from anywhere
/sbin/ipchains -A input -p tcp -j ACCEPT -s $TRUST -i $IFACE -d $YOURNET 20:21   # ftp, trusted hosts only
/sbin/ipchains -A input -p tcp -j ACCEPT -s $TRUST -i $IFACE -d $YOURNET 23      # telnet, trusted hosts only
#/sbin/ipchains -A input -p tcp -j ACCEPT -s $ALL -i $IFACE -d $YOURNET 22       # ssh from anywhere (disabled)
# Deny everything else on the privileged ports. Ports 1023 and up are left open:
# 1023 for ssh (version 1) as noted above, and the rest because replies to our
# own outgoing connections land there (ipchains has no connection tracking).
/sbin/ipchains -A input -p tcp -j DENY -s $ALL -i $IFACE -d $ALL 1:1022
/sbin/ipchains -A input -p udp -j DENY -s $ALL -i $IFACE -d $ALL 1:1022
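The question above is which listening ports the rules leave reachable. The following is an added example, not part of the original post or its script: a small POSIX sh audit that takes `netstat -an | grep LISTEN` style output and classifies each listening socket against the posted rule set (ACCEPT from anywhere on 25 and 80, ACCEPT from trusted hosts on 20, 21 and 23, blanket DENY on 1:1022, nothing above 1022). The netstat lines are constructed sample data, not output from the author's machine; the port lists are copied from the script. It also flags sockets bound to 127.0.0.1, which never arrive on eth0 and so need no rule at all.

```shell
#!/bin/sh
# Added example (not the original poster's code): audit which LISTEN sockets
# the posted ipchains rules leave reachable from the internet device.
# Port lists mirror the posted script; the netstat sample below is constructed.

ACCEPT_ANY="25 80"        # ACCEPT from $ALL
ACCEPT_TRUST="20 21 23"   # ACCEPT from $TRUST only
DENY_LO=1                 # blanket DENY range for tcp and udp
DENY_HI=1022

# Constructed sample in the shape of `netstat -an | grep LISTEN`
SAMPLE='tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5680          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN'

# in_list PORT "LIST": succeed if PORT is one of the words in LIST
in_list() {
  for p in $2; do [ "$p" = "$1" ] && return 0; done
  return 1
}

# classify_port ADDR PORT: one word describing reachability from outside
classify_port() {
  addr=$1; port=$2
  case $addr in
    127.*) echo "loopback-only"; return ;;   # never arrives on eth0
  esac
  if in_list "$port" "$ACCEPT_ANY"; then echo "open-to-all"
  elif in_list "$port" "$ACCEPT_TRUST"; then echo "open-to-trusted"
  elif [ "$port" -ge "$DENY_LO" ] && [ "$port" -le "$DENY_HI" ]; then echo "denied"
  else echo "unfiltered"   # above 1022: no rule matches, so anyone can reach it
  fi
}

# audit NETSTAT_TEXT: print "proto addr port class" for every LISTEN line
audit() {
  printf '%s\n' "$1" |
  awk '$NF == "LISTEN" { n = split($4, a, ":"); print $1, a[1], a[n] }' |
  while read proto addr port; do
    echo "$proto $addr $port $(classify_port "$addr" "$port")"
  done
}

# unfiltered_ports NETSTAT_TEXT: space-separated list of ports no rule covers
unfiltered_ports() {
  audit "$1" | awk '$4 == "unfiltered" { print $3 }' | tr '\n' ' ' | sed 's/ $//'
}

audit "$SAMPLE"
```

Run it with real input as `audit "$(netstat -an | grep LISTEN)"`; any port reported as unfiltered needs either its own DENY rule or a default-deny input policy with explicit ACCEPTs for the high ports you actually use.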