[cobalt-security] Ipchains rule set
- Subject: [cobalt-security] Ipchains rule set
- From: "Robbert Hamburg \(HaVa Web- & Procesdesign\)" <user@xxxxxxx>
- Date: Fri, 11 Apr 2003 22:01:49 +0200
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hello All,
Playing around with ipchains (thanks for the pkg bruce !! ;-)) now. And I
am wondering if someone who has a successful rule set configured is willing
to share it.
Any tips, pointers and hints are welcome also.
I have some, but I wonder if I am complete.
Offlist is also very welcome.
Thanks, Robbert
This is what I have now.
# TCP
# serve ftp for passive clients _ONLY_
ipchains -A input -i eth0 -p tcp --destination-port 21 --syn -j ACCEPT -l
# serve ssh - 22
ipchains -A input -i eth0 -p tcp --destination-port 22 --syn -j ACCEPT -l
# serve smtp - 25
ipchains -A input -i eth0 -p tcp --destination-port 25 --syn -j ACCEPT
# serve http - 80
ipchains -A input -i eth0 -p tcp --destination-port 80 --syn -j ACCEPT
# serve https admin - 81
ipchains -A input -i eth0 -p tcp --destination-port 81 --syn -j ACCEPT -l
# serve https - 443
ipchains -A input -i eth0 -p tcp --destination-port 443 --syn -j ACCEPT
# serve pop3 - 110
ipchains -A input -i eth0 -p tcp --destination-port 110 --syn -j ACCEPT
# disallow SYN on all else
ipchains -A input -i eth0 -p tcp --syn -j DENY -l
# allow existing TCP sessions to continue
ipchains -A input -i eth0 -p tcp -j ACCEPT
# UDP
# DNS response
ipchains -A input -i eth0 -p udp --source ns1.domain.com 53 -j ACCEPT
ipchains -A input -i eth0 -p udp --source ns2.domain.com 53 -j ACCEPT
# ICMP allowed
ipchains -A input -i eth0 -p icmp -j ACCEPT
# disallow all else
ipchains -A input -i eth0 -j DENY -l
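As an added example (not Robbert's rule set, nor anything shipped with the Cobalt package), the script below generates the same input chain with the housekeeping the posted list leaves out: flushing the chain, a default DENY policy, a loopback accept, and anti-spoofing denies for private, loopback and the server's own address arriving on eth0. The interface name, public address and name-server addresses are placeholders; the script prints the ipchains commands rather than executing them, so they can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Added example: emit a complete ipchains input ruleset around the services
# in the post. Placeholders below are constructed; replace them before use.
IFACE="eth0"
PUBLIC_IP="192.0.2.10"       # placeholder for the server's own address
NS1="192.0.2.53"             # placeholder for ns1.domain.com
NS2="198.51.100.53"          # placeholder for ns2.domain.com
TCP_SERVICES="21 22 25 80 81 110 443"
LOGGED_SERVICES="21 22 81"   # ports the post logs on accept (-l)

# Print one ipchains command instead of running it.
rule() { printf 'ipchains %s\n' "$*"; }

gen_rules() {
    rule -F input                      # start from an empty chain
    rule -P input DENY                 # default policy: deny what no rule accepts
    rule -A input -i lo -j ACCEPT      # local processes talk over loopback
    # Anti-spoofing: packets on the public interface must not claim a
    # private, loopback, or our own address as their source.
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 "$PUBLIC_IP/32"; do
        rule -A input -i "$IFACE" -s "$net" -j DENY -l
    done
    # Served TCP ports: accept the SYN, logging only the administrative ones.
    for port in $TCP_SERVICES; do
        log=""
        case " $LOGGED_SERVICES " in *" $port "*) log="-l" ;; esac
        rule -A input -i "$IFACE" -p tcp --destination-port "$port" --syn -j ACCEPT $log
    done
    rule -A input -i "$IFACE" -p tcp --syn -j DENY -l   # any other new connection, logged
    rule -A input -i "$IFACE" -p tcp -j ACCEPT          # non-SYN: replies to sessions we opened
    # UDP: only DNS replies from our own resolvers.
    for ns in "$NS1" "$NS2"; do
        rule -A input -i "$IFACE" -p udp -s "$ns" 53 -j ACCEPT
    done
    rule -A input -i "$IFACE" -p icmp -j ACCEPT
    rule -A input -i "$IFACE" -j DENY -l                # everything else, logged
}

gen_rules
```

Rules are evaluated in order, so the loopback accept and the spoof denies must stay ahead of the service accepts.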