I'm having a problem with ipchains. I wrote a simple script to apply my required rules in testing and allow me to build on it. I set up rules to allow incoming ftp, ssh, epl (my own server for testing), www (http), time, finger, and telnet. eth1 is the internet. eth0 is my internel network. What I would like to do is allow all packets from eth0, and allow only ftp, ssh, www, epl, time, telnet, and finger from the internet (eth1). Here is my rules script:

# !/bin/sh
ipchains -F
ipchains -P input DENY
ipchains -A input -p tcp -i ! eth1 -j ACCEPT
ipchains -A input -p tcp -d 0/0 ftp -j ACCEPT
ipchains -A input -p tcp -d 0/0 20 -j ACCEPT
ipchains -A input -p tcp -d 0/0 ssh -j ACCEPT
ipchains -A input -p tcp -d 0/0 www -j ACCEPT
ipchains -A input -p tcp -d 0/0 epl -j ACCEPT
ipchains -A input -p tcp -d 0/0 time -j ACCEPT
ipchains -A input -p tcp -d 0/0 telnet -j ACCEPT
ipchains -A input -p tcp -d 0/0 finger -j ACCEPT
ipchains -A input -f -j ACCEPT

Sometimes, all interfaces are totally open, other times they are totally closed. ipchains was installed with redhat 7.2 when i got it. Thanks, Eric S.

iim gunna write it from scratch kk

if your doing this remotely...

ipchains -F
ipchains -P INPUT -j ACCEPT
ipchains -P FORWARD -j ACCEPT
ipchains -P OUTPUT -j ACCEPT

ipchains -A INPUT -m state --state INVALID -j DROP
ipchains -A FORWARD -m state --state INVALID -j DROP
ipchains -A OUTPUT -m state --state INVALID -j DROP

ipchains -A INPUT -i eth1 -p tcp --multiport --dport 20,21,22,80,epl,time,telnet,finger -j ACCEPT
ipchains -A INPUT -i eth0 -j ACCEPT
ipchains -A INPUT -j DROP

ipchains -A FORWARD -i eth0 -o eth1 -j ACCEPT
ipchains -A FORWARD -i eth1 -o eth0 -j ACCEPT
ipchains -A FORWARD -j DROP

ipchains -t nat -A POSTROUTING -o eth0 -j MASQUERADE

That doesn't work either. Here is the output:
ipchains: -P requires a chain and a policy
Try `ipchains -h' or 'ipchains --help' for more information.
ipchains: Bad value `state' for -m.

Try `ipchains -h' or 'ipchains --help' for more information.
ipchains: Bad value `state' for -m.

Try `ipchains -h' or 'ipchains --help' for more information.
ipchains: Bad value `state' for -m.

Try `ipchains -h' or 'ipchains --help' for more information.
ipchains: unrecognized option `--multiport'
Try `ipchains -h' or 'ipchains --help' for more information.
ipchains: No target by that name
ipchains: No target by that name
ipchains: -o argument must be 0-65535, not `eth1'
Try `ipchains -h' or 'ipchains --help' for more information.
ipchains: -o argument must be 0-65535, not `eth0'
Try `ipchains -h' or 'ipchains --help' for more information.
ipchains: No target by that name
ipchains: -t requires 2 hexbyte arguments
Try `ipchains -h' or 'ipchains --help' for more information.

I have ipchains 1.3.10, 1-Sep-2000.

heh chains is too old for me, i been on iptables, sorry..

um, if its no consequence format and install rh9?

sorry1 The hardware's too old Just be glad I'm not running 6.x!

well how old is your damn kernel? lol

update the kernel, get some iptables working

I guess it's time to read the 'ol TLDP Ipchains HOWTO.

I got 2.4.7-10. And I did read the howto. The commands just didn't work right.

If yo have 2.4 just recompile and get iptables working - a lot more to work with, IMO

I got iptables working. However, it has the same problem. It cannot access the internet with DROP in place, except if I say to accept all RELATED and ESTABLISHED connections. Then it won't stealth any ports.

Even if I tell it specifically to drop the port, it still accepts connections.

iptables -P INPUT -j ACCEPT
iptables -P FORWARD -j ACCEPT
iptables -P OUTPUT -j ACCEPT

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

iptables -A INPUT -i eth1 -p tcp --multiport --dport 20,21,22,80,epl,time,telnet,finger -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -j DROP

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -j DROP

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -P INPUT DROP
iptables -P FORWARD DROP

where eth0 is your internet nic, and eth1 is your lan interface...