LinuxQuestions.org


dan5009 08-19-2003 10:17 AM

how to drop all packets to one host with the default rule of accept
 
I am trying to restrict all access to one host behind my firewall and then open only web services. Our setup is we accept all packets and then deny what we do not want. Listed below is what I've written, which does not work:

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --syn \
--dport $UNPRIV_PORTS -j DROP

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp --syn \
--sport $UNPRIV_PORTS \
-s $APERIO -j DROP

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --syn \
--dport $PRIV_PORTS \
-d $APERIO -j DROP

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp --syn \
--sport $PRIV_PORTS \
-s $APERIO -j DROP

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--sport $UNPRIV_PORTS \
-d $APERIO --dport 80 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE \
-p tcp ! --syn -s $APERIO --sport 80 \
--dport $UNPRIV_PORTS -j ACCEPT

Thanks

unSpawn 08-20-2003 05:55 PM

Except that ipchains doesn't use DROP but DENY, try activating rule logging (-l) and see what gets denied. It's the best way to learn troubleshooting firewall problems yourself.
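An added example (not posted by anyone in this thread) of a rule set for the situation described above: a default-ACCEPT firewall, one host that should only answer HTTP, DENY instead of DROP, and -l logging on the deny rules. It keeps the variable names from the question and assumes eth0, a constructed placeholder address for $APERIO, and 1024:65535 for $UNPRIV_PORTS; it prints the ipchains commands instead of running them so the rule order can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread. Values below are assumptions:
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
APERIO="${APERIO:-192.0.2.10}"          # constructed placeholder address
UNPRIV_PORTS="${UNPRIV_PORTS:-1024:65535}"

# Print the rules rather than applying them; pipe the output to sh to apply.
ipchains_rules() {
    # ipchains stops at the first matching rule, so the HTTP allow rule
    # must be appended before the catch-all deny for the same host.
    echo "ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --sport $UNPRIV_PORTS -d $APERIO --dport 80 -j ACCEPT"

    # ipchains has no DROP target: DENY discards silently, REJECT sends an
    # ICMP error. -l logs every matching packet to the kernel log, which is
    # what you read when a connection you expected to work is refused.
    # Like the rules in the question, this only covers TCP connection
    # attempts (--syn); UDP and ICMP still fall through to the ACCEPT policy.
    echo "ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --syn -d $APERIO -j DENY -l"
    echo "ipchains -A output -i $EXTERNAL_INTERFACE -p tcp --syn -s $APERIO -j DENY -l"
}

ipchains_rules
```

Once the rules are applied, denied attempts show up in the kernel log (dmesg or /var/log/messages), which is the logging unSpawn refers to.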
