how to drop all packets to one host with the default rule of accept
I am trying to restrict all access to one host behind my firewall and then open only web services. Our setup is that we accept all packets and then deny what we do not want. Listed below is what I've written, which does not work:
# Deny new (SYN) connections from outside to unprivileged ports
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --syn \
    --dport $UNPRIV_PORTS -j DROP
# Deny new connections from $APERIO out of unprivileged ports
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp --syn \
    --sport $UNPRIV_PORTS \
    -s $APERIO -j DROP
# Deny new connections from outside to $APERIO's privileged ports
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --syn \
    --dport $PRIV_PORTS \
    -d $APERIO -j DROP
# Deny new connections from $APERIO out of privileged ports
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp --syn \
    --sport $PRIV_PORTS \
    -s $APERIO -j DROP
# Allow inbound HTTP to $APERIO, and its (non-SYN) replies back out
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    --sport $UNPRIV_PORTS \
    -d $APERIO --dport 80 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE \
    -p tcp ! --syn -s $APERIO --sport 80 \
    --dport $UNPRIV_PORTS -j ACCEPT

Thanks
Except that ipchains doesn't use DROP but DENY; try activating rule logging (-l) and see what gets denied. It's the best way to learn troubleshooting firewall problems yourself.
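The rule set from the question, reworked along the lines of that reply, as an added example that is not code from either poster: every deny uses ipchains' actual DENY target and logs with -l, and it also goes one step further than the reply by putting the port-80 ACCEPT ahead of the denies, because ipchains acts on the first matching rule that has a -j target, so a deny on the privileged port range listed first would eat the HTTP SYN before the accept rule is ever reached. The interface name, the host address (a TEST-NET-1 placeholder) and the port ranges are constructed values, and the run/DRY_RUN wrapper and check_rules are assumptions of this example, added so the rule set can be reviewed on a box without ipchains or root.

```shell
#!/bin/sh
# Added example, not code from the thread: the poster's rules rewritten with
# ipchains' real deny target (DENY), kernel logging (-l) on every deny rule,
# and the port-80 ACCEPT placed before the denies, because ipchains stops at
# the first rule that matches and carries a -j target.
# Interface, host and port-range values below are constructed placeholders.

EXTERNAL_INTERFACE=eth0
APERIO=192.0.2.10        # the one host to lock down (TEST-NET-1 address)
PRIV_PORTS=0:1023
UNPRIV_PORTS=1024:65535

# With DRY_RUN set, print each command instead of executing it, so the rule
# set can be reviewed on a machine that has no ipchains (and no root).
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

aperio_rules() {
    # 1. Accept new HTTP connections to APERIO, and APERIO's HTTP replies out.
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp \
        --sport "$UNPRIV_PORTS" -d "$APERIO" --dport 80 -j ACCEPT
    run ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
        -s "$APERIO" --sport 80 --dport "$UNPRIV_PORTS" -j ACCEPT

    # 2. Deny, and log, every other new TCP connection to or from APERIO.
    #    Matching --syn only leaves established flows alone; -l makes the
    #    kernel log each denied packet (dmesg, /var/log/messages), which is
    #    how you find out which rule is eating a packet you expected through.
    #    Every deny names APERIO, so the accept-by-default policy still
    #    applies to the rest of the network.
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp --syn \
        -d "$APERIO" --dport "$PRIV_PORTS" -l -j DENY
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp --syn \
        -d "$APERIO" --dport "$UNPRIV_PORTS" -l -j DENY
    run ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp --syn \
        -s "$APERIO" --sport "$PRIV_PORTS" -l -j DENY
    run ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp --syn \
        -s "$APERIO" --sport "$UNPRIV_PORTS" -l -j DENY
}

# The rule set as it would be applied, one ipchains command per line.
dry_rules() {
    (DRY_RUN=1; aperio_rules)
}

# Review the generated rule set before touching the live firewall:
# no DROP target anywhere, every DENY rule logs, and the port-80 ACCEPT
# comes before the first DENY. Returns 0 when all three hold.
check_rules() {
    rules=$(dry_rules)
    echo "$rules" | grep -q -- '-j DROP' && return 1
    echo "$rules" | grep -- '-j DENY' | grep -qv -- ' -l -j DENY' && return 1
    first_accept=$(echo "$rules" | grep -n -- '--dport 80 -j ACCEPT' | head -n 1 | cut -d: -f1)
    first_deny=$(echo "$rules" | grep -n -- '-j DENY' | head -n 1 | cut -d: -f1)
    [ -n "$first_accept" ] && [ -n "$first_deny" ] && [ "$first_accept" -lt "$first_deny" ]
}

# Apply for real only when explicitly asked:  sh this_script.sh apply
if [ "$1" = "apply" ]; then
    check_rules || { echo "rule set failed review, not applying" >&2; exit 1; }
    aperio_rules
fi
```

Run it without arguments (or call dry_rules) to see the six commands that would be issued, then make the failing request and read the kernel log: each denied SYN shows up with the rule that matched it. Note the scope of what this protects: only TCP connection attempts are matched, so UDP and ICMP to the host still pass under the accept-by-default policy, and anything that should be closed there needs its own deny rules.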