Sample collections of ipchains rules?

Post by Sundial Service » Thu, 20 Jun 2002 00:30:44
One problem with ipchains is that ... it provides security if you know how
to set it up, and false-security if you don't.  And lots of people like
myself admit that they don't.

Surely someone out there has a collection of sample ipchains scripts, with
explanations?

Post by Davi » Thu, 20 Jun 2002 02:22:47

> One problem with ipchains is that ... it provides security if you know how
> to set it up, and false-security if you don't.  And lots of people like
> myself admit that they don't.

> Surely someone out there has a collection of sample ipchains scripts, with
> explanations?

These 2 links should help.

http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-...
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-...

--
   Confucius:  He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org

Post by Ross » Thu, 20 Jun 2002 05:22:03

> One problem with ipchains is that ... it provides security if you know how
> to set it up, and false-security if you don't.  And lots of people like
> myself admit that they don't.

A recommendation.  Upgrade your kernel to one that supports iptables.  It's
better than ipchains.  You'll still have a tough learning curve, but at
least you won't be learning something that is now obsolete.

I also admit that I don't know it well enough to do anything important.  
Fortunately, my router has firewall capabilities and handles most of the
things I would do with iptables/ipchains.

--
Rossz Vámos-Wentworth
rossz+news AT vamos-wentworth DOT org

Post by Tim Hayne » Thu, 20 Jun 2002 06:36:58

> > One problem with ipchains is that ... it provides security if you know
> > how to set it up, and false-security if you don't. And lots of people
> > like myself admit that they don't.

> A recommendation. Upgrade your kernel to one that supports iptables. It's
> better than ipchains. You'll still have a tough learning curve, but at
> least you won't be learning something that is now obsolete.

Yes, on balance that's the right way to go. However, I know that learning
ipchains first kinda helped me, at least - now I know a SYN from an
eggwhisk, I'm able to analyse how well iptables is performing just like I
did ipchains of old...

I've got a couple of sample scripts I use as a starting point for both
ip{chains,tables} online - see

<http://www.veryComputer.com/>
<http://www.veryComputer.com/>

but note the important things:

a) both firewalls have a definite structure - see the *comments*. ("First
set the policies, handle obvious spoof things, handle continuations,
process packets destined for any visible services we run, ...")

b) in ipchains, you analyse the firewall strength by how well it handles
packets in all of TCP, UDP and ICMP protocols separately, for the above
categories of packet. E.g. if there's a packet that could get through that
shouldn't, you've made a boo-boo. If there's something that's blocked that
shouldn't be, you've also got a slight*-up on your paws but it's
probably less serious.

c) note how iptables preserves the same layout, in macroscopic terms, but
the syntax changes, everything becomes more modular[0], and the stateful
filtering accomplishes more than you could ever approximate with ipchains.

[0] `-p tcp' is a *module invocation*, no less so than any other; you've
got to load modules *before* you can use them, be that `-p tcp --dport FOO'
or `-m state --state INVALID'.

~Tim
--

           shrinking world                  |http://www.veryComputer.com/
In a distant starlit night                  |
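
The skeleton Tim describes (policies, obvious spoofs, continuations, visible services) written out side by side for ipchains and iptables, as an added example for this reply and not one of Tim's own scripts; the outside interface, LAN range and service ports are assumptions, and DRY_RUN prints the rules rather than applying them so the two layouts can be compared without root.

```sh
#!/bin/sh
# Added example, not a script from the thread: one firewall skeleton written
# twice (policies, anti-spoof, continuations, visible services, logged deny).
# DRY_RUN=1 (the default) prints rules instead of applying them: no root needed.
: "${DRY_RUN:=1}"
EXT_IF=eth0              # assumed outside interface
LAN_NET=192.168.1.0/24   # constructed private range behind the box
SERVICES="22 80"         # assumed visible services (ssh, http)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

ipchains_rules() {
  # 1. policies: deny inbound and forwarded traffic unless a rule allows it
  run ipchains -F
  run ipchains -P input DENY
  run ipchains -P output ACCEPT
  run ipchains -P forward DENY
  # 2. obvious spoofs: our own LAN range arriving on the outside interface
  run ipchains -A input -i "$EXT_IF" -s "$LAN_NET" -l -j DENY
  run ipchains -A input -i lo -j ACCEPT
  # 3. continuations: no state, so "TCP without SYN" stands in for replies,
  #    and UDP/ICMP replies need explicit per-protocol rules (ICMP shown)
  run ipchains -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
  run ipchains -A input -i "$EXT_IF" -p icmp --icmp-type echo-reply -j ACCEPT
  # 4. visible services: only connection openers (SYN) to the listed ports
  for port in $SERVICES; do
    run ipchains -A input -i "$EXT_IF" -p tcp --dport "$port" -y -j ACCEPT
  done
  # 5. anything else from outside: log it (-l), then deny it
  run ipchains -A input -i "$EXT_IF" -l -j DENY
}

iptables_rules() {
  # modules first: -p tcp, -m state and -j LOG are all module invocations
  for m in ip_tables ip_conntrack ipt_state ipt_LOG; do run modprobe "$m"; done
  run iptables -F
  run iptables -P INPUT DROP
  run iptables -P OUTPUT ACCEPT
  run iptables -P FORWARD DROP
  run iptables -A INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP
  run iptables -A INPUT -i lo -j ACCEPT
  # continuations: conntrack covers TCP, UDP and ICMP replies in one rule;
  # INVALID drops what the ipchains '! -y' approximation could never see
  run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -m state --state INVALID -j DROP
  for port in $SERVICES; do
    run iptables -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done
  run iptables -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -j ACCEPT
  run iptables -A INPUT -i "$EXT_IF" -j LOG --log-prefix "drop: "
}
```

Run `DRY_RUN=1 sh -c '. ./fw.sh; ipchains_rules; iptables_rules'` to print both rule sets; note that the ipchains version needs a separate rule per protocol for replies, while the iptables one gets them all from a single state rule.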

Converting ipchains rules to iptables rules?

Is there any convenient script available to convert ipchains rules
to iptables rules?

I am migrating my lab server (that runs linux 2.2.19/ipchains) to a
new server that runs linux 2.4.7.  The old server has a list of
ipchains rules that have worked quite well, and I would like the
new server to have these rules as well.  I realize I can use the
2.4.7 ipchains module and the old rules, but I would rather convert
to iptables, even if the conversion will be initially painful.

Thanks!
Ashok