Help with firewall rules


Post by Warren Bel » Fri, 15 Jun 2001 05:39:15



I have a firewall script I've been using for a while and need someone to
look it over.  I think it's pretty secure but I just want to check to be
sure.

I have a home network with the Linux machine as the one connected to the
net and masquerading the traffic for three other machines in the house.
What I want to make sure of is that it allows all traffic from these
other machines to use the internet but _does not_ allow anyone from
outside to connect to any of the internal machines.  The only machine
people from the net should be able to contact is the main machine
running the firewall.  Is that what this ruleset does, and/or is this
possible?

Here's the relevant part of the firewall:

EXTERNAL_INTERFACE="ppp0"           # Internet connected interface
LOOPBACK_INTERFACE="lo"             # or your local naming convention
LAN_INTERFACE_1="eth0"              # internal LAN interface
LAN_1="192.168.0.0/24"              # whatever (private) range you use

# set default rule to DENY everything and then let only certain
# packets through
/sbin/ipchains -P input DENY

# allow all output
/sbin/ipchains -A output -i $EXTERNAL_INTERFACE -j ACCEPT

# Disallow Fragmented Packets
/sbin/ipchains -A input -f -i $EXTERNAL_INTERFACE -j DENY -l

# --------------------------------------------------------------------
# LOOPBACK

# Unlimited traffic on the loopback interface
/sbin/ipchains -A input  -i $LOOPBACK_INTERFACE -j ACCEPT
/sbin/ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

# --------------------------------------------------------------------
# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.

/sbin/ipchains -A input  -i $LAN_INTERFACE_1 -s $LAN_1 -j ACCEPT
/sbin/ipchains -A output -i $LAN_INTERFACE_1 -d $LAN_1 -j ACCEPT

# --------------------------------------------------------------------
# Masquerade internal traffic.
# All internal traffic is masqueraded externally.

# Set masquerade timeout
# commented out for the new kernel
#/sbin/ipchains -M -S 7200 10 160

/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i $EXTERNAL_INTERFACE -s $LAN_1 -j MASQ

... specific ALLOW and DENY rules
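As an added example (not part of the original post or its script), a small Python model of the chains shown above, with ipchains semantics: rules are tried in order, first match decides, otherwise the chain policy applies. It assumes the output chain keeps the ipchains default policy of ACCEPT (the script never sets one) and does not model the elided "specific ALLOW and DENY rules", so packets from the net to the firewall itself fall to the input policy; the host addresses in the scenarios are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the posted chains: first matching rule decides,
# otherwise the chain policy applies. The elided "specific ALLOW and DENY
# rules" are not modelled (assumption), so they are not reflected here.
LAN_1 = ip_network("192.168.0.0/24")

def rule(iface=None, src=None, dst=None, frag=None, target="ACCEPT"):
    # None means "any" for that field, like an omitted ipchains option
    return {"iface": iface, "src": src, "dst": dst, "frag": frag, "target": target}

CHAINS = {
    # -P input DENY; -f on ppp0 -> DENY; lo -> ACCEPT; eth0 from LAN -> ACCEPT
    "input": ([rule("ppp0", frag=True, target="DENY"),
               rule("lo"),
               rule("eth0", src=LAN_1)], "DENY"),
    # -P forward DENY; only LAN sources leaving via ppp0 are masqueraded
    "forward": ([rule("ppp0", src=LAN_1, target="MASQ")], "DENY"),
    # no output policy is set in the script, so ipchains' default ACCEPT is assumed
    "output": ([rule("ppp0"), rule("lo"), rule("eth0", dst=LAN_1)], "ACCEPT"),
}

def matches(r, pkt):
    return ((r["iface"] is None or r["iface"] == pkt["iface"])
            and (r["src"] is None or ip_address(pkt["src"]) in r["src"])
            and (r["dst"] is None or ip_address(pkt["dst"]) in r["dst"])
            and (r["frag"] is None or r["frag"] == pkt.get("frag", False)))

def verdict(chain, pkt):
    # pkt["iface"]: receiving interface for input, sending one for forward/output
    rules, policy = CHAINS[chain]
    for r in rules:
        if matches(r, pkt):
            return r["target"]
    return policy

def evaluate_scenarios():
    # constructed addresses: an internal host, the firewall's LAN and ppp0
    # addresses, and an outside host
    lan_host, fw_lan = "192.168.0.5", "192.168.0.1"
    fw_ppp, outside = "203.0.113.9", "198.51.100.20"
    return {
        # LAN host using the internet: accepted on eth0, masqueraded out ppp0
        "lan_to_net_input": verdict("input", dict(iface="eth0", src=lan_host, dst=outside)),
        "lan_to_net_forward": verdict("forward", dict(iface="ppp0", src=lan_host, dst=outside)),
        # outside host addressing an internal machine: nothing matches, input policy DENY
        "net_to_lan_input": verdict("input", dict(iface="ppp0", src=outside, dst=lan_host)),
        # a LAN source address arriving on ppp0 does not match the eth0-bound rule
        "spoofed_lan_src": verdict("input", dict(iface="ppp0", src=lan_host, dst=fw_lan)),
        # fragments from outside are dropped (and logged) by the -f rule
        "fragment": verdict("input", dict(iface="ppp0", src=outside, dst=fw_ppp, frag=True)),
    }
```

The model shows the answer to the question above: the forward chain only ever masquerades LAN-sourced traffic, and inbound packets on ppp0 to internal addresses never match anything before the DENY policy.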


Tiny Firewall and rule for LAN please help

My LAN uses the IP range from 192.168.0.1 to 192.168.0.254.

I want to allow only the computers with IPs 192.168.0.1 to 192.168.0.10 to access
the internet with all functions; computers with other IPs can't access the internet.

Computer with ip 192.168.0.1 is running ICS and Tiny Personal Firewall

I create custom address group in Miscellaneous tab with address
192.168.0.1 - 192.168.0.10

Then I add 2 rules:
rule 1: allow any protocol, both directions, remote end point = custom
address group
rule 2: deny any protocol, both directions, remote end point = any address

It doesn't work.
What is wrong with my rules? Please correct my rules.
Thank you very much.

Mon P.
