IPCHAINS: Please evaluate my configuration
After a spending a good portion of the weekend reading the HOW-TO's, the
man pages, and the archives of this newsgroups for the purpose of figuring
out ipchains, I still cannot say that I have a good understanding of it.
Hopefully, some of you can help me clear a few things up.
I'm running a home workstation on a DSL connection. I've disabled all of
the following daemons with chkconfig: inetd (I plan on getting OpenSSH
running ASAP), sendmail, lpd, portmap, httpd, and nfs. I want to default
DENY policy for all three chains, but as of so far, I cannot enable
*anything* if I don't leave "output" on accept.
Here are the rules that I specified:
#These are so that connections from myself are accepted
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i eth0 -j ACCEPT
#Accept DNS responses
ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 domain -j ACCEPT
ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 domain -j ACCEPT
#Accept replies to TCP connections that I initiate
ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
#Accept connections to the web
ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 www -j ACCEPT
#Deny ping attempts
ipchains -A input -p icmp --icmp-type echo-request -d <my_ip_address> -j
DENY
When I set the "output" policy to DENY, attempts at a connection to the
web fail. When I set it to ACCEPT but leave "input" on DENY, the
connection succeeds. If I leave all of the rules out, the connection
fails, regardless of whether "output" is on ACCEPT or DENY. What is the
signficance of the "output" chain? Nobody seems to add rules to it, but
it obviously does have an effect. People do add rules concerning the
output of signals, but only to the input chain. I just don't get it.
Earlier today, I managed to get the ping DENY to work, but now it no
longer does, despite the fact that I'm using the exact same command.
Considering how completely difficult everything has been up until now, I
can't wait until I start working on masquerading. This is so completely
frustrating!
I appreciate any and all responses that might help me figure this out.
Thanks,
Chris
-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.**-**.com/ - The #1 Newsgroup Service in the World!
-----== Over 80,000 Newsgroups - 16 Different Servers! =-----