iptables, NAT & Packet Filtering, by DMDx86, 2002-06-14 06:47:51

In general..., by talon0720, 2002-06-14 07:31:24
With ipchains, I set my default policy to deny, then set the ports I wanted open to accept. With ipchains it's something like....

/sbin/ipchains -A input -i [interface] -s [source ip address of packet] -p [protocol] --sport [source port] --dport [destination port] -j [ACCEPT/DENY/REJECT]

-A, -i, and -j are the required ones; the others are optional, but very handy for blocking or opening specific ports or IP addresses.

I prefer DENY to REJECT, since REJECT sends a polite packet back to them saying that they aren't allowed, where DENY just ignores them and it looks like a timeout on their end, as if you aren't there.

/sbin/ipchains -A output -p icmp --icmp-type pong -i eth0 -j DENY -l

This blocks pongs from going back out onto the net, so if somebody is trying to ping your box to find a target for an attack, they don't see that you're there. Stealth mode on.

Anyway, don't forget to log the packets you drop in your default deny, so you can look at /var/log/messages to see if you are dropping packets you need to accept and add another accept to your rules. I think that iptables is basically the same as ipchains, but gives you more options for filtering and forwarding. Hope that helps you find somewhere to start.
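The same "default deny, open only what you need, log the rest" policy written for iptables, as an added example (editor's code, not from the post or from DMDx86/talon0720). ipchains' DENY is iptables' DROP, and the logging the post recommends is done with a dedicated LOGDROP chain so every drop is logged once, rate-limited so a port scan cannot fill /var/log/messages. The external interface (eth0), the open ports (22 and 80), the FW-DROP log prefix and the sample syslog lines are all assumptions made for the example. The ruleset is emitted in iptables-restore format; run the script with no arguments to print it, or with `apply` (as root) to load it. The second function answers the post's follow-up question, "which packets am I dropping that I might need?", by summarising the LOG lines by protocol and destination port.

```shell
#!/bin/sh
# Added example: iptables equivalent of the ipchains default-deny policy above.
# Assumed values (not from the post): external interface and the TCP ports to open.
WAN_IF="${WAN_IF:-eth0}"
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-22 80}"

# Emit a complete ruleset in iptables-restore format.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # One ACCEPT per published service; everything else falls through to LOGDROP.
    for p in $OPEN_TCP_PORTS; do
        printf -- '-A INPUT -i %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$WAN_IF" "$p"
    done
    cat <<EOF
-A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j DROP
-A INPUT -j LOGDROP
-A OUTPUT -o $WAN_IF -p icmp --icmp-type echo-reply -j DROP
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}
# Notes on the rules above:
#  - INPUT/FORWARD policy DROP is the "default deny"; DROP is what ipchains called DENY.
#  - Inbound echo-request is dropped silently (not logged) so ping sweeps do not flood
#    the log; the OUTPUT echo-reply rule mirrors the post's "pong" rule and is belt
#    and braces, since no request is ever accepted to answer.
#  - LOGDROP logs at most 5/min with a burst of 10, then drops.

# Constructed sample syslog lines in the format the LOG target produces
# (addresses are documentation ranges; the lines are not real captures).
SAMPLE_LOG='Jun 14 07:31:24 host kernel: FW-DROP: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44122 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 07:31:25 host kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44123 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 07:31:26 host kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=68 TTL=49 ID=0 DF PROTO=UDP SPT=5353 DPT=53 LEN=48'

# Read syslog on stdin and print "PROTO DPT count" per dropped destination port,
# most-hit first. Ports that show up here and belong to a service you run need
# an ACCEPT rule; the rest is noise you wanted dropped.
summarize_drops() {
    grep 'FW-DROP:' | awk '{
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (proto != "" && dpt != "") count[proto " " dpt]++
    } END { for (k in count) print k, count[k] }' | sort -k3,3nr
}

case "${1:-}" in
    apply)   gen_ruleset | iptables-restore ;;   # needs root
    summary) summarize_drops ;;                  # e.g. summarize_drops < /var/log/messages
    *)       gen_ruleset ;;
esac
```

Usage: `sh fw.sh > rules.v4` to inspect, `sh fw.sh apply` to load, and `sh fw.sh summary < /var/log/messages` to see which ports your default deny is eating. The ESTABLISHED,RELATED rule is what makes this stricter than the ipchains version with the same number of lines: replies to your own outbound connections are accepted by state, so you never need to open high "source port" ranges the way the post's `--sport` template invites.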