topic Re: Ipchains rules in Operating System - Linux

Ipchains rules

Victor Salvador — Wed, 08 Aug 2001 15:55:57 GMT

I have Redhat 7.1, an only have one ethernet card and one ip address, I try to filter telnet and ftp to work only with one remote pc, allow www for all and deny any other port, but when I apply the rules the telnet, ftp and www don't work for any pc or local, the icmp rules work good, there are the rules:
ipchains -A input -p icmp -s -j ACCEPT
ipchains -A input -p icmp -j DENY
ipchains -A input -p tcp -s ftp -j ACCEPT
ipchains -A input -p tcp -s ftp-data -j ACCEPT
ipchains -A input -p tcp -s telnet -j ACCEPT
ipchains -A input -p tcp -s 0.0.0.0/0 www -d 0.0.0.0/0 www -j ACCEPT
ipchains -A input -j DENY -l

Re: Ipchains rules

Jeffrey S. Sims — Wed, 08 Aug 2001 20:40:40 GMT

Victor,

I am not sure about using ipchains to restrict these services but you can combine tcp wrappers and utilize the hosts.allow and hosts.deny files to restrict or disable access to services.

Entering something like the example below to your hosts.allow file to give access to telnet and ftp:

in.telnetd: 192.168.1.1
in.ftpd: 192.168.1.1

hosts.deny has the same syntax except it is used to restrict access to the services.

Hope this helps.

Re: Ipchains rules

Bill Thorsteinson — Thu, 09 Aug 2001 01:41:15 GMT

The input rules should be
-d -s
not
-s

I think ftp-data is the exception. Check your log file
for failures.

The tcp-wrappers is a good way to further protect
services run through inetd (usually not http).

Re: Ipchains rules

Elliot Nesterman — Thu, 16 Aug 2001 05:21:06 GMT

Dude. ipchains sucks!

iptables Rulez!

(Sorry, I couldn't resist.)