
ipchains firewalling question



I am thinking of using ipchains to tighten security a little on my Debian
2.1 box.  Currently, I have it set up as follows:

ipchains -P forward DENY
ipchains -A forward -s 192.168.1.9/255.255.255.255 -j MASQ

Below is a much more involved setup I created based on the information in
the HOW-TO. The goal is to cut off access to any ports that I never use,
and limit access to some of the ports I do use.  Could you please take a
look at it and let me know what you think? 

I have the following specific questions:
1. Have I made any mistakes that could cause really annoying problems?
   (perhaps unintentionally blocking something that shouldn't be blocked) 
2. Is it safe to allow all input from localhost and output to localhost
   as I have done?
3. Are the lines that allow ICMP the right thing to do so that ping will work?
   (Also, the HOW-TO warned against blocking ICMP type 3.)
4. Are the SMTP and POP3 ports as secure as possible while still
   allowing fetchmail and sendmail to work?
5. Will my lines to block all communication with ads3.inet1.com work?
   (If I had a fast Internet connection, I wouldn't mind banner ads)
6. Any other comments or suggestions?

--- begin list of ipchains commands ---

ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY

# allow anything local
ipchains -A input  -s 127.0.0.1 -j ACCEPT
ipchains -A output -d 127.0.0.1 -j ACCEPT

# allow ICMP
ipchains -A input  -p icmp -j ACCEPT
ipchains -A output -p icmp -j ACCEPT

# allow FTP, telnet, DNS, WWW and IRC in both directions
ipchains -A input  -p 20 -j ACCEPT
ipchains -A input  -p 21 -j ACCEPT
ipchains -A input  -p 23 -j ACCEPT
ipchains -A input  -p 53 -j ACCEPT
ipchains -A input  -p 80 -j ACCEPT
ipchains -A input  -p 194 -j ACCEPT

ipchains -A output -p 20 -j ACCEPT
ipchains -A output -p 21 -j ACCEPT
ipchains -A output -p 23 -j ACCEPT
ipchains -A output -p 53 -j ACCEPT
ipchains -A output -p 80 -j ACCEPT
ipchains -A output -p 194 -j ACCEPT

# allow me to use fetchmail
ipchains -A output -p 110 -j ACCEPT

# allow outgoing SMTP
ipchains -A output -p 25 -j ACCEPT

# allow netbios stuff on eth0
ipchains -A input  -i eth0 -p 137 -j ACCEPT
ipchains -A input  -i eth0 -p 138 -j ACCEPT
ipchains -A input  -i eth0 -p 139 -j ACCEPT

ipchains -A output -i eth0 -p 137 -j ACCEPT
ipchains -A output -i eth0 -p 138 -j ACCEPT
ipchains -A output -i eth0 -p 139 -j ACCEPT

# allow communication with my ISP's proxy
ipchains -A input  -p 3128 -j ACCEPT
ipchains -A output -p 3128 -j ACCEPT

# kill some of those annoying banner advertisements
ipchains -A input  -s ads3.inet1.com -j DENY
ipchains -A output -s ads3.inet1.com -j DENY

# anything that makes it through the input and output filters can be
# masqueraded for certain local systems

ipchains -A forward -s 192.168.1.9/255.255.255.255 -j MASQ

--- end list of ipchains commands ---

I would really appreciate some feedback on this so that I will know whether I
am getting it right or making mistakes.

Thanks in advance,
Patrick Olson
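A corrected version of the posted ruleset, added here as an editorial example; it is not part of Patrick's message or of any reply. It addresses the points a reviewer would raise: "-p 20" matches IP protocol number 20 rather than TCP port 20, so ports need "-p tcp"/"-p udp" with "--dport"/"--sport"; the outbound ad-blocking rule must match the destination with "-d"; ipchains is first-match, so DENY rules go before the ACCEPTs; inbound TCP is limited to replies with "! -y" so nothing can connect in; and only the ICMP types ping and path-MTU discovery need are opened, keeping type 3 unblocked. It assumes the LAN is 192.168.1.0/24 on eth0 (the post names only 192.168.1.9) and that the proxy and mail servers are reached over the Internet link; set IPCHAINS=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Corrected ipchains ruleset for the setup in the post (added example, not the
# poster's rules). Assumes LAN 192.168.1.0/24 on eth0. IPCHAINS=echo = dry run.
IPCHAINS="${IPCHAINS:-ipchains}"
rule() { "$IPCHAINS" "$@"; }
apply_rules() {
  rule -F                            # start from empty chains
  rule -P input DENY
  rule -P output DENY
  rule -P forward DENY
  # Loopback: match the lo interface, and log/drop spoofed 127.x from elsewhere.
  rule -A input  -i lo -j ACCEPT
  rule -A output -i lo -j ACCEPT
  rule -A input  -s 127.0.0.0/8 ! -i lo -j DENY -l

  # Banner-ad host: first match wins, so these precede the ACCEPTs, and the
  # outbound rule matches the destination (-d), not the source (-s).
  rule -A input  -s ads3.inet1.com -j DENY
  rule -A output -d ads3.inet1.com -j DENY

  # ICMP: enough for ping and path-MTU discovery; type 3 (destination-
  # unreachable) stays open, which is what the HOWTO warns about.
  for t in echo-request echo-reply destination-unreachable time-exceeded; do
    rule -A input  -p icmp --icmp-type "$t" -j ACCEPT
    rule -A output -p icmp --icmp-type "$t" -j ACCEPT
  done

  # Client access to remote services. "-p 20" selects IP protocol 20, not a
  # port: ports need -p tcp/udp plus --dport/--sport. Inbound packets are
  # accepted only as replies (! -y = no SYN), so nobody can connect in.
  for p in 21 23 25 80 110 194 3128; do
    rule -A output -p tcp --dport "$p" -j ACCEPT
    rule -A input  -p tcp --sport "$p" ! -y -j ACCEPT
  done
  rule -A output -p udp --dport 53 -j ACCEPT
  rule -A input  -p udp --sport 53 -j ACCEPT
  # Active-mode FTP: the server opens the data connection from port 20 to a
  # high port here, so that one inbound SYN is allowed.
  rule -A input  -p tcp --sport 20 --dport 1024:65535 -j ACCEPT
  rule -A output -p tcp --sport 1024:65535 --dport 20 ! -y -j ACCEPT

  # NetBIOS only from the LAN on eth0, never from the Internet.
  rule -A input  -i eth0 -s 192.168.1.0/24 -p udp --dport 137:138 -j ACCEPT
  rule -A output -i eth0 -d 192.168.1.0/24 -p udp --sport 137:138 -j ACCEPT
  rule -A input  -i eth0 -s 192.168.1.0/24 -p tcp --dport 139 -j ACCEPT
  rule -A output -i eth0 -d 192.168.1.0/24 -p tcp --sport 139 ! -y -j ACCEPT
  # Masquerade one LAN host; everything else stays under the DENY policy.
  rule -A forward -s 192.168.1.9/32 -j MASQ
}
# Load as root with: apply_rules   (preview with: IPCHAINS=echo sh -c '. ./rules.sh; apply_rules')
```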

