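# file = /etc/sysconfig/ipchains
# FW Rules by Bill
#
# ipchains (2.2-kernel) packet filter for host 172.25.0.10 on eth0,
# local subnet 172.25.0.0/16. Default policy drops everything inbound and
# forwarded and allows everything outbound; the ACCEPT rules below carve out
# the services this host offers and the replies it expects, and the very
# last rule logs whatever nothing above matched.
#
# NOTE on ipchains syntax used throughout:
#  - a port after -s/-d is the source/destination port of that address
#  - for -p tcp, "! -y" matches packets that are NOT connection-opening SYNs,
#    i.e. only replies to connections this host started
#  - for -p icmp, the "source port" is the ICMP type and the "destination
#    port" is the ICMP code
:input DENY
:forward DENY
:output ACCEPT

#########
# LOCAL #
#########
#-A input -i lo -j ACCEPT
-A input -i lo -s 127.0.0.1 -j ACCEPT
-A input -i lo -s 172.25.0.10 -j ACCEPT

###################
# SPOOFED PACKETS #
###################
# Remove spoofed packets -- even though there shouldn't be any
# (private ranges other than our own 172.25.0.0/16; -l logs each hit)
-A input -i eth0 -s 192.168.0.0/16 -j DENY -l
#-A input -i eth0 -s 172.16.0.0/12 -j DENY -l
-A input -i eth0 -s 172.16.0.0/16 -j DENY -l
-A input -i eth0 -s 172.17.0.0/16 -j DENY -l
-A input -i eth0 -s 172.18.0.0/16 -j DENY -l
-A input -i eth0 -s 172.19.0.0/16 -j DENY -l
-A input -i eth0 -s 172.20.0.0/16 -j DENY -l
-A input -i eth0 -s 172.21.0.0/16 -j DENY -l
-A input -i eth0 -s 172.22.0.0/16 -j DENY -l
-A input -i eth0 -s 172.23.0.0/16 -j DENY -l
-A input -i eth0 -s 172.24.0.0/16 -j DENY -l
# allow own subnet to access server
#-A input -i eth0 -s 172.25.0.0/16 -j DENY -l
-A input -i eth0 -s 172.26.0.0/16 -j DENY -l
-A input -i eth0 -s 172.27.0.0/16 -j DENY -l
-A input -i eth0 -s 172.28.0.0/16 -j DENY -l
-A input -i eth0 -s 172.29.0.0/16 -j DENY -l
-A input -i eth0 -s 172.30.0.0/16 -j DENY -l
-A input -i eth0 -s 172.31.0.0/16 -j DENY -l
-A input -i eth0 -s 10.0.0.0/8 -j DENY -l
# NOTE(review): nothing here rejects 127.0.0.0/8 arriving on eth0; such a
# packet is only dropped if no later ACCEPT (e.g. the ICMP rules, which have
# no -s restriction) matches it first.

#######
# SSH #
#######
# Accept new connections from the admin host only:
-A input -i eth0 -s 172.25.24.100 -d 172.25.0.10 22 -p tcp -j ACCEPT

########
# ICMP #
########
# You probably want to let in all ICMP requests (but not let back out to
# eth0) but follow the advice in RWLS on not accepting redirect and source
# route ICMP commands.
# For -p icmp the ICMP *type* is matched as the source port. The previous
# "--dport N" form matched the ICMP *code* instead, so e.g. a redirect
# (type 5, code 0) was accepted -- the opposite of the intent above.
# Types: 0 = echo-reply, 3 = destination-unreachable, 11 = time-exceeded.
-A input -i eth0 -p icmp --sport 0 -j ACCEPT
-A input -i eth0 -p icmp --sport 3 -j ACCEPT
-A input -i eth0 -p icmp --sport 11 -j ACCEPT

#######
# DNS #
#######
# Allow dig & domain transfers from local ips only
-A input -i eth0 -s 172.25.0.0/16 -d 172.25.0.10 53 -p tcp -j ACCEPT
# allow local clients to query using normal UDP requests
-A input -i eth0 -s 172.25.0.0/16 -d 172.25.0.10 53 -p udp -j ACCEPT
# allow answers from upstream dns servers
# "! -y" on the TCP rules: a packet from source port 53 may only continue a
# connection this host opened, not open a new one (same as the SMTP/FTP
# reply rules below, which already did this).
-A input -i eth0 -s 195.15.127.166 53 -p tcp ! -y -j ACCEPT
-A input -i eth0 -s 195.15.127.166 53 -p udp -j ACCEPT
-A input -i eth0 -s 195.15.127.165 53 -p tcp ! -y -j ACCEPT
-A input -i eth0 -s 195.15.127.165 53 -p udp -j ACCEPT
-A input -i eth0 -s 144.85.10.90 53 -p tcp ! -y -j ACCEPT
-A input -i eth0 -s 144.85.10.90 53 -p udp -j ACCEPT
-A input -i eth0 -s 144.85.20.30 53 -p tcp ! -y -j ACCEPT
-A input -i eth0 -s 144.85.20.30 53 -p udp -j ACCEPT
# NOTE(review): this host's own address as source on eth0 -- presumably for
# queries it sends to itself via eth0; confirm it is still needed, since
# own-address-on-eth0 is otherwise a spoofing indicator.
-A input -i eth0 -s 172.25.0.10 53 -p tcp ! -y -j ACCEPT
-A input -i eth0 -s 172.25.0.10 53 -p udp -j ACCEPT

########
# DHCP #
########
# Accept normal DHCP requests (client port 68 -> server port 67)
-A input -i eth0 -s 255.255.255.255 68 -d 255.255.255.255 67 -p udp -j ACCEPT
# Accept normal DHCP renewals
-A input -i eth0 -s 172.25.0.0/16 68 -d 255.255.255.255 67 -p udp -j ACCEPT
-A input -i eth0 -s 172.25.0.0/16 68 -d 172.25.0.10 67 -p udp -j ACCEPT
# Accept old Mac DHCP requests
# (0.0.0.0/16 as written; a plain 0.0.0.0 source is what DHCP discovers
# normally carry -- TODO confirm the /16 is intended)
-A input -i eth0 -s 0.0.0.0/16 68 -d 255.255.255.255 67 -p udp -j ACCEPT
# Don't log server answers
# (our own broadcast replies, presumably seen again on the input chain;
# DENY without -l keeps them out of the log)
-A input -i eth0 -s 172.25.0.10 67 -d 255.255.255.255 68 -p udp -j DENY
# Client needs
#-A input -i eth0 -s 0/0 67 -d 0/0 68 -p udp -j ACCEPT

########
# SMTP #
########
# allow smtp responses from mail server (replies only, no new connections)
-A input -i eth0 -s 195.15.127.170 25 -d 172.25.0.10 -p tcp ! -y -j ACCEPT

########
# HTTP #
########
# allow http responses from web servers
#-A input -i eth0 --sport http -p tcp ! -y -j ACCEPT
#-A input -i eth0 --sport https -p tcp ! -y -j ACCEPT

#######
# NTP #
#######
# allow responses from time servers (source port 123)
-A input -i eth0 -p udp -s 195.15.127.168 123 -d 172.25.0.10 -j ACCEPT
# "! -y": TCP replies only, consistent with the other TCP reply rules
-A input -i eth0 -p tcp -s 195.15.127.168 123 -d 172.25.0.10 ! -y -j ACCEPT
-A input -i eth0 -p udp -s 129.132.2.21 123 -d 172.25.0.10 -j ACCEPT
-A input -i eth0 -p udp -s 134.214.100.6 123 -d 172.25.0.10 -j ACCEPT
-A input -i eth0 -p udp -s 193.213.238.2 123 -d 172.25.0.10 -j ACCEPT

########
# LDAP #
########
# ldap (local subnet only)
-A input -i eth0 -s 172.25.0.0/16 -d 172.25.0.10 389 -p udp -j ACCEPT
-A input -i eth0 -s 172.25.0.0/16 -d 172.25.0.10 389 -p tcp -j ACCEPT
# ldaps (local subnet only)
-A input -i eth0 -s 172.25.0.0/16 -d 172.25.0.10 636 -p udp -j ACCEPT
-A input -i eth0 -s 172.25.0.0/16 -d 172.25.0.10 636 -p tcp -j ACCEPT

#######
# SMB #
#######
# allow SMB/CIFS to function as a server (local subnet only)
-A input -i eth0 -s 172.25.0.0/16 -d 172.25.0.10 137:139 -p udp -j ACCEPT
-A input -i eth0 -s 172.25.0.0/16 -d 172.25.0.10 137:139 -p tcp -j ACCEPT
-A input -i eth0 -s 172.25.0.0/16 -d 172.25.0.10 445 -p udp -j ACCEPT
-A input -i eth0 -s 172.25.0.0/16 -d 172.25.0.10 445 -p tcp -j ACCEPT
# Bob's Book
#Allow SMB input from our "friends"
#ipchains -A input -p tcp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
#ipchains -A input -p udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
#
#Deny SMB input from everyone else and log violations
#ipchains -A input -p tcp --dport 137:139 -j DENY -l
#ipchains -A input -p udp --dport 137:139 -j DENY -l
#
#Allow SMB outbound traffic to our "friends"
#ipchains -A output -p tcp -d 192.168.1.0/24 --sport 137:139 -j ACCEPT
#ipchains -A output -p udp -d 192.168.1.0/24 --sport 137:139 -j ACCEPT
#
#Deny SMB outbound traffic to everyone else
#ipchains -A output -p tcp --sport 137:139 -j DENY -l
#ipchains -A output -p udp --sport 137:139 -j DENY -l
#ipchains -A input -p tcp -s 192.168.1.0/24 --dport 445 -j ACCEPT
#ipchains -A input -p udp -s 192.168.1.0/24 --dport 445 -j ACCEPT
#ipchains -A input -p tcp --dport 445 -j DENY -l
#ipchains -A input -p udp --dport 445 -j DENY -l
#
#ipchains -A output -p tcp -d 192.168.1.0/24 --sport 445 -j ACCEPT
#ipchains -A output -p udp -d 192.168.1.0/24 --sport 445 -j ACCEPT
#ipchains -A output -p tcp --sport 445 -j DENY -l
#ipchains -A output -p udp --sport 445 -j DENY -l

#########
# ATALK #
#########
# allow AppleTalk/Netatalk to function as a server
-A input -i eth0 -p tcp -s 172.25.0.0/16 --dport afpovertcp -j ACCEPT
# NOTE(review): the live rtmp rule has no -s restriction, unlike the
# commented 172.25.0.0/16 variants below -- confirm that is intended.
-A input -i eth0 -p ddp --dport rtmp -j ACCEPT
#-A input -i eth0 -p ddp --dport zip -j ACCEPT
#-A input -i eth0 -p ddp --dport nbp -j ACCEPT
#-A input -i eth0 -p ddp --dport echo -j ACCEPT
#-A input -i eth0 -p ddp -s 172.25.0.0/16 --dport rtmp -j ACCEPT
#-A input -i eth0 -p ddp -s 172.25.0.0/16 --dport zip -j ACCEPT
#-A input -i eth0 -p ddp -s 172.25.0.0/16 --dport nbp -j ACCEPT
#-A input -i eth0 -p ddp -s 172.25.0.0/16 --dport echo -j ACCEPT
# $STU = 172.25.0.0/16
#-A output -i eth0 -p ddp -d $STU --sport rtmp -j ACCEPT
#-A output -i eth0 -p ddp -d $STU --sport nbp -j ACCEPT
#-A output -i eth0 -p ddp -d $STU --sport echo -j ACCEPT
#-A output -i eth0 -p ddp -d $STU --sport zip -j ACCEPT

#######
# FTP #
#######
# Each mirror gets two reply-only rules: control channel from port 21, and
# data channel to our unprivileged ports (passive mode).
# autoupdate - ftp.mat.univie.ac.at
#-A input -i eth0 -s 131.130.14.152 21 -d 172.25.0.10 -p tcp ! -y -j ACCEPT
#-A input -i eth0 -s 131.130.14.152 -d 172.25.0.10 1024:65535 -p tcp ! -y -j ACCEPT
# redhat updates - sunsite.cnlab-switch.ch
-A input -i eth0 -s 195.176.255.9 21 -d 172.25.0.10 -p tcp ! -y -j ACCEPT
-A input -i eth0 -s 195.176.255.9 -d 172.25.0.10 1024:65535 -p tcp ! -y -j ACCEPT
# redhat updates - ftp.dplanet.ch
-A input -i eth0 -s 212.35.35.8 21 -d 172.25.0.10 -p tcp ! -y -j ACCEPT
-A input -i eth0 -s 212.35.35.8 -d 172.25.0.10 1024:65535 -p tcp ! -y -j ACCEPT
# redhat updates -- updates.redhat.com
-A input -i eth0 -s 66.187.232.52 21 -d 172.25.0.10 -p tcp ! -y -j ACCEPT
-A input -i eth0 -s 66.187.232.52 -d 172.25.0.10 1024:65535 -p tcp ! -y -j ACCEPT
# redhat updates -- updates.redhat.com
-A input -i eth0 -s 66.187.224.52 21 -d 172.25.0.10 -p tcp ! -y -j ACCEPT
-A input -i eth0 -s 66.187.224.52 -d 172.25.0.10 1024:65535 -p tcp ! -y -j ACCEPT

#****************************************************************
########
# DENY #
########
# quietly ignore random known chatter (DENY without -l: no log entry)
# JetAdmin Noise
-A input -i eth0 -s 172.25.0.0/16 -d 224.0.0.2 -p igmp -j DENY
-A input -i eth0 -s 172.25.0.0/16 -d 224.0.0.22 -p igmp -j DENY
-A input -i eth0 -s 172.25.0.0/16 427 -d 224.0.1.60 427 -p udp -j DENY
#-A input -i eth0 -s 172.25.0.0/16 123 -d 255.255.255.255 123 -p udp -j DENY
# DHCP server answers
# (identical to the rule in the DHCP section, which already matches these
# packets first, so this one is never reached; kept for clarity)
-A input -i eth0 -s 172.25.0.10 67 -d 255.255.255.255 68 -p udp -j DENY

#######
# LOG #
#######
# Deny & log all unwanted packets
-A input -j DENY -l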