Re: What is wrong with this rule

From: David (thunderbolt01@netscape.net)
Date: 05/31/02

Jester wrote:
> One of my chains is listed as follows
>
> ipchains -A input -p TCP -i $extint -s 0.0.0.0/0 -d $extip/32 linuxconf -j DENY #98
>
> When I start my script with the following, ./rc.firewall, I get this error
> message
>
> [root@echelon rc.d]# ./rc.firewall
> ipchains: invalid port/service `linuxconf' specified
>
> One other thing. This machine used to be the gateway & so had the ppp0
> interface as well. It is now my main service machine running DNS, WWW, MAIL
> etc. but does this by means of port forwarding from a dedicated firewall. Are
> there any good articles that anyone knows of that tell of setting up a
> firewall on a machine itself? By this I mean one that just looks after this
> machine alone. In the existing script I have rules set where it needed its
> external IP address (one given from the ISP) which is static & then its internal
> IP (192.168.0.*).
>
> I have tried commenting out the IP assigned since this is obviously now
> assigned to my dedicated firewall which does the actual dialing & connecting,
> but when doing this & restarting the script I get multiple errors. It looks a
> bit like this
>
>
> # For PPP users with STATIC IP addresses:
> #
> extip="This is my static IP address"
>
> # ALL PPP and DHCP users must set this for the correct EXTERNAL interface
> # name
> extint="ppp0"
>
> # Assign the internal IP
> intint="eth0"
> intnet="192.168.0.2/24"
>
> Commenting out extip & extint causes these errors.
>
> I know this relates to the way I have created the chains, so where can I go
> for good examples of internal firewall rules scripts?

This is how I do it.
EXTDEV = external device
ANYWHERE = 0.0.0.0/0
EXTERNALIP = external IP address

echo " Optional parameter: Ignore LINUXCONF"
/sbin/ipchains -A input -i $EXTDEV -p tcp -y -s $ANYWHERE -d $EXTERNALIP linuxconf -j DENY -l

-- 
   Confucius:  He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org
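
An added example, not part of either post in this thread: a small POSIX sh script that builds the host-only DENY rule discussed above without running it. ipchains resolves a service name such as `linuxconf` through /etc/services, so a name missing there produces exactly the "invalid port/service" error quoted; the script falls back to a numeric port, and it refuses to emit a rule when the external device or IP is empty, which is what happens when $extip/$extint are commented out. The function names, the variable layout and the sample values (eth0, 192.0.2.10, fallback port 98 as in the "#98" comment) are assumptions made for this example.

```shell
#!/bin/sh
# Constructed example: print the host-only ipchains DENY rule instead of
# executing it, so it can be checked on a machine that has no ipchains.

# Resolve a service name to a numeric port. ipchains looks names up in
# /etc/services; an unknown name fails with
# "invalid port/service `linuxconf' specified". A number always works.
# Usage: resolve_port NAME_OR_NUMBER FALLBACK_PORT
resolve_port() {
    name="$1"; fallback="$2"
    case "$name" in
        ''|*[!0-9]*) ;;                 # not purely numeric: try a lookup below
        *) echo "$name"; return 0 ;;    # already a port number
    esac
    port=""
    if command -v getent >/dev/null 2>&1; then
        # getent prints e.g. "linuxconf 98/tcp"; keep only the number.
        port=$(getent services "$name" 2>/dev/null | awk '{split($2, a, "/"); print a[1]; exit}')
    fi
    if [ -n "$port" ]; then echo "$port"; else echo "$fallback"; fi
}

# Emit the DENY rule for one TCP service arriving on the external interface.
# Empty EXTDEV/EXTERNALIP are rejected: a commented-out $extip otherwise
# expands to "-d /32" and every rule in the script fails in turn.
# Usage: deny_rule EXTDEV EXTERNALIP SERVICE FALLBACK_PORT
deny_rule() {
    extdev="$1"; extip="$2"; svc="$3"; fallback="$4"
    if [ -z "$extdev" ] || [ -z "$extip" ]; then
        echo "deny_rule: EXTDEV and EXTERNALIP must be set" >&2
        return 1
    fi
    port=$(resolve_port "$svc" "$fallback") || return 1
    # -y matches SYN-only packets (new inbound connections); -l logs the match.
    echo "ipchains -A input -i $extdev -p tcp -y -s 0.0.0.0/0 -d $extip/32 $port -j DENY -l"
}

# Sample run with constructed values: the linuxconf rule from the thread.
deny_rule eth0 192.0.2.10 linuxconf 98
```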