[aclug-L] ipchains rules
Ok, by popular request, here are the ipchains rules I use for my box.
Your mileage may vary, offer good in the US and Puerto Rico, void
where prohibited. If it breaks you get to keep both pieces.
# deny all, log
/sbin/ipchains -I input -j DENY -l
# allow all sourced from me, don't log
/sbin/ipchains -I input -s 127.0.0.1 -j ACCEPT
# allow kuhub NTP UDP, don't log
/sbin/ipchains -I input -s 129.237.32.2 123:123 -d 0/0 123:123 \
-p udp -j ACCEPT
# allow DNS UDP, don't log
/sbin/ipchains -I input -s 0/0 53:53 -p udp -j ACCEPT
# allow pings, log
/sbin/ipchains -I input -d 0/0 0:0 -p icmp -j ACCEPT -l
# allow onyx's telnetd to connect back to us on tcp, don't log
/sbin/ipchains -I input -s 206.53.103.2 23:23 -d 0/0 1024: -p tcp \
-j ACCEPT
# allow ftp.nec's telnetd to connect back to us on tcp, no log
/sbin/ipchains -I input -s external.nj.nec.com -p tcp -j ACCEPT
# allow onyx to telnet in
/sbin/ipchains -I input -s 206.53.103.2 1024: -d 0/0 23:23 -p tcp \
-j ACCEPT -l
# allow remote httpds to connect back on tcp, don't log
/sbin/ipchains -I input -s 0/0 80:80 -d 0/0 1024: -p tcp -j ACCEPT
# allow remote NNTP, don't log
/sbin/ipchains -I input -s 0/0 119:119 -p tcp -j ACCEPT
# allow remote ftp connect, log
#/sbin/ipchains -I input -s 0/0 20:20 -p tcp -j ACCEPT -l
#/sbin/ipchains -I input -s 0/0 21:21 -p tcp -j ACCEPT -l
# allow rs.internic.net whois replies
/sbin/ipchains -I input -s 198.41.0.6 43:43 -p tcp -j ACCEPT
# allow rlogin from LAN
#/sbin/ipchains -I input -s 192.168.0.0/24 -d 0/0 513:513 -p tcp -j ACCEPT
-jeff
--
On March 29, the Dow Jones made history, closing above 10,000 points for
the first time ever. What do you think about Wall Street's unprecedented
vigor? "Some say money is the root of all evil. Then again, some say love,
it is a river that drowns the tender reed." Jen Kobel, Set Designer
http://www.theonion.com/onion3513/wdyt_3513.html
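The ordering of the rules above is easy to misread: every line uses `-I input`, which inserts at the head of the chain, so the "deny all" rule loaded first ends up last and each later rule takes precedence over it. The following is an added example (not part of Jeff's post) that models that insert semantics and the match fields his rules use, then runs a few constructed packets through the chain. It also builds a second variant in which the reply-only TCP rules carry ipchains' `! -y` (match non-SYN packets only), which is the standard way to keep a rule such as `-s 0/0 80:80 -d 0/0 1024:` from also admitting new connections that merely originate from source port 80. Simplifications are assumptions: interfaces and fragments are ignored, the ICMP rule is modelled as "any ICMP", the hostname-based ftp.nec rule is left out, and the packet addresses are invented.

```python
"""Simulate the input-chain order and matching of the posted ipchains rules.

Added example, not part of the original post. Models only protocol, source and
destination address/port range, the SYN flag (`! -y`), and the `-I` prepend.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)
UNPRIV = (1024, 65535)  # ipchains "1024:" means 1024 and above


@dataclass
class Rule:
    target: str                      # "ACCEPT" or "DENY"
    proto: Optional[str] = None      # "tcp", "udp", "icmp", or None for any
    src: str = "0.0.0.0/0"
    sport: Tuple[int, int] = ANY_PORT
    dst: str = "0.0.0.0/0"
    dport: Tuple[int, int] = ANY_PORT
    not_syn: bool = False            # ipchains `! -y`: match only non-SYN packets
    log: bool = False                # ipchains `-l`


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False


def matches(rule: Rule, pkt: Packet) -> bool:
    """Return True if every field the rule constrains agrees with the packet."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if not rule.sport[0] <= pkt.sport <= rule.sport[1]:
        return False
    if not rule.dport[0] <= pkt.dport <= rule.dport[1]:
        return False
    if rule.not_syn and pkt.syn:
        return False
    return True


class Chain:
    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules: List[Rule] = []
        self.policy = policy  # ipchains input policy; the post never sets -P

    def insert(self, rule: Rule) -> None:
        """`ipchains -I input ...`: the new rule goes to the head of the chain."""
        self.rules.insert(0, rule)

    def decide(self, pkt: Packet) -> Tuple[str, bool]:
        """First matching rule wins; returns (target, logged)."""
        for rule in self.rules:
            if matches(rule, pkt):
                return rule.target, rule.log
        return self.policy, False


def build_chain(harden_replies: bool = False) -> Chain:
    """Load the posted rules in the posted order (hostname-based rule omitted).

    With harden_replies=True the TCP rules that exist only to admit replies get
    `! -y`, so a SYN arriving from a well-known source port no longer matches.
    """
    ns = harden_replies
    c = Chain()
    c.insert(Rule("DENY", log=True))                                             # deny all, log
    c.insert(Rule("ACCEPT", src="127.0.0.1/32"))                                 # sourced from me
    c.insert(Rule("ACCEPT", "udp", "129.237.32.2/32", (123, 123), dport=(123, 123)))  # kuhub NTP
    c.insert(Rule("ACCEPT", "udp", sport=(53, 53)))                              # DNS replies
    c.insert(Rule("ACCEPT", "icmp", log=True))                                   # pings (simplified)
    c.insert(Rule("ACCEPT", "tcp", "206.53.103.2/32", (23, 23), dport=UNPRIV, not_syn=ns))  # onyx telnetd back to us
    c.insert(Rule("ACCEPT", "tcp", "206.53.103.2/32", UNPRIV, dport=(23, 23), log=True))    # onyx telnets in
    c.insert(Rule("ACCEPT", "tcp", sport=(80, 80), dport=UNPRIV, not_syn=ns))    # httpd replies
    c.insert(Rule("ACCEPT", "tcp", sport=(119, 119), not_syn=ns))                # NNTP replies
    c.insert(Rule("ACCEPT", "tcp", "198.41.0.6/32", (43, 43), not_syn=ns))       # whois replies
    return c


def build_posted_chain() -> Chain:
    return build_chain(harden_replies=False)


def build_hardened_chain() -> Chain:
    return build_chain(harden_replies=True)


if __name__ == "__main__":
    # Constructed traffic; 10.0.0.5 stands in for "my box", 1.2.3.4 for a stranger.
    samples = [
        ("DNS reply", Packet("udp", "1.2.3.4", 53, "10.0.0.5", 3000)),
        ("SSH SYN from stranger", Packet("tcp", "1.2.3.4", 40000, "10.0.0.5", 22, syn=True)),
        ("telnet SYN from onyx", Packet("tcp", "206.53.103.2", 2000, "10.0.0.5", 23, syn=True)),
        ("SYN from source port 80", Packet("tcp", "1.2.3.4", 80, "10.0.0.5", 3000, syn=True)),
    ]
    for label, pkt in samples:
        print(f"{label:26} posted={build_posted_chain().decide(pkt)} "
              f"hardened={build_hardened_chain().decide(pkt)}")
```

Running it shows the chain doing what the comments promise for replies and for onyx, and shows the one difference between the two variants: the posted rules accept a SYN from source port 80 to any unprivileged port, while the `! -y` variant sends it to the logging deny rule.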