ipchains question...

[AA]

Ok... silly user me knows nothing about ipchains but then I'm told that if you go on a coarse they spend a whole day on ipchains alone.!!

 

Anyway back to my question.

 

I want to block all traffic to a certain ip address / host.

 

How do I do this.?

 

The man file is helpful in explaining what every option does but it doesnt give examples. IE... if someone can give me an example on how to do this...

 

like #ipchains -XYZ xx.xx.xx.xx [or whatever]

 

Thanx in advance..!!

 

AA

[Guest anon]

IPChains is a bit dated now. Though it is supported in the 2.4 kernels. Im no expert on security, but most people will sugest using iptables (netfilter) for your firewall stuff, running with say, shorewall, guardog etc.

[AA]

Ok yes I know ipchains is quite outdated, but on older servers that do not have ip tables and shorewall, and that do not have any development packages installed, one kinda has to make do with what you have...!!

 

I should also mention that this is not for a mandrake machine....

 

It's based on redhat, E-Smith to be exact... but in anycase, it will become a debian server soon and well, debian also comes standard with ipchains, I could probably install another firewall on the debian box too, but why bother when ipchains will suffice, and the server acting as a firewall also performs other functions...

 

I know that this is probably not the best way to keep my network safe, and I know that there are many exploits and vulnerabilities out there that could probably be used againt ipchains, hence iptables.... but hey. As long as the end point is 99% secure, that should do just fine..!!

[Guest anon]

Umm... How about this??

#!/bin/bash

##########################################################################

# IPCHAINS VERSION

# This sample configuration is for a single host firewall configuration

# with no services supported by the firewall machine itself.

##########################################################################



# USER CONFIGURABLE SECTION



# The name and location of the ipchains utility.

IPCHAINS=ipchains



# The path to the ipchains executable.

PATH="/sbin"



# Our internal network address space and its supporting network device.

OURNET="172.29.16.0/24"

OURBCAST="172.29.16.255"

OURDEV="eth0"



# The outside address and the network device that supports it.

ANYADDR="0/0"

ANYDEV="eth1"



# The TCP services we wish to allow to pass - "" empty means all ports

# note: space separated

TCPIN="smtp www"

TCPOUT="smtp www ftp ftp-data irc"



# The UDP services we wish to allow to pass - "" empty means all ports

# note: space separated

UDPIN="domain"

UDPOUT="domain"



# The ICMP services we wish to allow to pass - "" empty means all types

# ref: /usr/include/netinet/ip_icmp.h for type numbers

# note: space separated

ICMPIN="0 3 11"

ICMPOUT="8 3 11"



# Logging; uncomment the following line to enable logging of datagrams

# that are blocked by the firewall.

# LOGGING=1



# END USER CONFIGURABLE SECTION

##########################################################################

# Flush the Input table rules

$IPCHAINS -F input



# We want to DENY incoming access by default.

$IPCHAINS -P input DENY



# SPOOFING

# We should not ACCEPT any datagrams with a source address matching ours

# from the outside, so we DENY them.

$IPCHAINS -A input -s $OURNET -i $ANYDEV -j DENY



# SMURF

# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.

$IPCHAINS -A input -p icmp -i $ANYDEV -d $OURBCAST -j DENY



# We should ACCEPT fragments, in ipchains we must do this explicitly.

$IPCHAINS -A input -f -j ACCEPT



for i in $TCPIN

do

# TCP

# We will ACCEPT all TCP datagrams belonging to an existing connection

# (i.e. having the ACK bit set) for the TCP ports we're allowing through.

# This should catch more than 95 % of all valid TCP packets.

  $IPCHAINS -A input -p tcp -d $OURNET $i ! -y -b -j ACCEPT



# TCP - INCOMING CONNECTIONS

# We will ACCEPT connection requests from the outside only on the

# allowed TCP ports.

  $IPCHAINS -A input -p tcp -i $ANYDEV -d $OURNET $i -y -j ACCEPT

done



# TCP - OUTGOING CONNECTIONS

# We ACCEPT all outgoing TCP connection requests on allowed TCP ports.

for i in $TCPOUT

do

  $IPCHAINS -A input -p tcp -i $OURDEV -d $ANYADDR $i -y -j ACCEPT

done



# UDP - INCOMING

# We will allow UDP datagrams in on the allowed ports.

for i in $UDPIN

do

  $IPCHAINS -A input -p udp -i $ANYDEV -d $OURNET $i -j ACCEPT

done

# UDP - OUTGOING

# We will allow UDP datagrams out on the allowed ports.

for i in $UDPOUT

do

  $IPCHAINS -A input -p udp -i $OURDEV -d $ANYADDR $i -j ACCEPT

done



# ICMP - INCOMING

# We will allow ICMP datagrams in of the allowed types.

for i in $ICMPIN

do

  $IPCHAINS -A input -p icmp -i $ANYDEV -d $OURNET $i -j ACCEPT

done



# ICMP - OUTGOING

# We will allow ICMP datagrams out of the allowed types.

for i in $ICMPOUT

do

  $IPCHAINS -A input -p icmp -i $OURDEV -d $ANYADDR $i -j ACCEPT

done



# DEFAULT and LOGGING

# All remaining datagrams fall through to the default

# rule and are dropped. They will be logged if you've

# configured the LOGGING variable above.

#

if [ "$LOGGING" ]

then

        # Log barred TCP

        $IPCHAINS -A input -p tcp -l -j REJECT



        # Log barred UDP

        $IPCHAINS -A input -p udp -l -j REJECT



        # Log barred ICMP

        $IPCHAINS -A input -p icmp -l -j REJECT

fi

#

# end.

 

 

Or this one??

http://www.linux.se/doc/nag2/x-087-2-firewall.example.html

[AA]

##########################################################################

# IPCHAINS VERSION

# This sample configuration is for a single host firewall configuration

# with no services supported by the firewall machine itself.

##########################################################################

 

You see, this machine is running other services...

 

Let me be more exect... I want the command i should give to block all traffic to 1 ip address, because I am getting a lot of spyware and possible browser hijack attempts from that ip.!!!

[Guest anon]

http://www.google.com/search?hl=en&lr=&ie=...G=Google+Search

[AA]

Someone in IRC told me what to do.

 

Thanx anyway..!!

[aru]

Someone in IRC told me what to do.

 

Thanx anyway..!!

 

... maybe if you have some time you can post here the answer to your question so in the future some others might benefit from it.

[AA]

I guess I could do that...!!!

 

 /sbin/ipchains -A input "-i ppp0" -s <IP TO DENY FROM> -p all -j DENY -l

 

 leave out the -i ppp0

if u want it on all interfaces

 

[Gowator]

Thanks AA, as it happens Ill be installing e-smith tonite

 

Its on a P100 so we'll see how it performs.

[AA]

As it happens I'll be removing e-smith tonight....!!!

 

Do yourself a favour and don't install it... It's a load of cryte....!!

[Gowator]

Well, Ill give it a 'limited' trial

It was recommended by a friend. Really all I need is a zero maintainance router and fw that will run on a P100.

 

If you have any specifics to help me make up my mind though please post em...

[AA]

Well you can't just do something you always have to edit scripts which generate files... it doesnt have any compilers, half the needed libraries for basic apps arent there...

 

If you want a free GOOD high quality server that's lean.... DEBIAN..!!!

 

It's beautiful...!! saw quite a couple of debian firewall howtos this morning...!!

[Gowator]

i read a lot of the comments on CNET download.

People either love it or hate it.

 

I think its to do with expectations...

I don't wanna run any apps just a few daemons like http and basically use it as a firewall, no monitor/keyboard/screen. Possibly using the webmail part. Thats all I really want it to do.

 

I read lots of negaitve comments ranging from it not having any games to it wasn't Microsoft so must be crap but non of them seemed relevant to what I expected it to do.

[AA]

As a firewall it is very outdated.... still uses ipchains...!!!