[techtalk] Default Deny

Subba Rao subb3 at attglobal.net
Thu Jan 27 12:51:48 EST 2000


Hi,

I have been using ipchains for a while and am fairly comfortable with them.

Now my filtering needs are growing and becoming more specific. So, I decided
to impose the DENY policy as the default on the "input" chain (for the external
interface). After I DENY everything at first and try to implement the following
rule:

  1. Allow only specific subnets on the external interface to port X, on input chain.

I cannot go out to the Web nor resolve any DNS names. Mail will not go out.
My system does have a small DNS which forwards requests to my ISP's nameserver.
Nothing really works.

======= The default DENY Policy on input chain ======
        ipchains -P input DENY
        ipchains -A input -i lo -j ACCEPT
        ipchains -A input -i ppp0 -s 10.0.0.0/8 -l -j DENY
        ipchains -A input -i ppp0 -p TCP -s 0.0.0.0/0 -d $LOCALIP X -l -j ACCEPT

        ipchains -A input -i ppp0 -p UDP -s I.S.P.NS -d $LOCALIP 53 -j ACCEPT
        ipchains -A input -i ppp0 -p UDP -s I.S.P.NS1 -d $LOCALIP 53 -j ACCEPT

======= The default DENY Policy on input chain ======

Any idea how to use the default DENY policy and yet go out to the Internet and
use Internet services?

Subba Rao
subb3 at attglobal.net
http://pws.prserv.net/truemax/

 => Time is relative. Here is a new way to look at time. <=
http://www.smcinnovations.com
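An added example (not part of the original post) of the usual way to keep a default DENY input policy while still receiving replies for sessions the host itself opens: TCP replies are accepted because they never carry a bare SYN (`! -y`), and DNS answers from the ISP resolvers are accepted on the unprivileged ports a forwarding resolver actually sends queries from, rather than on port 53. The interface, addresses, subnet and port are constructed placeholders; setting IPCHAINS=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the original poster's ruleset. All addresses, the subnet
# and the service port below are constructed placeholders to be replaced.
IPCHAINS="${IPCHAINS:-ipchains}"              # set IPCHAINS=echo for a dry run
EXT_IF="${EXT_IF:-ppp0}"
LOCALIP="${LOCALIP:-192.0.2.10}"               # placeholder: this host's address
ISP_NS1="${ISP_NS1:-192.0.2.53}"               # placeholder: ISP resolver 1
ISP_NS2="${ISP_NS2:-192.0.2.54}"               # placeholder: ISP resolver 2
SERVICE_PORT="${SERVICE_PORT:-22}"             # the "port X" of the post
ALLOWED_NET="${ALLOWED_NET:-198.51.100.0/24}"  # placeholder: permitted subnet

apply_input_policy() {
    # Start from an empty chain with DENY as the default policy.
    "$IPCHAINS" -F input
    "$IPCHAINS" -P input DENY
    # Loopback is always accepted.
    "$IPCHAINS" -A input -i lo -j ACCEPT
    # Log and drop spoofed private-range sources arriving from outside.
    "$IPCHAINS" -A input -i "$EXT_IF" -s 10.0.0.0/8 -l -j DENY
    # Inbound service: only the allowed subnet may open connections to port X.
    "$IPCHAINS" -A input -i "$EXT_IF" -p tcp -s "$ALLOWED_NET" -d "$LOCALIP" "$SERVICE_PORT" -l -j ACCEPT
    # Replies to connections this host opened (web, mail, ...): a segment
    # without the SYN flag (! -y) cannot start a new connection, so accepting
    # it does not expose any listening service.
    "$IPCHAINS" -A input -i "$EXT_IF" -p tcp ! -y -d "$LOCALIP" -j ACCEPT
    # DNS answers from the ISP resolvers. Forwarded queries leave from an
    # unprivileged source port, so the answer is addressed to 1024:65535.
    for ns in "$ISP_NS1" "$ISP_NS2"; do
        "$IPCHAINS" -A input -i "$EXT_IF" -p udp -s "$ns" 53 -d "$LOCALIP" 1024:65535 -j ACCEPT
        "$IPCHAINS" -A input -i "$EXT_IF" -p tcp ! -y -s "$ns" 53 -d "$LOCALIP" -j ACCEPT
    done
    # ICMP errors (unreachable, fragmentation needed) keep sessions healthy.
    "$IPCHAINS" -A input -i "$EXT_IF" -p icmp -d "$LOCALIP" -j ACCEPT
    # Anything else would hit the DENY policy anyway; log it so it can be reviewed.
    "$IPCHAINS" -A input -i "$EXT_IF" -l -j DENY
}

# Number of commands a run emits; meaningful when IPCHAINS=echo.
rule_count() {
    apply_input_policy | wc -l | tr -d ' '
}
```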




************
techtalk at linuxchix.org   http://www.linuxchix.org