#1
Contributing User (Devshed Newbie, 0 - 499 posts)
Join Date: Dec 2001 | Location: entlegen | Posts: 442 | Rep Power: 13

    I need to close all the ports except ...

    ports 80, 9090, 22041, 22031 in Red Hat 7.1.
    Show me in detail, as I am moving my Linux box into co-location.

    thanks!
    regards,

    I wish to use an AT89C51 single-chip computer to do remote sensing and send the data back from the woods to the office via a Nokia 3330 and the Internet. HOW?
    First I must revise C programming through examples; what's next?
#2

#3
Wiking
Devshed Expert (3500 - 3999 posts)
Join Date: Sep 2000 | Location: Sweden | Posts: 3,608 | Rep Power: 26
    It's so much easier to be spoon fed...

    //NoXcuz
    UN*X is sexy!
    who | grep -i blonde | date; cd ~; unzip; touch; strip; finger; mount; gasp; yes; uptime; umount; sleep
#4
Contributing User (Devshed Newbie, 0 - 499 posts)
Join Date: Dec 2001 | Location: entlegen | Posts: 442 | Rep Power: 13
    I found something like this. Can you tell me if this is suitable in a co-location environment? There will be no internal net, just a router from the data center, ONE IP and ONE gateway.


    #! /bin/sh
    #
    # Minimal ipchains startup rules for a Linux 2.2.x based firewall.
    # (c)2000 Manfred Bartz <md-linux@logi.cc>
    # This file is subject to the GPL <http://www.gnu.org/copyleft/gpl.html>
    #
    # Use numeric IP addresses here. Most systems cannot do DNS lookups
    # at the time the firewall is initialised.
    #
    # Absolutely no responsibility for *anything* accepted,
    # use at your own risk.
    # Nonetheless, these rules provide a starting point and should allow
    # basic internet access for all systems on your LAN while also
    # providing basic security.
    # For single PCs (no LAN) leave out the ``forward'' stuff.
    #
    # Assumptions:
    # Local network is 192.168.1.0/24
    # Local interface is eth0
    # Internet interface is eth1 (yours may be ppp0, etc...)
    #
    # Read your logs if something doesn't work

    #= startup ======================================================

    # setting a policy of DENY before flushing the chains should make the
    # firewall fail in a safe way if something goes wrong further down in
    # this script.

    ipchains -P input DENY
    ipchains -F input

    ipchains -P forward DENY
    ipchains -F forward

    # this assumes we trust internal users:
    ipchains -P output ACCEPT
    ipchains -F output


    #= input ========================================================

    # Turn on Source Address Verification so our network cannot be
    # used for IP address spoofing
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

    #- local ------------------------------------------
    # Private LAN is trusted (is this acceptable for your site?)
    ipchains -A input -i eth0 -j ACCEPT

    # loopback: all packets with src and dst matching appear here,
    # not just the ones addressed to 127.0.0.1.
    ipchains -A input -i lo -j ACCEPT


    #- Internet ---------------------------------------
    # accept DHCP
    ipchains -A input -i eth1 -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT

    # The order in which rules are added to a chain is very important!
    # The most specific rules come first, the most general rule (catchall)
    # goes last. Incorrect order can lead to disaster!

    ## Here you can add rules to allow specific IP addresses or subnets to
    ## connect to your gateway. E.g. I run sshd on my home PC and want to
    ## be able to log in from my office at work:
    ##
    ## Allow mywork.com (123.123.123.123) into sshd
    ## log initial connect:
    #ipchains -A input -i eth1 -p tcp -s 123.123.123.123 -d 0/0 22 --syn -j ACCEPT --log
    ## don't log remaining traffic for that connection
    #ipchains -A input -i eth1 -p tcp -s 123.123.123.123 -d 0/0 22 ! --syn -j ACCEPT

    # block access to NFS specifically (if you have it), do the same
    # with any other services using ports above 1023 (e.g. X11).
    # Check with: netstat -tupan
    ipchains -A input -i eth1 -p udp -d 0/0 2049 -j DENY --log
    ipchains -A input -i eth1 -p tcp -d 0/0 2049 -j DENY --log

    # block access to X11 specifically (if you have it). See above.
    ipchains -A input -i eth1 -p udp -d 0/0 6000:6063 -j DENY --log
    ipchains -A input -i eth1 -p tcp -d 0/0 6000:6063 -j DENY --log

    # block ALL access to privileged ports (below 1024)
    ipchains -A input -i eth1 -p tcp -d 0/0 0:1023 -j DENY --log
    ipchains -A input -i eth1 -p udp -d 0/0 0:1023 -j DENY --log

    # The privileged ports (<1024) are now blocked

    # Allow all TCP except incoming connections (no packets with
    # SYN=1,ACK=0).
    # Blocking incoming connections causes problems only with ftp in active
    # mode, so use it in passive mode, that is much safer.
    ipchains -A input -i eth1 -p tcp -d 0/0 1024:65535 ! --syn -j ACCEPT

    # Accept DNS. This rule is not necessary if you enable all UDP above
    # port 1023 (see below). Also, filtering on a remote port is next to
    # useless because you don't control it. If you know your ISP's
    # nameserver address, put that after the ``-s'' instead of the ``0/0''.
    # If you have multiple nameservers have a rule for each one.
    ipchains -A input -i eth1 -p udp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT

    # Allow all UDP above 1023 but make doubly sure that you don't have
    # unprotected UDP servers in this port range.
    # If this is uncommented, then you don't need the DNS rule above.
    ipchains -A input -i eth1 -p udp --dport 1024:65535 -j ACCEPT

    # ICMP, Internet interface only:
    # This is needed for error conditions and Path-MTU discovery:
    for t in echo-reply \
             destination-unreachable \
             time-exceeded \
             parameter-problem
    do
        ipchains -A input -i eth1 -p icmp --icmp-type $t -j ACCEPT
    done

    # ICMP, all other interfaces:
    ipchains -A input -i ! eth1 -p icmp -j ACCEPT

    # The input default policy blocks everything that doesn't match any
    # rule, but it doesn't give us log messages. That is why we use a
    # catch-all so we can see what is going on:
    ipchains -A input -j DENY --log


    #= output =======================================================

    #- Internet ---------------------------------------
    # Our private network addresses should never appear on the Internet
    ipchains -A output -i eth1 -d 192.168.0.0/16 -j REJECT


    #= forward ======================================================
    # you can load kernel modules for masquerading here if necessary,
    # for example:
    #modprobe ip_masq_irc

    # turn on forwarding (better to use sysctl, refer to man sysctl)
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # only masquerade if it's from us and goes out to the Internet
    ipchains -A forward -i eth1 -s 192.168.1.0/24 -j MASQ

    # The forward default policy blocks everything that doesn't match any
    # rule, but it doesn't give us log messages. That is why we use a
    # catch-all rule so we can see what is going on:
    ipchains -A forward -j REJECT --log



    After testing the system at scan.sygatetech.com on their very good scanner, it seems that this is either not working, or I'm missing something.
    regards,


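As an added example (this is not part of the thread and not Manfred Bartz's script), here is a ruleset generator for the situation post #1 and post #4 describe: a single-homed colocated host with one NIC, one public IP and no LAN behind it, which should answer only on ports 80, 9090, 22031 and 22041. Because there is nothing to route for, the forward chain and masquerading are dropped entirely and ip_forward is switched off. The interface name eth0, the assumption that all four services are TCP, and the APPLY/IFACE/OPEN_TCP variables are this example's own choices, not anything the thread states. The script prints the ipchains commands so you can read them before they touch the box; run it with APPLY=1 as root to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: generate an ipchains ruleset for a
# single-homed colocated host (one NIC, one public IP, no LAN behind it,
# so no forward/masquerade rules at all).
# Assumptions (hypothetical): the public interface is eth0 and the
# published services are TCP 80, 9090, 22031 and 22041.
# The rules are printed, not applied; run   APPLY=1 sh thisfile   as root
# on the box to feed them to ipchains.

IFACE="${IFACE:-eth0}"
# Put the port sshd listens on in here too, or the catch-all locks you out.
OPEN_TCP="${OPEN_TCP:-80 9090 22031 22041}"

# gen_rules IFACE "PORT PORT ..."  -> one ipchains command per line
gen_rules() {
    iface="$1"
    ports="$2"

    # Fail closed: the DENY policy is set *before* the chains are flushed.
    echo "ipchains -P input DENY"
    echo "ipchains -F input"
    echo "ipchains -P forward DENY"
    echo "ipchains -F forward"
    echo "ipchains -P output ACCEPT"
    echo "ipchains -F output"
    # Nothing to route for: forwarding stays off, source verification on.
    echo "echo 0 > /proc/sys/net/ipv4/ip_forward"
    echo "for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > \$f; done"

    echo "ipchains -A input -i lo -j ACCEPT"

    # Private and loopback source addresses cannot legitimately arrive
    # from the Internet: log and drop them (spoofing attempts).
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        echo "ipchains -A input -i $iface -s $net -j DENY --log"
    done

    # Published services: log each connection attempt (the SYN), then let
    # the rest of that conversation through without logging.
    for p in $ports; do
        echo "ipchains -A input -i $iface -p tcp -d 0/0 $p --syn -j ACCEPT --log"
        echo "ipchains -A input -i $iface -p tcp -d 0/0 $p ! --syn -j ACCEPT"
    done

    # Replies to connections this host opened (non-SYN TCP to high ports),
    # DNS answers, and the ICMP types needed for errors and Path-MTU.
    echo "ipchains -A input -i $iface -p tcp -d 0/0 1024:65535 ! --syn -j ACCEPT"
    echo "ipchains -A input -i $iface -p udp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT"
    for t in echo-reply destination-unreachable time-exceeded parameter-problem; do
        echo "ipchains -A input -i $iface -p icmp --icmp-type $t -j ACCEPT"
    done

    # Everything else, every other privileged port included, is logged and
    # denied; the policy would deny it anyway, but silently.
    echo "ipchains -A input -j DENY --log"
}

# rule_count IFACE "PORTS" -> number of commands gen_rules would emit
rule_count() {
    gen_rules "$1" "$2" | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = 1 ]; then
    gen_rules "$IFACE" "$OPEN_TCP" | sh
else
    gen_rules "$IFACE" "$OPEN_TCP"
fi
```

Unlike the LAN script above, there is no "allow all UDP above 1023" rule here, because on a colocated box every listening UDP service is reachable from the whole Internet; if something does need UDP (an NTP client gets by with replies from source port 123 to a high port, like the DNS rule) add it explicitly. After applying, confirm with `netstat -tupan` that nothing else is listening, and scan the public address from outside: only the ports in OPEN_TCP should answer, and every other probe should show up as a logged DENY in the kernel log.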