Re: [SLUG] packet filtering using ipchains

From: Derek Glidden (dglidden@illusionary.com)
Date: Wed Jul 25 2001 - 11:21:29 EDT


Travis Walls wrote:
>

> Here is what i would like to do:
>
> Deny everything at first.
> Allow programs that i need to use access to the internet.
> Allow services to contact the internet that are required by the system.

Unfortunately, doing this with ipchains with the setup you have:

> RedHat 7.1 box filtered using ipchains <-> Road Runner <-> Internet

will be extremely complicated, if not impossible.

ipchains doesn't have the "stateful inspection" capabilities that
iptables does, so you'll have to explicitly allow out *every port* that
*anything* will ever need to talk out on, and any ports that you want to
allow in will have to be explicitly allowed in.

Restricting all incoming traffic is very easy:

ipchains -A INPUT -j DENY

but it's not as simple as that. This will prevent *any* packet from
*ever* reaching your box from the outside - this rule will let packets
go out (say, for Web browsing) but the return packets will never get
back to you. It's a one-way street, which is probably *not* what you
are looking for.

Since a lot of services bind to random ports above 1024 for
communicating outbound (for example, your web browser will bind to a
random high-number port on your end, and send data to port 80 on the
other end) there is no way to predict what ports you'll have to allow
back in for any particular session on any particular service, unless you
simply say "allow all ports over 1024 back in" which is not very secure.

This is one of the things that the IPMASQ module does for you - it keeps
track of all those outbound connections and allows the return packets
for those sessions back in even if you're not allowing anything else
in. Except you can't use IPMASQ in your situation - you need another
box in between to do the masquerading and tracking of those sessions.

If you use iptables, however, what you want to do is extremely simple:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP

which says "Allow packets that are part of an established session back
in, but drop everything else."

In either case (ipchains or iptables) if you want to also restrict
outbound packets, just start with:

iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
iptables -A OUTPUT -j DROP

or

ipchains -A OUTPUT -l -j DENY

then watch /var/log/messages to see what packets are being dropped, and
start adding rules that explicitly allow particular types of packets.
You'll have to know what *destination* port certain types of protocols
use to be able to do the filtering - you won't be filtering on source
ports.

So the conclusion here is: you'll have to use iptables if you want to do
this.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#!/usr/bin/perl -w
$_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;$t=255;@t=map
{$_%16or$t^=$c^=($m=(11,10,116,100,11,122,20,100)[$_/16%8])&110;
$t^=(72,@z=(64,72,$a^=12*($_%16-2?0:$m&17)),$b^=$_%64?12:0,@z)
[$_%8]}(16..271);if((@a=unx"C*",$_)[20]&48){$h=5;$_=unxb24,join
"",@b=map{xB8,unxb8,chr($_^$a[--$h+84])}@ARGV;s/...$/1$&/;$d=
unxV,xb25,$_;$e=256|(ord$b[4])<<9|ord$b[3];$d=$d>>8^($f=$t&($d
>>12^$d>>4^$d^$d/8))<<17,$e=$e>>8^($t&($g=($q=$e>>14&7^$e)^$q*
8^$q<<6))<<9,$_=$t[$_]^(($h>>=8)+=$f+(~$g&$t))for@a[128..$#a]}
print+x"C*",@a}';s/x/pack+/g;eval 

usage: qrpff 153 2 8 105 225 < /mnt/dvd/VOB_FILENAME \ | extract_mpeg2 | mpeg2dec -

http://www.eff.org/ http://www.opendvd.org/ http://www.cs.cmu.edu/~dst/DeCSS/Gallery/
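Added example, not part of the original post: a small Python model of the point the reply makes. The first two functions mimic a stateless ipchains ruleset (deny all INPUT, or "allow everything over 1024 back in") and a stateful iptables ruleset with ESTABLISHED-style connection tracking, run over a constructed packet sequence so you can see which verdicts differ. The third part parses the "OUTPUT DROP:" lines that the suggested LOG rule writes to /var/log/messages and turns them into candidate OUTPUT allow rules keyed on destination port. The packet tuples, hostnames, addresses and log lines are all constructed for this example; the log line layout follows the real iptables LOG format (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=).

```python
"""Stateless vs. stateful filtering model and OUTPUT DROP log summarizer.

Added example; not code from the original mailing-list post. All
addresses, packets and log lines below are constructed for illustration.
"""
import re
from collections import Counter

# A packet is (direction, proto, src_ip, sport, dst_ip, dport, tcp_flags).
# "out" leaves our box toward the Internet, "in" arrives from the Internet.
ME, WEB, ATTACKER = "10.0.0.5", "203.0.113.10", "198.51.100.7"  # constructed

# Constructed traffic: one outbound web request, its SYN/ACK reply, and
# two unsolicited inbound probes (one to a low port, one to a high port).
PACKETS = [
    ("out", "tcp", ME, 34567, WEB, 80, "S"),
    ("in", "tcp", WEB, 80, ME, 34567, "SA"),
    ("in", "tcp", ATTACKER, 4444, ME, 22, "S"),
    ("in", "tcp", ATTACKER, 4444, ME, 6000, "S"),
]


def stateless_filter(packets, allow_high_ports=False):
    """ipchains-style: no memory of sessions.

    With allow_high_ports=False this is 'ipchains -A INPUT -j DENY': the
    web reply is lost. With True it is 'allow all ports over 1024 back
    in': the reply gets through, but so does the probe to port 6000.
    """
    verdicts = []
    for direction, _proto, _src, _sport, _dst, dport, _flags in packets:
        if direction == "out":
            verdicts.append("ACCEPT")
        elif allow_high_ports and dport > 1024:
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DENY")
    return verdicts


def stateful_filter(packets):
    """iptables-style: remember outbound 5-tuples and accept only inbound
    packets that are the reverse of one (ESTABLISHED); drop the rest."""
    conntrack = set()
    verdicts = []
    for direction, proto, src, sport, dst, dport, _flags in packets:
        if direction == "out":
            conntrack.add((proto, src, sport, dst, dport))
            verdicts.append("ACCEPT")
        elif (proto, dst, dport, src, sport) in conntrack:
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP")
    return verdicts


# Constructed syslog lines in the layout iptables' LOG target produces.
LOG_LINES = [
    "Jul 25 11:21:29 rh71 kernel: OUTPUT DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=34567 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jul 25 11:21:30 rh71 kernel: OUTPUT DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=34568 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jul 25 11:21:31 rh71 kernel: OUTPUT DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.53 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=40001 DPT=53 LEN=44",
    "Jul 25 11:21:32 rh71 kernel: OUTPUT DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1",
    "Jul 25 11:21:33 rh71 kernel: INPUT DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=5 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
]

# Only OUTPUT DROP lines matter here; DPT= is absent for ICMP, so it is optional.
LOG_RE = re.compile(r"OUTPUT DROP: .*?DST=(\S+) .*?PROTO=(\w+)(?: .*?DPT=(\d+))?")


def summarize_output_drops(lines):
    """Count (proto, dport) pairs seen in OUTPUT DROP lines; dport is None
    for protocols without ports (ICMP)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        proto = m.group(2).lower()
        dport = int(m.group(3)) if m.group(3) else None
        counts[(proto, dport)] += 1
    return counts


def suggest_rules(counts):
    """Turn the summary into explicit iptables OUTPUT rules, most frequent
    first, keyed on destination port as the post recommends."""
    rules = []
    for (proto, dport), _n in sorted(counts.items(), key=lambda kv: -kv[1]):
        if dport is None:
            rules.append(f"iptables -A OUTPUT -p {proto} -j ACCEPT")
        else:
            rules.append(f"iptables -A OUTPUT -p {proto} --dport {dport} -j ACCEPT")
    return rules


if __name__ == "__main__":
    print("deny-all INPUT  :", stateless_filter(PACKETS))
    print("allow >1024 in  :", stateless_filter(PACKETS, allow_high_ports=True))
    print("stateful        :", stateful_filter(PACKETS))
    for rule in suggest_rules(summarize_output_drops(LOG_LINES)):
        print(rule)
```

Running it shows the three outcomes the post describes: deny-all loses the web server's reply, "allow over 1024" lets the reply and the probe to port 6000 through, and the stateful model accepts the reply while dropping both probes. The suggested rules are a starting point to review, not to apply blindly; a destination port tells you what the traffic looks like, not which program sent it.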



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:49:57 EDT