To: Yashy-Hack
Subject: [yh] basic ipchains firewall

After nmap'ing yourself, or doing it via Sek on IRC, you will have a list of open ports. The simplest/safest way is to close EVERYTHING. Unless you are *sure* you want a specific port open, it shouldn't be.

You can do (as root)

    # ipchains -L

to see your current firewall.

For testing purposes, you will want to try each of these lines manually. Once you have figured out how to make it perfect for your box, you can throw it in a script (I will assume you are using a bash shell). You do this by creating a file that starts with:

    #!/bin/sh
    # Lines starting with a # are comments; put a # in front of
    # any rule below that you want switched off.
    ipchains -A input -p TCP -d any/0 21 -j ACCEPT
    ipchains -A input -p TCP -d any/0 22 -j ACCEPT
    ipchains -A input -p TCP -d any/0 23 -j REJECT
    ipchains -A input -p TCP -d any/0 25 -j ACCEPT
    ipchains -A input -p TCP -d any/0 80 -j ACCEPT
    ipchains -A input -p TCP -d any/0 110 -j ACCEPT
    ipchains -A input -p TCP -d any/0 111 -j REJECT
    ipchains -A input -p TCP -d any/0 113 -j ACCEPT
    ipchains -A input -p TCP -d any/0 119 -j REJECT
    ipchains -A input -p TCP -d any/0 515 -j REJECT
    ipchains -A input -p TCP -d any/0 771 -j REJECT
    ipchains -A input -p TCP -d any/0 774 -j REJECT
    ipchains -A input -p TCP -d any/0 781 -j REJECT
    ipchains -A input -p TCP -d any/0 6000 -l -j REJECT
    # That is a basic firewall, covering the more common open ports.
    # This opens an ftp server, sshd, smtp, www, pop3 and ident. You probably
    # don't want all of these open.

Save that as a file, for example's sake "firew", and do

    $ chmod +x firew

You have now made it executable. Now try (as root, since ipchains needs it)

    $ ./firew

Remember that

    # ipchains -L

will show you your current firewall; you can use this to see if it worked.

-A specifies ADD a rule; substitute it with -D to delete a rule if you mess up.

-p TCP specifies the TCP protocol (duh!); you can replace it with UDP or ICMP (or leave out -p to match ALL of the above).

-d is the destination of the packet, and -s is the source of the packet. The number after it is the port; you can get a list of ports from /etc/services, or online at http://www.technotronic.com/tcpudp.html .

-j is what to do with the packet: ACCEPT will accept it, DENY will DENY it (normal firewall) and REJECT will drop it as it tries to come in.

-l will LOG every packet that matches that rule to syslog (/var/log/messages, probably).

Once you believe you have blocked everything, port scan yourself once again and see how successful you were. This of course is a basic firewall, and will be good enough to prevent several attacks.

If you get stuck, email me, or find me on IRC.

..Yashy - is it 8:30am already? ;)

- Yashinski

'If Bill Gates had a dime for every time Windows crashed...
... Oh wait a minute, he already does...' - Anonymous

_______
Yashy-Hack http://yashy.com/~monarc/
to unsubscribe: echo unsubscribe | mail yashy-hack-request@yashy.com
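As an added example (not part of the original post), here is a small sh script that turns the "close EVERYTHING unless you are sure" advice into a generated rule file: it reads nmap-style output for the ports it found open, ACCEPTs only the ports you list as wanted, REJECTs and logs the rest, and finishes with a catch-all DENY on new TCP connections. The wanted-port list, the function names and the scan output below are all constructed for the example; it only prints the rules, so you still review them and run the result as root.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an ipchains rule
# script from a port list; it does not call ipchains itself.

# Assumption: the only ports we are *sure* we want open are ssh and smtp.
WANTED="22 25"

# Constructed sample of "nmap localhost" output (port/proto state name).
SAMPLE_SCAN='21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
111/tcp  open  sunrpc
6000/tcp open  X11'

# gen_rules: read scan lines on stdin, emit an ipchains script on stdout.
# Wanted ports get ACCEPT; every other open port gets REJECT with -l so an
# attempt shows up in syslog. The last rule uses -y (match only packets
# that start a new TCP connection) so ports nmap did not list are closed
# too, while replies to your own outgoing connections still get through.
gen_rules() {
    echo '#!/bin/sh'
    echo 'ipchains -F input    # flush old input rules first'
    grep '/tcp *open' | while read -r portproto state name; do
        port=${portproto%%/*}
        action=REJECT
        for w in $WANTED; do
            [ "$port" = "$w" ] && action=ACCEPT
        done
        if [ "$action" = ACCEPT ]; then
            echo "ipchains -A input -p TCP -d any/0 $port -j ACCEPT   # $name"
        else
            echo "ipchains -A input -p TCP -d any/0 $port -l -j REJECT   # $name"
        fi
    done
    echo 'ipchains -A input -p TCP -y -l -j DENY   # any other new TCP connection'
}

# count_actions ACTION: number of generated rules ending in -j ACTION
# (a quick self-check before you trust the output).
count_actions() {
    printf '%s\n' "$SAMPLE_SCAN" | gen_rules | grep -c -- "-j $1"
}

# Print the generated script; redirect it into "firew" to use it.
printf '%s\n' "$SAMPLE_SCAN" | gen_rules
```

Feed it your own scan with `nmap localhost | ./gen.sh > firew`, then `chmod +x firew` and run it as root, followed by `ipchains -L` and another port scan to confirm.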