[H-GEN] Ipchains

Willie Yeo willie at ssc.qld.edu.au
Wed Apr 26 02:19:31 EDT 2000


[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics.  Please observe the list's charter.          ]

On Sun, 23 Apr 2000, yh tan wrote:

> .Query 1.
> i need some advice on the Forward Policy ruling. let's say i'm MASQ the
> traffic from 10.10.10.0/24 to anywhere. and i would like to deny some
> forwarding request, for example, outgoing FTP. If my output & input are on
> already in ACCEPT mode.
> 
> On the forward chain: do i first insert MASQ rule, then the deny ftp rule,
> then the allow all others? is this sequence appropriate?

	Well, when you do a MASQ to forward, it will take on the machine's
IP address. So all input and output chains are already ACCEPTing.

	You can then bar outgoing FTP in the forward chain.

	ipchains -A forward -p tcp -s 10.10.10.0/24 21 -d 0/0 -j DENY

> like to hear your different opinions on ipchains.

	I tend to DENY all then allow whatever I want.

> .Query 2.
> the input ftp request has some problem establishing the "data socket". is it
> gotta do with the unprivilege ports?

	Well, you banned your output FTP, i.e. input ftp requests goes in,
and then the acknowledgement cannot be sent out as the output is banned.


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.



More information about the General mailing list