[H-GEN] IP Tables Question
Andrew Pullin
andrew at hotspurbgc.com.au
Mon Sep 10 10:40:53 EDT 2007
Hi Guys (and Gals),
OK, I have had a little feedback: I made an error. I didn't mean IP Chains in
my last email, I meant IP Tables (I am not a noob, it has just been ages
since I had to worry about this sort of stuff). Here is my original email
with the amended info, which should make it make a bit more sense.
My ISP has decided that I need a new range of IP addresses since he has
changed over his addresses to a different range. I am quite confident in
changing the network over, but I am quite inexperienced in the use of IP
Tables.
When I set up my network, a friendly HUMBUGer assisted me in locking
down the system with IP Tables, and I have never had any problems, nor
needed to change the original configuration. Now I will need to change the
configuration, and being basically lazy (like many *nix users), I don't want
to learn (right now) the intricacies of IP Tables for just one job. I just
want a quick and dirty (but safe and secure) method to change the IP Tables
config file until I can get the time to learn it properly.
So my question is:
Can I do something simple like a search and replace of my new IP address
range for the old IP address range in the IP Tables config file, or do I
need to rebuild the file from some tool or some other convoluted method?
As I said, I only need to do this once, so I really don't want to spend
hours (days) researching this for one job. So if anyone can help, or if
anyone is willing to come over and spend half an hour in Zillmere/Aspley for
free or some small token fee (six pack of beer etc.), I would be most
appreciative. The change over will probably occur in the next week or so, so
I need to know soonish.
Network info (for those who asked)
Modem-Firewall
Firewall-private network
Unnecessary ports closed
protected by IP chains and IP tables
hosts.deny
    ALL : ALL
hosts.allow
    sshd : my subnet range (locked down from outside after a successful brute force penetration)
    sshd : 192.168.0.0/255.255.255.0
    in.telnetd : ALL (backup only - never used but always monitored)
    httpd : ALL
    #in.ftpd : ALL
    ALL : 127.0.0.1
    ALL : my subnet range
    ALL : 192.168.0.0/255.255.255.0
iptables v1.2.7a

iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
eth0-in    all  --  anywhere             anywhere
eth1-in    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
eth0-eth1  all  --  anywhere             anywhere
eth1-eth0  all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
eth0-out   all  --  anywhere             anywhere
eth1-out   all  --  anywhere             anywhere

Chain eth0-eth1 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED

Chain eth0-in (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:smtp flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https flags:SYN,RST,ACK/SYN

Chain eth0-out (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED
ACCEPT     icmp --  anywhere             anywhere             state NEW icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpts:traceroute:33524
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:smtp flags:SYN,RST,ACK/SYN

Chain eth1-eth0 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED
ACCEPT     all  --  anywhere             anywhere             state NEW

Chain eth1-in (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED
ACCEPT     all  --  anywhere             anywhere             state NEW

Chain eth1-out (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
I haven't got a clue what all that IP Tables stuff means, but it works
(hence my problem and questions). BTW, where is this info or the config file
stored? I had a quick look in etc, but it wasn't immediately recognisable,
but I may have missed it.
Thanks in advance
Cheers!
Andrew
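Added example, not part of the original message: the running iptables ruleset lives in the kernel rather than in a file under /etc, so the text to search and replace is the dump that iptables-save produces, and iptables-restore loads the edited dump back. The script below rewrites one range to another in such a dump (or in hosts.allow, which is a plain text file), escapes the dots so the match is exact, and shows a diff plus a count of leftover references before anything is restored; the ranges in it are constructed TEST-NET placeholders, not the poster's real addresses.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite one address range to
# another in a text dump of firewall rules (iptables-save output, hosts.allow)
# and show what changed before anything is loaded back into the kernel.
# Ranges used here are constructed TEST-NET placeholders, not the real ones.

escape_re() {
  # Escape the dots so 203.0.113.0/24 matches only itself as a regex,
  # not "203x0x113x0/24" or "2030011300/24"
  printf '%s' "$1" | sed 's/\./\\./g'
}

rewrite_subnet() {
  # usage: rewrite_subnet OLD NEW   (reads stdin, writes stdout)
  # '|' is the sed delimiter so the '/' in a range needs no escaping;
  # the replacement is an address, so it contains no '&' or '\'.
  old=$(escape_re "$1")
  sed "s|$old|$2|g"
}

count_refs() {
  # usage: count_refs RANGE   (reads stdin) -> lines still naming RANGE
  grep -c -F -- "$1" || true   # grep exits 1 on zero matches but still prints 0
}

migrate_rules() {
  # usage: migrate_rules OLD NEW in.rules out.rules
  # Writes the rewritten ruleset, prints a unified diff for review, and
  # reports lines still carrying the old range (should be 0 before restoring).
  rewrite_subnet "$1" "$2" < "$3" > "$4"
  diff -u "$3" "$4" || true      # diff exits 1 when the files differ
  echo "lines still naming $1: $(count_refs "$1" < "$4")"
}

sample_rules() {
  # Constructed iptables-save style dump used for the offline check below.
  printf '%s\n' \
    '*filter' \
    ':INPUT DROP [0:0]' \
    '-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT' \
    '-A INPUT -s 192.168.0.0/24 -j ACCEPT' \
    'COMMIT'
}

# On the firewall itself the flow is (not run here):
#   iptables-save > /root/rules.old
#   migrate_rules 203.0.113.0/24 198.51.100.0/24 /root/rules.old /root/rules.new
#   iptables-restore < /root/rules.new    # only after the diff looks right
# Offline demonstration on the constructed dump:
sample_rules | rewrite_subnet 203.0.113.0/24 198.51.100.0/24
```

Pass the range in the notation each file actually uses: iptables-save prints CIDR (192.168.0.0/24), while the hosts.allow above uses a dotted netmask (192.168.0.0/255.255.255.0).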