<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux IPCHAINS-HOWTO: A Serious Example.</TITLE>
<LINK HREF="IPCHAINS-HOWTO-8.html" REL=next>
<LINK HREF="IPCHAINS-HOWTO-6.html" REL=previous>
<LINK HREF="IPCHAINS-HOWTO.html#toc7" REL=contents>
</HEAD>
<BODY>
<A HREF="IPCHAINS-HOWTO-8.html">Next</A>
<A HREF="IPCHAINS-HOWTO-6.html">Previous</A>
<A HREF="IPCHAINS-HOWTO.html#toc7">Contents</A>
<HR>
<H2><A NAME="s7">7. A Serious Example.</A></H2>

<P>This example was extracted from the March 1999 LinuxWorld Tutorial
given by Michael Neuling and me; this is not the only way to solve the
given problem, but it is probably the simplest. I hope you will find it
informative.
<P>
<H2><A NAME="ss7.1">7.1 The Arrangement</A>
</H2>

<P>
<UL>
<LI> Masqueraded internal network (various operating systems), which
we call "GOOD".
</LI>
<LI> Exposed servers in a separate network (called "DMZ" for
Demilitarized Zone).
</LI>
<LI> PPP Connection to the Internet (called "BAD").</LI>
</UL>
<P>
<BLOCKQUOTE><CODE>
<PRE>
                         External Network (BAD)
                                   |
                                   |
                               ppp0|
                          ---------------
                          | 192.84.219.1|   Server Network (DMZ)
                          |             |eth0
                          |             |----------------------------------------------
                          |             |192.84.219.250    |              |           |
                          |             |                  |              |           |
                          |192.168.1.250|                  |              |           |
                          ---------------               --------      -------     -------
                            | eth1                      | SMTP |      | DNS |     | WWW |
                            |                           --------      -------     -------
                            |                        192.84.219.128  192.84.219.129  192.84.218.130
                            |
                            |
                      Internal Network (GOOD)
</PRE>
</CODE></BLOCKQUOTE>
<P>
<H2><A NAME="ss7.2">7.2 Goals</A>
</H2>

<P>Packet Filter box:
<DL>
<DT><B> PING any network</B><DD><P>This is really useful to tell if a machine is down.
<P>
<DT><B> TRACEROUTE any network </B><DD><P>Once again, useful for diagnosis.
<P>
<DT><B> Access DNS </B><DD><P>To make ping and traceroute more useful.
<P>
</DL>
<P>
<P>Within the DMZ:
<P>
<P>Mail server
<UL>
<LI> SMTP to external</LI>
<LI> Accept SMTP from internal and external</LI>
<LI> Accept POP-3 from internal</LI>
</UL>
<P>Name Server
<UL>
<LI> Send DNS to external</LI>
<LI> Accept DNS from internal, external and packet filter box</LI>
</UL>
<P>
<P>Web server
<UL>
<LI> Accept HTTP from internal and external</LI>
<LI> Rsync access from internal</LI>
</UL>
<P>
<P> Internal:
<DL>
<DT><B>Allow WWW, ftp, traceroute, ssh to external</B><DD><P>These are fairly standard things to allow: some places start by
allowing the internal machines to do just about everything, but here
we're being restrictive.
<P>
<DT><B> Allow SMTP to Mail server </B><DD><P>Obviously, we want them to be able to send mail out.
<P>
<DT><B> Allow POP-3 to Mail server </B><DD><P>This is how they read their mail.
<P>
<DT><B> Allow DNS to Name server </B><DD><P>They need to be able to look up external names for WWW, ftp,
traceroute and ssh.
<P>
<DT><B> Allow rsync to Web server </B><DD><P>This is how they synchronize the external web server with the
internal one.
<P>
<DT><B> Allow WWW to Web server </B><DD><P>Obviously, they should be able to connect to our external web server.
<P>
<DT><B> Allow ping to packet filter box </B><DD><P>This is a courteous thing to allow: it means that they can test if
the firewall box is down (so we don't get blamed if an external site
is broken).
<P>
</DL>
<P>
<H2><A NAME="ss7.3">7.3 Before Packet Filtering</A>
</H2>

<P>
<UL>
<LI> Anti-spoofing

<P>Since we don't have any asymmetric routing, we can simply turn on
anti-spoofing (reverse path filtering) for all interfaces.
<P>
<BLOCKQUOTE><CODE>
<PRE>
# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
</LI>
<LI> Set filtering rules to DENY all:

<P>We still allow local loopback traffic, but deny anything else.
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ipchains -A input -i ! lo -j DENY
# ipchains -A output -i ! lo -j DENY
# ipchains -A forward -j DENY
#
</PRE>
</CODE></BLOCKQUOTE>
<P>
</LI>
<LI> Set Up Interfaces

<P>This is usually done in the boot scripts. Make sure the above steps
are done before the interfaces are configured, to prevent packet
leakage in the window before the rules are set up.
<P>
</LI>
<LI> Insert per-protocol masquerading modules.
<P>We need to insert the masquerading module for FTP, so that active and
passive FTP `just work' from the internal network.
<P>
<BLOCKQUOTE><CODE>
<PRE>
# insmod ip_masq_ftp
#
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<H2><A NAME="ss7.4">7.4 Packet Filtering for Through Packets</A>
</H2>

<P>With masquerading, it's best to filter in the forward chain.
<P>
<P>Split the forward chain into user chains according to the source and
destination interfaces; this breaks the problem down into manageable chunks.
<P>
<BLOCKQUOTE><CODE>
<PRE>
ipchains -N good-dmz
ipchains -N bad-dmz
ipchains -N good-bad
ipchains -N dmz-good
ipchains -N dmz-bad
ipchains -N bad-good
</PRE>
</CODE></BLOCKQUOTE>
<P>ACCEPTing the standard error ICMPs is a common thing to do, so we create a
chain for it.
<P>
<BLOCKQUOTE><CODE>
<PRE>
ipchains -N icmp-acc
</PRE>
</CODE></BLOCKQUOTE>
<P>
<H3>Set Up Jumps From forward Chain</H3>

<P>Unfortunately, in the forward chain we only know the outgoing
interface. Thus, to figure out what interface the packet came in on,
we use the source address (the anti-spoofing enabled above prevents
address faking).
<P>
<P>Note that we log anything which doesn't match any of these (obviously,
this should never happen).
<P>
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A forward -s 192.168.1.0/24 -i eth0 -j good-dmz
ipchains -A forward -s 192.168.1.0/24 -i ppp0 -j good-bad
ipchains -A forward -s 192.84.219.0/24 -i ppp0 -j dmz-bad
ipchains -A forward -s 192.84.219.0/24 -i eth1 -j dmz-good
ipchains -A forward -i eth0 -j bad-dmz
ipchains -A forward -i eth1 -j bad-good
ipchains -A forward -j DENY -l
</PRE>
</CODE></BLOCKQUOTE>
<P>
<H3>Define the icmp-acc Chain</H3>

<P>Packets which are one of the error ICMPs get ACCEPTed; otherwise,
control passes back to the calling chain, which continues with its
next rule.
<P>
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
</PRE>
</CODE></BLOCKQUOTE>
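<P>The dispatch just described (source prefix plus outgoing interface picks a user chain; a user chain that reaches its end hands control back to the caller; the <CODE>! -y</CODE> match used later in the DMZ-to-internal rules admits only TCP packets without SYN) can be walked through without a kernel. The following Python model is an added example, not code from the HOWTO; it encodes a subset of this section's rules (the mail and name servers only, in the page's order) and reports the verdict the forward chain would reach for a constructed packet.

```python
from ipaddress import ip_address, ip_network

# Added model of the forward-chain dispatch in IPCHAINS-HOWTO 7.4 (not the HOWTO's
# code). Rule = (match-dict, target); packet = dict of src, dst, iface (outgoing
# interface), proto, sport, dport, syn and icmp_type, constructed by the caller.
def match(cond, pkt):
    for key, want in cond.items():
        if key in ("src", "dst"):          # host or prefix, like -s / -d
            if ip_address(pkt[key]) not in ip_network(want):
                return False
        elif key == "not_syn":             # '! -y': only packets without SYN
            if pkt.get("syn"):
                return False
        elif pkt.get(key) != want:         # -i, -p, port, --icmp-type
            return False
    return True

def run_chain(chains, name, pkt):
    """Walk one chain; None means a user chain ended without a verdict."""
    for cond, target in chains[name]:
        if not match(cond, pkt):
            continue
        if target in ("ACCEPT", "DENY", "REJECT", "MASQ"):
            return target
        verdict = run_chain(chains, target, pkt)   # jump into a user chain
        if verdict is not None:
            return verdict                         # otherwise fall through
    return None

MAIL, DNS = "192.84.219.128", "192.84.219.129"
ERRORS = ("destination-unreachable", "source-quench", "time-exceeded", "parameter-problem")
CHAINS = {   # subset of the HOWTO's rules (mail and name server only), same order
    "forward": [({"src": "192.168.1.0/24", "iface": "eth0"}, "good-dmz"),
                ({"src": "192.168.1.0/24", "iface": "ppp0"}, "good-bad"),
                ({"src": "192.84.219.0/24", "iface": "ppp0"}, "dmz-bad"),
                ({"src": "192.84.219.0/24", "iface": "eth1"}, "dmz-good"),
                ({"iface": "eth0"}, "bad-dmz"), ({"iface": "eth1"}, "bad-good"), ({}, "DENY")],
    "icmp-acc": [({"proto": "icmp", "icmp_type": t}, "ACCEPT") for t in ERRORS],
    "good-dmz": [({"proto": "tcp", "dst": MAIL, "dport": 25}, "ACCEPT"),
                 ({"proto": "tcp", "dst": MAIL, "dport": 110}, "ACCEPT"),
                 ({"proto": "icmp"}, "icmp-acc"), ({}, "DENY")],
    "bad-dmz": [({"proto": "tcp", "dst": MAIL, "dport": 25}, "ACCEPT"),
                ({"proto": "icmp"}, "icmp-acc"), ({}, "DENY")],
    "dmz-good": [({"proto": "tcp", "not_syn": True, "src": MAIL, "sport": 25}, "ACCEPT"),
                 ({"proto": "udp", "src": DNS, "sport": 53}, "ACCEPT"),
                 ({"proto": "icmp"}, "icmp-acc"), ({}, "DENY")],
    "good-bad": [({"proto": "tcp", "dport": 80}, "MASQ"), ({}, "REJECT")],
    "dmz-bad": [({"proto": "tcp", "src": MAIL, "sport": 25}, "ACCEPT"), ({}, "DENY")],
    "bad-good": [({}, "REJECT")],
}

def verdict(pkt):
    return run_chain(CHAINS, "forward", pkt)
```

An external echo-request to the mail server shows the fall-through: bad-dmz jumps to icmp-acc, nothing there matches, and the next bad-dmz rule denies it.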
<P>
<H3>Good (Internal) to DMZ (Servers)</H3>

<P>Internal restrictions:
<UL>
<LI> Allow WWW, ftp, traceroute, ssh to external</LI>
<LI> <B>Allow SMTP to Mail server</B></LI>
<LI> <B>Allow POP-3 to Mail server</B></LI>
<LI> <B>Allow DNS to Name server</B></LI>
<LI> <B>Allow rsync to Web server</B></LI>
<LI> <B>Allow WWW to Web server</B></LI>
<LI> Allow ping to packet filter box</LI>
</UL>
<P>We could do masquerading from the internal network into the DMZ, but
here we don't. Since no one in the internal network should be trying to do
evil things, we log any packets that get denied.
<P>
<P>Note that old versions of Debian called `pop3' `pop-3' in
/etc/services, which disagrees with RFC1700.
<P>
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A good-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT
ipchains -A good-dmz -p tcp -d 192.84.219.128 pop3 -j ACCEPT
ipchains -A good-dmz -p udp -d 192.84.219.129 domain -j ACCEPT
ipchains -A good-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT
ipchains -A good-dmz -p tcp -d 192.84.218.130 www -j ACCEPT
ipchains -A good-dmz -p tcp -d 192.84.218.130 rsync -j ACCEPT
ipchains -A good-dmz -p icmp -j icmp-acc
ipchains -A good-dmz -j DENY -l
</PRE>
</CODE></BLOCKQUOTE>
<P>
<H3>Bad (external) to DMZ (servers).</H3>

<P>
<UL>
<LI> DMZ restrictions:
<UL>
<LI> Mail server
<UL>
<LI> <B>SMTP to external</B></LI>
<LI> <B>Accept SMTP from</B> internal and <B>external</B></LI>
<LI> Accept POP-3 from internal</LI>
</UL>
</LI>
<LI> Name server
<UL>
<LI> <B>Send DNS to external</B></LI>
<LI> <B>Accept DNS from</B> internal, <B>external</B> and packet filter box</LI>
</UL>
</LI>
<LI> Web server
<UL>
<LI> <B>Accept HTTP from</B> internal and <B>external</B></LI>
<LI> Rsync access from internal</LI>
</UL>
</LI>
</UL>
</LI>
<LI> Things we allow from the external network to the DMZ.
<UL>
<LI> Don't log violations, as they may happen often.</LI>
</UL>
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A bad-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT
ipchains -A bad-dmz -p udp -d 192.84.219.129 domain -j ACCEPT
ipchains -A bad-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT
ipchains -A bad-dmz -p tcp -d 192.84.218.130 www -j ACCEPT
ipchains -A bad-dmz -p icmp -j icmp-acc
ipchains -A bad-dmz -j DENY
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<H3>Good (internal) to Bad (external).</H3>

<P>
<UL>
<LI> Internal restrictions:
<UL>
<LI> <B>Allow WWW, ftp, traceroute, ssh to external</B></LI>
<LI> Allow SMTP to Mail server</LI>
<LI> Allow POP-3 to Mail server</LI>
<LI> Allow DNS to Name server</LI>
<LI> Allow rsync to Web server</LI>
<LI> Allow WWW to Web server</LI>
<LI> Allow ping to packet filter box</LI>
</UL>
</LI>
<LI> Many people allow everything from the internal to external networks,
then add restrictions. We're being fascist.
<UL>
<LI> Log violations.</LI>
<LI> Passive FTP is handled by the masquerading module.</LI>
<LI> UDP destination ports 33434 and up are used by traceroute.</LI>
</UL>
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A good-bad -p tcp --dport www -j MASQ
ipchains -A good-bad -p tcp --dport ssh -j MASQ
ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
ipchains -A good-bad -p tcp --dport ftp -j MASQ
ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
ipchains -A good-bad -j REJECT -l
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<H3>DMZ to Good (internal).</H3>

<P>
<UL>
<LI> Internal restrictions:
<UL>
<LI> Allow WWW, ftp, traceroute, ssh to external</LI>
<LI> <B>Allow SMTP to Mail server</B></LI>
<LI> <B>Allow POP-3 to Mail server</B></LI>
<LI> <B>Allow DNS to Name server</B></LI>
<LI> <B>Allow rsync to Web server</B></LI>
<LI> <B>Allow WWW to Web server</B></LI>
<LI> Allow ping to packet filter box</LI>
</UL>
</LI>
<LI> If we were masquerading from the internal network to the DMZ, we could
simply refuse any packets coming the other way. As it is, we only allow
packets which might be part of an established connection: for TCP, those
without the SYN flag, which the <CODE>! -y</CODE> match selects.
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A dmz-good -p tcp ! -y -s 192.84.219.128 smtp -j ACCEPT
ipchains -A dmz-good -p udp -s 192.84.219.129 domain -j ACCEPT
ipchains -A dmz-good -p tcp ! -y -s 192.84.219.129 domain -j ACCEPT
ipchains -A dmz-good -p tcp ! -y -s 192.84.218.130 www -j ACCEPT
ipchains -A dmz-good -p tcp ! -y -s 192.84.218.130 rsync -j ACCEPT
ipchains -A dmz-good -p icmp -j icmp-acc
ipchains -A dmz-good -j DENY -l
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<H3>DMZ to bad (external).</H3>

<P>
<UL>
<LI> DMZ restrictions:
<UL>
<LI> Mail server
<UL>
<LI> <B>SMTP to external</B></LI>
<LI> <B>Accept SMTP from</B> internal and <B>external</B></LI>
<LI> Accept POP-3 from internal</LI>
</UL>
</LI>
<LI> Name server
<UL>
<LI> <B>Send DNS to external</B></LI>
<LI> <B>Accept DNS from</B> internal, <B>external</B> and packet filter box</LI>
</UL>
</LI>
<LI> Web server
<UL>
<LI> <B>Accept HTTP from</B> internal and <B>external</B></LI>
<LI> Rsync access from internal</LI>
</UL>
</LI>
</UL>
</LI>
<LI>
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A dmz-bad -p tcp -s 192.84.219.128 smtp -j ACCEPT
ipchains -A dmz-bad -p udp -s 192.84.219.129 domain -j ACCEPT
ipchains -A dmz-bad -p tcp -s 192.84.219.129 domain -j ACCEPT
ipchains -A dmz-bad -p tcp ! -y -s 192.84.218.130 www -j ACCEPT
ipchains -A dmz-bad -p icmp -j icmp-acc
ipchains -A dmz-bad -j DENY -l
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<H3>Bad (external) to Good (internal).</H3>

<P>
<UL>
<LI> We don't allow anything (non-masqueraded) from the external network
to the internal network.
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A bad-good -j REJECT
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<H3>Packet Filtering for the Linux Box Itself</H3>

<P>
<UL>
<LI> If we want to use packet filtering on packets coming into the box
itself, we need to do the filtering in the input chain. We create one
chain for each destination interface:
<BLOCKQUOTE><CODE>
<PRE>
ipchains -N bad-if
ipchains -N dmz-if
ipchains -N good-if
</PRE>
</CODE></BLOCKQUOTE>
</LI>
<LI> Create jumps to them, keyed on the box's own address on each interface:
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A input -d 192.84.219.1 -j bad-if
ipchains -A input -d 192.84.219.250 -j dmz-if
ipchains -A input -d 192.168.1.250 -j good-if
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<H3>Bad (external) interface.</H3>

<P>
<UL>
<LI> Packet Filter box:
<UL>
<LI> <B>PING any network</B></LI>
<LI> <B>TRACEROUTE any network</B></LI>
<LI> Access DNS</LI>
</UL>
</LI>
<LI> The external interface also receives replies to masqueraded packets
(masquerading uses source ports 61000 to 65095), ICMP errors for
them, and PING replies.
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A bad-if -i ! ppp0 -j DENY -l
ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A bad-if -j icmp-acc
ipchains -A bad-if -j DENY
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<H3>DMZ interface.</H3>

<P>
<UL>
<LI> Packet Filter box restrictions:
<UL>
<LI> <B>PING any network</B></LI>
<LI> <B>TRACEROUTE any network</B></LI>
<LI> <B>Access DNS</B></LI>
</UL>
</LI>
<LI> The DMZ interface receives DNS replies, ping replies and ICMP errors.
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A dmz-if -i ! eth0 -j DENY
ipchains -A dmz-if -p TCP ! -y -s 192.84.219.129 53 -j ACCEPT
ipchains -A dmz-if -p UDP -s 192.84.219.129 53 -j ACCEPT
ipchains -A dmz-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A dmz-if -j icmp-acc
ipchains -A dmz-if -j DENY -l
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<H3>Good (internal) interface.</H3>

<P>
<UL>
<LI> Packet Filter box restrictions:
<UL>
<LI> <B>PING any network</B></LI>
<LI> <B>TRACEROUTE any network</B></LI>
<LI> <B>Access DNS</B></LI>
</UL>
</LI>
<LI> Internal restrictions:
<UL>
<LI> Allow WWW, ftp, traceroute, ssh to external</LI>
<LI> Allow SMTP to Mail server</LI>
<LI> Allow POP-3 to Mail server</LI>
<LI> Allow DNS to Name server</LI>
<LI> Allow rsync to Web server</LI>
<LI> Allow WWW to Web server</LI>
<LI> <B>Allow ping to packet filter box</B></LI>
</UL>
</LI>
<LI> The internal interface receives pings, ping replies and ICMP errors.
<BLOCKQUOTE><CODE>
<PRE>
ipchains -A good-if -i ! eth1 -j DENY
ipchains -A good-if -p ICMP --icmp-type ping -j ACCEPT
ipchains -A good-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A good-if -j icmp-acc
ipchains -A good-if -j DENY -l
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<H2><A NAME="ss7.5">7.5 Finally</A>
</H2>

<P>
<UL>
<LI> Delete the blocking rules set up in section 7.3 (they are rule 1 in
each of the three built-in chains), which brings the new rule set into effect:
<BLOCKQUOTE><CODE>
<PRE>
ipchains -D input 1
ipchains -D forward 1
ipchains -D output 1
</PRE>
</CODE></BLOCKQUOTE>
</LI>
</UL>
<P>
<HR>
<A HREF="IPCHAINS-HOWTO-8.html">Next</A>
<A HREF="IPCHAINS-HOWTO-6.html">Previous</A>
<A HREF="IPCHAINS-HOWTO.html#toc7">Contents</A>
</BODY>
</HTML>