
[linux-users:77263] Re: how to shut off all ports with ipchains(was Re: Re: $B!

$BHwA0$G$9!#5$NO2sI|$;$:$J$N$G$6$C$/$j$H!#(B

At Wed, 6 Dec 2000 08:19:27 +0900,
MATSUDA Yoh-ichi / $B>>EDM[0l(B <matsuda _at_ palnet.or.jp> wrote:

> $B:GDc8B!"30It$X$N%5!<%S%9$r9T$&I,MW$,L5$$$J$i!"ITMW$J%]!<%H$OJD$a(B
> $B$J$1$l$P$J$i$J$$$H;W$$$^$9!#(B

$B30It$X%5!<%S%9$r9T$J$&>l9g$@$C$F!"ITMW$J(Bport$B$O3+$1$F$*$/$Y$-$G$O$"$j$^(B
$B$;$s(B($BMH$2B-.8B$N$b$N$rL@<(E*$K5v2D!#$=$l0J30$r5qH]!#(B

$B$G9M$($F$$$^$9!#$=$l$H!"=gHV$r>/$7F~$lBX$($F$$$^$9!#(B

> # ppp-in $B%A%'%$%s$N@_Dj(B (ipchains-mini-HOWTO $B$h$j(B)
> /sbin/ipchains -N ppp-in
> /sbin/ipchains -A input -i ppp0 -j ppp-in

$B$3$l$K2C$($F(B

# Dedicated chain for traffic leaving over the dial-up link, mirroring the
# ppp-in chain: every packet on the output path of ppp0 is handed to ppp-out.
# Note: ipchains -N fails if the chain already exists (e.g. on a re-run), so
# an init script should flush/delete ppp-out first.
/sbin/ipchains --new-chain ppp-out
/sbin/ipchains --append output --interface ppp0 --jump ppp-out


> # $B%]!<%H(B 6000, 7000 $B$r(B DENY
> /sbin/ipchains -A ppp-in -p tcp -s 0/0 -d $PPP_LOCAL 6000 -j DENY -l
> /sbin/ipchains -A ppp-in -p tcp -s 0/0 -d $PPP_LOCAL 7000 -j DENY -l

$B$3$N8e$N@_Dj$r9M$($k$H!"$A$g$C$H0UL#$,$o$+$j$^$;$s!#(B

> # ip $B56Au$r(B DENY
> /sbin/ipchains -A ppp-in -s 192.168.10.0/24 -j DENY -l

$B$3$3$O!"%W%i%$%Y!<%H%"%I%l%9NN0hA4$F$KBP$7$F9T$J$C$?J}$,$$$$$G$9!#(B

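# Anti-spoofing on the inbound PPP chain: a packet from the Internet can never
# legitimately carry an RFC 1918 source address, a loopback source, or our own
# PPP address as source -- drop and log all of them.
# ipchains is first-match, so these rules must sit above every ACCEPT in ppp-in.
# (-s 0/0 is the default, so a source is only given where it matters.)
ipchains -A ppp-in -s 10.0.0.0/8     -j DENY -l
ipchains -A ppp-in -s 172.16.0.0/12  -j DENY -l
ipchains -A ppp-in -s 192.168.0.0/16 -j DENY -l
ipchains -A ppp-in -s 127.0.0.0/8    -j DENY -l
ipchains -A ppp-in -s $PPP_LOCAL     -j DENY -l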

$B$=$l$+$i!"Ev$?$jA0$G$9$,!"%W%i%$%Y!<%H08$N%Q%1%C%H$,30$K=P$F9T$/$N$bL/(B
$B$G$9$+$i!";_$a$^$9!#(B

# Outbound counterpart of the anti-spoof rules: nothing addressed to RFC 1918
# space may leave via ppp0.  A routing mistake would otherwise hand LAN
# traffic to the ISP, so these are logged as well.
for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    ipchains --append ppp-out --source 0/0 --destination $net --jump DENY --log
done

$B$=$l$+$i!"(BWindows$B$,%m!<%+%k%M%C%H$K$$$k$N$J$i!"(B

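# Keep Windows file/printer sharing from leaking out over the dial-up link:
# NetBIOS name/datagram/session service (137-139) on both UDP and TCP.
# Port 445 (SMB direct hosting, used by Windows 2000) carries the same traffic
# without NetBIOS and is blocked for the same reason.
# Deliberately no -l: a Windows LAN emits this constantly and would flood the log.
ipchains -A ppp-out -s 0/0 -d 0/0 137:139 -p udp -j DENY
ipchains -A ppp-out -s 0/0 -d 0/0 137:139 -p tcp -j DENY
ipchains -A ppp-out -s 0/0 -d 0/0 445     -p udp -j DENY
ipchains -A ppp-out -s 0/0 -d 0/0 445     -p tcp -j DENY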

$B$OI,MW$G$7$g$&!#(B-l $B$O$&$k$5$$$N$G$"$($F$D$1$^$;$s!#(B

> # $B%]!<%H(B 1024$B!A(B65535 $B$N(B tcp syn $B%Q%1%C%H$r(B DENY
> /sbin/ipchains -A ppp-in -s 0/0 -d $PPP_LOCAL 1024:65535 -p tcp -y -j DENY -l

$B$3$l2?$@$+$h$/$o$+$i$J$$$s$G$9$,!"FC8"%]!<%H$X$N@\B3$O5v2D$9$k$s$G$9$+(B? 
$B$D$^$j!"30It$+$i$N@\B3$r5v2D$9$k%G!<%b%s$,%@%$%d%k%"%C%W%k!<%?%^%7%s>e(B
$B$GF0$$$F$k$C$F$3$H$G$7$g$&$+!#$@$H$7$?$i!"FC8"%]!<%HA4$F$r3+$1$k$h$&$J(B
$B$3$H$O$;$:!"I,MW$J%]!<%H$N$_$rL@<($7$F3+$1$k$Y$-$@$H;W$$$^$9!#(B

Web$B%5!<%S%9$rN)$F$k>l9g(B
# Public web server: anyone may open TCP connections to port 80 on the PPP address.
# Must precede the catch-all SYN DENY below (first-match).
/sbin/ipchains --append ppp-in --protocol tcp --source 0/0 --destination $PPP_LOCAL 80 --jump ACCEPT

sshd$B$rN)$F$k>l9g(B
# Remote shell: TCP port 22 on the PPP address, open to the whole Internet.
# If the administrator always connects from known addresses, narrowing
# --source to them is the single most effective hardening of this rule.
/sbin/ipchains --append ppp-in --protocol tcp --source 0/0 --destination $PPP_LOCAL 22 --jump ACCEPT

$B$G!"$=$l0J30A4It$N(BSYN$B$rC!$-Mn$H$9(B
# Catch-all: every TCP connection attempt (SYN set, ACK/FIN clear) to the PPP
# address that was not explicitly accepted above is dropped and logged.
# Order matters -- this must come after the per-service ACCEPT rules.
# Caveat: ipchains is stateless; this only stops connection *attempts*.  Non-SYN
# segments (ACK/FIN probes) are judged by the later rules, not by this one.
/sbin/ipchains --append ppp-in --protocol tcp --syn --source 0/0 --destination $PPP_LOCAL --jump DENY --log

> # $B%]!<%H(B 1024$B!A(B65535 $B$N(B syn $B%Q%1%C%H0J30$N(B tcp $B%Q%1%C%H$r(B ACCEPT
> /sbin/ipchains -A ppp-in -s 0/0 -d $PPP_LOCAL 1024:65535 -p tcp ! -y -j ACCEPT

$B$3$l$O$^$!!"$=$&$$$&%]%j%7!<$J$i$$$$$s$8$c$J$$$G$7$g$&$+!#(B

> # $B%]!<%H(B 1024$B!A(B65535 $B$N(B udp $B%Q%1%C%H$r(B ACCEPT
> # $B$3$l$r;XDj$7$J$$$H(B DNS $B;2>H$,$G$-$J$$(B
> /sbin/ipchains -A ppp-in -s 0/0 -d $PPP_LOCAL 1024:65535 -p udp -j ACCEPT

$B@h$N%a!<%k$K=q$$$?$h$&$K!"(BDNS$B;2>H$N$?$a$@$1$@$C$?$i(B
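# DNS replies only: UDP from source port 53 to an unprivileged local port.
# (Binary is "ipchains" -- the original line had a typo, "ipchain".)
# RESOLVER defaults to 0/0 so behaviour is unchanged when it is unset; set it to
# the name server from /etc/resolv.conf to close the gap that otherwise lets any
# host reach every high UDP port simply by sending from source port 53.
/sbin/ipchains -A ppp-in -s ${RESOLVER:-0/0} 53 -d $PPP_LOCAL 1024:65535 -p udp -j ACCEPT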

> # ssh $B$r(B ACCEPT
> /sbin/ipchains -A ppp-in -p tcp -s 0/0 -d 0/0 ssh -j ACCEPT

$B$3$l$O>e$K=q$-$^$7$?(B($B=q$-J}$H0U?^$,$A$g$C$H0c$&$1$I(B)$B!#(B

> /sbin/ipchains -A ppp-in -p udp -s 0/0 -d 0/0 ssh -j ACCEPT

$B$3$l$O$$$j$^$;$s!#(B

> # $B0lIt$N(B pop server $B$N0Y$K(B auth $B$r(B ACCEPT
> /sbin/ipchains -A ppp-in -p tcp -s 0/0 -d 0/0 auth -j ACCEPT

$B$3$l$C$F!"(Bidentd $B$,N)$C$F$k$C$F$3$H$J$s$G$9$+(B? $B%@%$%d%k%"%C%W%f!<%6$,(B
$BN)$F$k$h$&$J$b$N$G$O$J$$$h$&$K$b;W$$$^$9$,!#(B

> # ntp $B$r(B ACCEPT
> /sbin/ipchains -A ppp-in -p tcp -s 0/0 -d 0/0 ntp -j ACCEPT
> /sbin/ipchains -A ppp-in -p udp -s 0/0 -d 0/0 ntp -j ACCEPT

ntpd $B$H(B ntpdate $B$r;H$$!"$+$D(B ntpdate -d $B$r;H$o$J$$$N$G$"$l$P(B

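# NTP: UDP 123 -> 123 between peers (what ntpd / ntpdate without -d use).
# NTP_SERVER defaults to 0/0 so behaviour is unchanged when unset; set it to the
# time server actually queried so that arbitrary hosts cannot reach UDP 123.
/sbin/ipchains -A ppp-in -s ${NTP_SERVER:-0/0} 123 -d $PPP_LOCAL 123 -p udp -j ACCEPT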

$B$G$$$$$O$:$G$9!#$5$i$K!";2>H$7$F$$$k(BNTP$B%5!<%P$,7h$^$C$F$$$k$N$G$"$l$P!"(B
$B;OE@(BIP$B%"%I%l%9$rL@<($7$F$b$$$$$+$b$7$l$^$;$s!#(B

> # ping $B$r(B ACCEPT
> /sbin/ipchains -A ppp-in -p icmp -s 0/0 echo-reply -d 0/0 -j ACCEPT
> 
> # "destination unreachable" $B$r(B ACCEPT
> /sbin/ipchains -A ppp-in -p icmp -s 0/0 destination-unreachable -d 0/0 -j ACCEPT
> 
> # ping $B$r(B ACCEPT
> /sbin/ipchains -A ppp-in -p icmp -s 0/0 echo-request -d 0/0 -j ACCEPT
> 
> # traceroute $B$r(B ACCEPT
> /sbin/ipchains -A ppp-in -p icmp -s 0/0 time-exceeded -d 0/0 -j ACCEPT

$B$3$N$"$?$j$O$^$!9%$_$G$9$M!#%;%-%e%j%F%#E*$K$ODL$5$J$$J}$,$$$$$h$&$K$b(B
$B;W$$$^$9$,!"MxJX@-$OMn$A$^$9!#(B

> # $B>e5-0J30$O(B DENY
> /sbin/ipchains -A ppp-in -j DENY -l

$B4pK\$G$9$M(B :-)

> $B$3$3$Ge5-@_Dj$G!"(B
>     $B!&(Bssh, auth, ntp $B0J30$N(B well-known $B%]!<%H$rJD$a$?(B
>     $B!&(B1024$BHV0J9_$N%]!<%H$O(B SYN $B%Q%1%C%H$r%V%m%C%/$9$k$h$&$K$7$?(B
>     $B$H;W$$$^$9$,!">e5-FbMF$K2?=h$+ITHw$O$"$k$G$7$g$&$+(B?

$B$H$$$&$o$1$G!"$6$C$/$j8!>Z$7$F$_$^$7$?!#$C$F!"$"$/$^$G;W9MZ$9$k$N$G$"$l$P!"A4It$K(B -l $B$r$D$1!"$5$i$K(B tcpdump $B$J$>(B
$B$r6n;H$7$D$D!"(Bnmap$B$d(Bnessus$B$r$+$1$k$3$H$K$J$k$G$7$g$&!#Z:n6H$r$7$F$$$^$9!#(B


-- $BHwA0(B $BC#Lp(B
   *.doc/*.xls/*.ppt/*.mdb/HTML$B%a!<%k$OFI$^$:$K




$B$3$N>pJs$,$"$J$?$NC5$7$F$$$?$b$N$+$I$&$+A*Br$7$F$/$@$5$$!#(B
yes/$B$^$5$K$3$l$@!*(B   no/$B0c$&$J$!(B   part/$B0lIt8+$D$+$C$?(B   try/$B$3$l$G;n$7$F$_$k(B

$B$"$J$?$,C5$7$F$$$?>pJs$O$I$N$h$&$J$3$H$+!"$4<+M3$K5-F~2<$5$$!#FC$K!V$^$5$K$3$l$@!*!W$H8@$&>l9g$O5-F~$r$*4j$$$7$^$9!#(B
$BNc(B:$B!VJ#?t$N%^%7%s$+$i(BCATV$B7PM3$G(Bipmasquerade$B$rMxMQ$7$F(BWeb$B$r;2>H$7$?$$>l9g$N@_Dj$K$D$$$F!W(B
Follow-Ups: References: