Forum OpenACS Q&A: Response to Up 18 months now only connects on port 22

Collapse
6: Response to Up 18 months now only connects on port 22 (response to 1)
Posted by Stan Kaufman on 08/05/02 11:07 PM
FWIW, here's the portion of my ipchains ruleset running on my firewall box for the servers in my DMZ (the vars $HTTPIP and $SMTPIP are the ip addresses of these servers; $DNSIP1 and $DNSIP2 are dns servers at my ISP).

This follows the "serious example" in the IPCHAINS-HOWTO here: http://www.tldp.org/HOWTO/IPCHAINS-HOWTO-7.html

I presume it would be trivial to convert this from ext-dmz and dmz-ext chains to input and output chains. HTH! 

# EXT to DMZ
#   SMTP to external
#   accept SMTP from internal and external
#   accept HTTP and SSL from internal and external

$IPCHAINS -A ext-dmz -p TCP --sport smtp -j ACCEPT
$IPCHAINS -A ext-dmz -p TCP --sport www -j ACCEPT
$IPCHAINS -A ext-dmz -p TCP -d $SMTPIP smtp -j ACCEPT
$IPCHAINS -A ext-dmz -p TCP -d $SMTPIP pop-3 -j ACCEPT
$IPCHAINS -A ext-dmz -p TCP -d $HTTPIP www -j ACCEPT
$IPCHAINS -A ext-dmz -p TCP -d $HTTPIP 443 -j ACCEPT
$IPCHAINS -A ext-dmz -p UDP -d $HTTPIP 443 -j ACCEPT
$IPCHAINS -A ext-dmz -p TCP --sport auth -j ACCEPT 
$IPCHAINS -A ext-dmz -p TCP -d $HTTPIP auth -j ACCEPT
$IPCHAINS -A ext-dmz -p TCP -s $DNSIP1 domain -j ACCEPT
$IPCHAINS -A ext-dmz -p UDP -s $DNSIP1 domain -j ACCEPT
$IPCHAINS -A ext-dmz -p TCP -s $DNSIP2 domain -j ACCEPT
$IPCHAINS -A ext-dmz -p UDP -s $DNSIP2 domain -j ACCEPT
# cvs
$IPCHAINS -A ext-dmz -p TCP --sport 2401 -j ACCEPT
$IPCHAINS -A ext-dmz -p UDP --sport 2401 -j ACCEPT
#
#$IPCHAINS -A ext-dmz -p ICMP --icmp-type ping -j ACCEPT 
$IPCHAINS -A ext-dmz -p ICMP --icmp-type pong -j ACCEPT 
$IPCHAINS -A ext-dmz -p ICMP -j icmp-acc 
$IPCHAINS -A ext-dmz -j DENY -l

# DMZ to EXT
#   allow SMTP to external
#   accept SMTP from external
#   accept HTTP and SSL from external

$IPCHAINS -A dmz-ext -p TCP -s $SMTPIP smtp -j ACCEPT
$IPCHAINS -A dmz-ext -p TCP --dport smtp -j ACCEPT
$IPCHAINS -A dmz-ext -p TCP -s $SMTPIP pop-3 -j ACCEPT
$IPCHAINS -A dmz-ext -p TCP --dport 113 -j ACCEPT
$IPCHAINS -A dmz-ext -p TCP -s $HTTPIP auth -j ACCEPT
$IPCHAINS -A dmz-ext -p TCP --dport www -j ACCEPT
$IPCHAINS -A dmz-ext -p TCP -s $HTTPIP www -j ACCEPT
$IPCHAINS -A dmz-ext -p TCP --dport ssh -j ACCEPT
$IPCHAINS -A dmz-ext -p TCP --dport ftp -j ACCEPT
$IPCHAINS -A dmz-ext -p TCP --dport ftp-data -j ACCEPT
$IPCHAINS -A dmz-ext -p TCP --dport 443 -j ACCEPT
$IPCHAINS -A dmz-ext -p UDP --dport 443 -j ACCEPT
#cvs
$IPCHAINS -A dmz-ext -p TCP --dport 2401 -j ACCEPT
$IPCHAINS -A dmz-ext -p UDP --dport 2401 -j ACCEPT
#
$IPCHAINS -A dmz-ext -p TCP -d $DNSIP1 53 -j ACCEPT
$IPCHAINS -A dmz-ext -p UDP -d $DNSIP1 53 -j ACCEPT
$IPCHAINS -A dmz-ext -p TCP -d $DNSIP2 53 -j ACCEPT
$IPCHAINS -A dmz-ext -p UDP -d $DNSIP2 53 -j ACCEPT
$IPCHAINS -A dmz-ext -p ICMP --icmp-type ping -j ACCEPT 
$IPCHAINS -A dmz-ext -p ICMP --icmp-type pong -j ACCEPT 
$IPCHAINS -A dmz-ext -p ICMP -j icmp-acc 
$IPCHAINS -A dmz-ext -j DENY -l