[Dshield] IP Chains.

Clint Byrum cbyrum at erp.com
Wed Oct 17 19:27:00 GMT 2001


Donnie C. Moss wrote:

>All,
>
>Does any one know how to setup an ipchains rule that will allow only
>established connections through?  My goal is to close all ports not used
>(even those greater than 1024) but still allow traffic through them as a
>responce to a legimitate request.
>
Not really. Not "the right way". You can make a semi-stateful Linux 2.2 
firewall by utilizing some of the miscellaneous masq modules and such.. 
but its not worth the effort or flakiness. Upgrade to Linux 2.4, and use 
iptables with the ip_conntrack module. It will do what you want. 
iptables is also a lot more powerful than ipchains.

The downside is you'll have to port all those wonderful rules you've 
written for ipchains,  to iptables.

In the mean time, you CAN block all SYN's to invalid ports, which would 
prevent incoming connections, but not outgoing. This is done with the 
--syn or -y flag.

<snip>






More information about the list mailing list