
List:       e-smith-devinfo
Subject:    Re: [e-smith-devinfo] Limiting pptp to terminal services only
From:       "Cyrus Bharda" <cyrus () langs ! net ! au>
Date:       2003-08-12 6:30:54


OK, correction found:

NO : before the port as this specifies a range, and I only want this
specific port so rule should now read:

ipchains -A input -s 192.168.0.210/220 ! 3389 -i ppp+ -j DENY -l

I'll get it right someday I hope, also I have looked at some custom rules on
this forum in various threads and some of them have -A and some have -I,
which should I use?

I know the difference, -A is add a rule, and -I is input a rule into the
current ruleset right?

Thanks again :-)

Cyrus Bharda

Cyrus Bharda wrote:
: OK Everyone,
:
: To bring you up to speed, I am trying to limit incoming pptp
: connections to only have access to port 3389, for full explanation
: please see:
:
: http://www.e-smith.org/bboard/read.php?f=3&i=34876&t=34797
:
: So, I just took a crash course in ipchains as I still use 5.5 (which
: can be found here
: http://www.contribs.org/contribs/cbharda/howto/IPCHAINS-HOWTO.htm and
: really is good reading, but somewhat outdated now that 5.6 runs on
: iptables :-)) and have come up with this rule:
:
: ipchains -A input -s 192.168.0.210/220 ! :3389 -i ppp+ -j DENY -l
:
: It's supposed to do this:
:
: Any packets coming from 192.168.0.210 through to 192.168.0.220 on any
: ports BUT 3389 from any ppp devices will be Denied.
:
: Is that right?
:
: here are my thoughts on it:
:
: 1. -A is to add it, but where I do not know yet :-) or should this be
: -I (as in capital i, just cause it looks like a lowercase L)?
: 2. I want any packets coming from the range of IP's so this makes
: this rule an input rule, hence the input argument
: 3. 192.168.0.210 to 192.168.0.220 is specified in /etc/pptpd.conf as
: the range I want to use, hence the 192.168.0.210/220
: 4. I want to block all ports but 3389, (which is the terminal service
: port), hence the ! :3389
: 5. the -i ppp+ part is to not block local connections on these ip's
: just those connecting through ppp devices, which really is not
: necessary, but just thought it might be nice, just in case a local
: computer grabs one of the assigned IP's for any reason.
: 6. -j DENY -l is there to drop the packet as if it never existed,
: note that if you have DENY logging turned on, you will see these
: denied packets in your /var/logs/messages log.
:
: Have I got that right?
:
: Is there anything I have missed, or not correctly used?
:
: Where about do I put this line? Obviously I need to make a template,
: but of which file, /etc/rd.d/init.d/masq ?
:
: Do I need to put it in a file, or once I have added it then that's it?
:
: Thanks again for your help!
:
: After I get this going I'll look at setting up a 5.6 test box so I
: can then work on an iptables rule :-) or if anyone out there could
: save me the time I would greatly appreciate it!
:
: Cyrus Bharda


--
Please report bugs to smebugs@mitel.com
Please mail smesecurity@mitel.com (only) to discuss security issues
Support for registered customers and partners to smesupport@mitel.com
To unsubscribe, e-mail: devinfo-unsubscribe@lists.e-smith.org
For additional commands, e-mail: devinfo-help@lists.e-smith.org
Searchable archive at http://www.mail-archive.com/devinfo%40lists.e-smith.org
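An added example, not code from this thread, that prints (rather than runs) the ipchains commands for what the rule above is trying to do. It assumes the same 192.168.0.210 to 192.168.0.220 PPTP pool and corrects three points: 192.168.0.210/220 is not a valid address/mask, so one rule pair is emitted per host; a port match needs -p tcp, and 3389 is the destination port on the server, so it belongs after -d, not after -s; and an explicit ACCEPT for TCP/3389 is appended ahead of a logged catch-all DENY, so the pair keeps its order when both are appended with -A (the pair must still sit above any rule that accepts ppp+ traffic, which is the -A versus -I question).

```shell
#!/bin/sh
# Added example, not from the thread. Only prints ipchains commands, so it
# runs anywhere; nothing touches the live firewall.

# gen_pptp_rules FIRST LAST
# Emits two rules for each host 192.168.0.FIRST .. 192.168.0.LAST:
#   1. ACCEPT TCP from that client, arriving on a ppp device, to dest port 3389
#   2. DENY (and log) anything else from that client on a ppp device
# Order matters: the ACCEPT must precede the DENY, and both must precede any
# broader ACCEPT for ppp+ traffic already in the input chain.
gen_pptp_rules() {
    first=$1
    last=$2
    host=$first
    while [ "$host" -le "$last" ]; do
        # Terminal Services only: port goes with -d (destination), needs -p tcp.
        printf 'ipchains -A input -s 192.168.0.%s -i ppp+ -p tcp -d 0.0.0.0/0 3389 -j ACCEPT\n' "$host"
        # Everything else from this client over ppp is dropped and logged
        # (shows up in /var/log/messages when DENY logging is on).
        printf 'ipchains -A input -s 192.168.0.%s -i ppp+ -j DENY -l\n' "$host"
        host=$((host + 1))
    done
}

# rule_count FIRST LAST -> number of rules gen_pptp_rules emits for that range
rule_count() {
    gen_pptp_rules "$1" "$2" | wc -l | tr -d ' '
}

# Print the full set for the pool discussed above (11 hosts, 22 rules).
gen_pptp_rules 210 220
```

Because 210..220 does not align to a CIDR block, per-host rules are the honest way to express the range with ipchains; review the printed output before pasting it into a template.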
