List:       ipchains-list
Subject:    Re: Setting the default policy
From:       raf <raf () raf ! org>
Date:       2001-10-28 5:44:06

Carl King wrote:

> Hi,
> 
>     I am having a problem with setting policies. If I set the default 
> input policy:
> 
> ipchains -P input DENY
> 
> Then add some rules of acceptance:
> 
> ipchains -A input -p TCP -s $REMOTE_HOST -d $local_ip -i eth0 -j ACCEPT -y
> ipchains -A input -p UDP -s $REMOTE_HOST -d $local_ip -i eth0 -j ACCEPT
> ipchains -A input -p ICMP -s $REMOTE_HOST -d $local_ip -i eth0 -j ACCEPT
> (the variables here are only for illustration, I am using an ip address 
> in the real script)
> 
> I have found the default policy still denies the remote host connection 
> attempts. I am trying to allow only a couple of hosts to see the server 
> on the network by denying everything to all other PCs.
> 
> I have tried adding "ipchains -A input -p ALL -s 0/0 -j DENY" at the end 
> of the list with a default policy of ACCEPT and still cannot get into 
> the server as well.
> 
> I must be missing something in Rusty's HOWTO because the remote hosts 
> cannot connect to the server after running this either way. I am using 
> ipchains 1.3.9 on RHL6.1.

take the -y off the tcp rule. it's only allowing the connecting packet,
not subsequent packets. at least, that's what it looks like.

raf
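To make the reply's point concrete, here is an added toy model of ipchains first-match chain evaluation (example code written for this page, not ipchains itself, and not from either poster). It keeps only the fields that matter for the bug (protocol, source, the -y SYN-only flag) and drops -d and -i; the addresses and packets are constructed samples.

```python
"""Toy model of ipchains first-match evaluation, showing why a TCP ACCEPT
rule carrying -y (SYN-only) admits the connection request but denies the
rest of the connection under a default DENY policy."""
from dataclasses import dataclass

REMOTE_HOST = "192.0.2.10"   # constructed sample address for $REMOTE_HOST

@dataclass
class Rule:
    proto: str              # "TCP", "UDP", "ICMP" or "ALL"
    src: str                # source address, or "0/0" for any
    target: str             # "ACCEPT" or "DENY"
    syn_only: bool = False  # the -y flag: match only packets with SYN set and ACK clear

def matches(rule, pkt):
    if rule.proto != "ALL" and rule.proto != pkt["proto"]:
        return False
    if rule.src != "0/0" and rule.src != pkt["src"]:
        return False
    if rule.syn_only and not (pkt.get("syn") and not pkt.get("ack")):
        return False
    return True

def verdict(chain, policy, pkt):
    """Walk the chain in order; the first matching rule decides,
    otherwise the chain's default policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

# The poster's input chain: default DENY, with the TCP accept limited by -y.
CHAIN_WITH_Y = [Rule("TCP", REMOTE_HOST, "ACCEPT", syn_only=True),
                Rule("UDP", REMOTE_HOST, "ACCEPT"),
                Rule("ICMP", REMOTE_HOST, "ACCEPT")]
# The same chain with -y removed, as the reply suggests.
CHAIN_NO_Y = [Rule("TCP", REMOTE_HOST, "ACCEPT"), *CHAIN_WITH_Y[1:]]

# Inbound half of one TCP connection from the remote host (constructed packets).
SYN  = {"proto": "TCP", "src": REMOTE_HOST, "syn": True,  "ack": False}  # connection request
ACK  = {"proto": "TCP", "src": REMOTE_HOST, "syn": False, "ack": True}   # third handshake packet
DATA = {"proto": "TCP", "src": REMOTE_HOST, "syn": False, "ack": True}   # subsequent data segment

def connection_verdicts(chain, policy="DENY"):
    return [verdict(chain, policy, p) for p in (SYN, ACK, DATA)]

if __name__ == "__main__":
    print("with -y   :", connection_verdicts(CHAIN_WITH_Y))  # ['ACCEPT', 'DENY', 'DENY']
    print("without -y:", connection_verdicts(CHAIN_NO_Y))    # ['ACCEPT', 'ACCEPT', 'ACCEPT']
```

With -y only the initial SYN passes and the handshake never completes; without it, every packet from the allowed host is accepted while other sources still fall through to the DENY policy.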
