# Sample /etc/ipchains.conf script
# by Eric von Bayer (Feb 2000)
#
# Layout used throughout this file (as far as it is visible here):
#   "group NAME { ... }" defines a named rule set.  A "g-*" group holds
#   matching rules (which source/interface) that hand off to an "a-*"
#   group; an "a-*" group holds the actions (ACCEPT/REJECT/DENY).
#   Entries are listed in the order they are evaluated, so the first
#   matching entry in a group decides -- order matters in every group
#   below.  The -s/-d/-p/-i options read like ipchains options.
#   NOTE(review): the exact evaluation model (first match wins, what
#   happens when no entry of a group matches) is not shown here --
#   confirm against the tool that loads this file.
#   Terminology: REJECT answers with an ICMP error, DENY drops
#   silently (a-ban uses DENY, every other fallback uses REJECT).

# Local Network
# Reached from the input group for every packet NOT arriving on eth0
# (see "entry g-local -i ! eth0" below).  Everything on those
# interfaces is accepted without further checks, so any additional
# interface added to the host later is implicitly fully trusted.
group g-local {
    entry ACCEPT;
}

# Outside Network
# Applied to packets arriving on eth0.  Order is significant: banned
# sources are checked first, then LAN, then trusted networks, and
# only the remainder is treated as general public.
group g-net {
    entry g-ban;
    entry g-lan;
    entry g-trust;
    entry g-gen;
}

# Banned Networks
# Empty in this sample, so the a-ban actions below are never reached.
# Following the pattern of g-lan / g-trust, a banned source would be
# added here as an "entry a-ban -s <network>;" line.
group g-ban {
}

# Banned Network Actions
# DENY: the packet is dropped silently, no ICMP error is sent back.
group a-ban {
    entry DENY;
}

# Local Area Network
# NOTE(review): g-lan is evaluated for packets on eth0, which the
# comment above calls the "Outside Network".  If eth0 faces the
# Internet, packets claiming a 192.168.0.0/16 source cannot
# legitimately arrive there and should be treated as spoofed (dropped
# via g-ban) rather than accepted here -- confirm which role eth0 has
# on the host this is deployed on.
group g-lan {
    # Local Network (reserved via RFC1597)
    # The whole /16 is trusted, not just the subnet actually in use.
    entry a-lan -s 192.168.0.0/255.255.0.0;
    # Work Computer
    # A host name rather than an address: it has to be resolved when
    # the rules are loaded, so the rule depends on DNS being available
    # and answering correctly at that moment, and it will not follow
    # a later address change until the rules are reloaded.
    entry a-lan -s some.computer.mydomain.org;
}

# Local Area Network Actions
# Unconditional accept for anything matched by g-lan.
group a-lan {
    entry ACCEPT;
}

# Trusted Networks
group g-trust {
    # Network 1
    entry a-trust -s 172.16.1.0/255.255.255.0;
    # Network 2
    entry a-trust -s 172.16.23.0/255.255.255.0;
    # A couple trusted servers
    entry a-trust -s 172.16.42.42;
    entry a-trust -s 10.162.45.1;
}

# Trusted Network Actions
# Two administration services (linuxconf, swat) are refused even for
# trusted sources; everything else from them is accepted.  Both
# REJECT lines must stay above the final ACCEPT to have any effect.
group a-trust {
    entry REJECT -d 0/0 linuxconf -p tcp;
    entry REJECT -d 0/0 swat -p tcp;
    entry ACCEPT;
}

# General Public
group g-gen {
    entry a-gen;
}

# General Public Actions
# Allow list for sources that matched none of the groups above,
# i.e. anyone on eth0.  Only the final "entry REJECT" keeps this from
# being open; every ACCEPT line before it is reachable from anywhere.
group a-gen {
    # All ICMP types, not only echo/unreachable.
    entry ACCEPT -p icmp;
    entry ACCEPT -d 0/0 ftp -p tcp;
    entry ACCEPT -d 0/0 ftp-data -p tcp;
    entry REJECT -d 0/0 cfinger -p tcp;
    # Destination ports 1024 and above ("1024:" is an open-ended port
    # range).  ipchains has no connection tracking, so this is the
    # usual way of letting replies to outgoing connections back in --
    # but it also admits NEW inbound connections to every service
    # listening on an unprivileged port (X11, databases, proxies,
    # RPC services, ...).
    # NOTE(review): ipchains can match the TCP SYN flag (-y); a rule
    # restricting the tcp line to non-SYN packets would keep the
    # reply traffic while refusing new inbound connections -- confirm
    # that this file format passes such an option through.
    entry ACCEPT -d 0/0 1024: -p udp;
    entry ACCEPT -d 0/0 1024: -p tcp;
    # telnet is an unencrypted login service exposed to everyone on
    # eth0 here; credentials travel in clear text.
    entry ACCEPT -d 0/0 telnet -p tcp;
    entry ACCEPT -d 0/0 smtp -p tcp;
    entry ACCEPT -d 0/0 time -p tcp;
    entry ACCEPT -d 0/0 time -p udp;
    entry ACCEPT -d 0/0 domain -p udp;
    entry ACCEPT -d 0/0 domain -p tcp;
    entry ACCEPT -d 0/0 nameserver -p tcp;
    entry ACCEPT -d 0/0 www -p tcp;
    # NOTE(review): no UDP service is expected on the www and https
    # ports; the two udp lines look unintended and could be dropped.
    entry ACCEPT -d 0/0 www -p udp;
    entry ACCEPT -d 0/0 https -p tcp;
    entry ACCEPT -d 0/0 https -p udp;
    entry ACCEPT -d 0/0 kerberos -p tcp;
    entry ACCEPT -d 0/0 kerberos -p udp;
    # Default for the public: refuse with an ICMP error.
    entry REJECT;
}

# NOTE: Keep the top level rules here so we don't
# accidentally reject any packets we shouldn't in case
# of error, etc...

# Incoming Packets
# Top-level dispatch on the inbound interface: everything that is not
# eth0 goes to g-local (accept all), eth0 goes to g-net, and anything
# that falls through both is rejected.
group input {
    entry g-local -i ! eth0;
    entry g-net -i eth0;
    entry REJECT;
}

# Incoming Packets to Forward
# Forwarding is accepted unconditionally.  This only matters if the
# kernel has IP forwarding enabled, but then any transit traffic
# between the host's interfaces passes with no filtering at all.
group forward {
    entry ACCEPT;
}

# Outgoing Packets
# No outbound filtering; the "option" lines only tag traffic.
# NOTE(review): MinDelay/MaxThrough/MaxRely/MinCost read like the
# IP type-of-service names ipchains uses for its -t option -- confirm
# that is what "option" maps to in this file format.
group output {
    # Rules to set the priority of the outgoing packets
    option MinDelay -d 0/0 telnet -p tcp;
    option MinDelay -d 0/0 ftp -p tcp;
    option MaxThrough -s 0/0 ftp-data -p tcp;
    # option MaxRely -d 0/0 snmp -p tcp;
    option MinCost -d 0/0 nntp -p tcp;
    entry ACCEPT;
}