mamakap
02-10-2002, 12:40 PM
Hi,
Does anyone know how to install & configure IPchains on RaQ servers? I just want to make sure I know what I'm doing before I set up IPchains on my RaQ servers. :blush:
dutchie
02-10-2002, 01:06 PM
This is a compilation of 2 posts that described how to install ipchains. This is how I did it; I did not write this, just copied it from the original authors (I think most of it is from Shortfork..)
#Install ipchains
cd /usr/local
wget amail.co.uk/ipchains-1.3.10.tar.gz
tar zxvf ipchains-1.3.10.tar.gz
cd ipchains-1.3.10
make clean
make
make install
#now ipchains is installed on your cobalt.
If you log in as admin and su to root, type the following command, which will show you your output from ipchains...
cd /sbin
*IF* you've installed ipchains correctly, that is where the binary should now be located and properly installed.. from the /sbin folder type
ls
you should see ipchains there...
From that folder now type
./ipchains -L -v -n
and you will get the output of what ipchains is filtering or not filtering..
To make a longer story shorter.. take the below script and copy it to pico or whatever editor you use (watch any line breaks, not sure how this message board formats things, I can send it to you as a plain text file if this one does not work)
save this file as chains in /sbin. Now to execute your ipchains with the below mentioned rules (I've been running them on this server and two others with ZERO problems, has not killed the GUI in any way), while still in /sbin type
./chains
This will execute the script... now if you type
./ipchains -L -v -n
you will get the system output of the very restrictive set of rules as set in the script.
I'm assuming you are using the same two nameservers, if not, change the IP addresses that are before the port 53 entries to match your own. This allows you in and out to the NS here at RS..
This is the simplest way to implement ipchains that I've seen.. It allows access to only the following: port 21 for ftp, 22 for SSH, 81 for SSL, 80 for web service, 53 to ONLY those two addresses that need it, 25 for smtp, 110 for pop, and denies all else.. simple and about as safe as we'll get.
You can go further with this script and make it automatically executable during boot, but I'd not advise this. Just remember to go in and do it manually whenever you reboot. This way, if something *does* mess it up.. you'll be ok to just reboot and you will flush the rules..
By the way typing
./ipchains -F
will manually flush all the rules so you can type that after you type
./ipchains -L -v -n
./chains
again and see the difference and will know that your ipchains is active and turning away ALL the nasty little port sniffing bastards out there...
If you want this script to execute from anywhere, as in, if you log in as root.. you can redo it, remove all the ./ entries, save it in your /root folder and simply type
./chains and the same things will happen as above when logged in as admin and su'ing to root..
#!/bin/sh
# Note: this script does not flush first, so running ./chains twice appends every rule a second time;
# ./ipchains -F clears them before a re-run.
# TCP
# serve ftp for passive clients _ONLY_
./ipchains -A input -i eth0 -p tcp --destination-port 21 --syn -j ACCEPT -l
# serve ssh - 22
# (as posted, this rule opens 8777, not 22; set it to the port your sshd actually listens on)
./ipchains -A input -i eth0 -p tcp --destination-port 8777 --syn -j ACCEPT -l
# serve smtp - 25
./ipchains -A input -i eth0 -p tcp --destination-port 25 --syn -j ACCEPT
# serve http - 80
./ipchains -A input -i eth0 -p tcp --destination-port 80 --syn -j ACCEPT
# serve https admin - 81
./ipchains -A input -i eth0 -p tcp --destination-port 81 --syn -j ACCEPT -l
# serve pop3 - 110
./ipchains -A input -i eth0 -p tcp --destination-port 110 --syn -j ACCEPT
# disallow SYN on all else (new connections to any other TCP port, logged)
./ipchains -A input -i eth0 -p tcp --syn -j DENY -l
# allow existing TCP sessions to continue (non-SYN segments)
./ipchains -A input -i eth0 -p tcp -j ACCEPT
# UDP
# DNS response - only from the two nameservers (change these to your own if different)
./ipchains -A input -i eth0 -p udp --source 216.234.161.11 -j ACCEPT
./ipchains -A input -i eth0 -p udp --source 216.234.161.12 -j ACCEPT
# ICMP allowed
./ipchains -A input -i eth0 -p icmp -j ACCEPT
# disallow all else (catch-all, logged; the input chain's own policy is never changed by this script)
./ipchains -A input -i eth0 -j DENY -l

# run this from the shell in /sbin after saving the file above, not inside the script:
chmod 700 chains
This worked perfectly for me, but of course try it at your own risk.
Good luck!
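An added example, not from the post above: a small Python evaluator that applies ipchains' first-match semantics to the chains rules exactly as posted, so you can check what a given packet would get before loading the script on a box. Only the rule lines are copied from the post; the sample packets in the assertions are constructed, and the "policy" argument stands in for the kernel's default input policy, which the script never changes.

```python
# Rule lines of the "chains" script from the post above, copied verbatim
# (comment lines dropped); the packets this is queried with are constructed.
CHAINS = """\
./ipchains -A input -i eth0 -p tcp --destination-port 21 --syn -j ACCEPT -l
./ipchains -A input -i eth0 -p tcp --destination-port 8777 --syn -j ACCEPT -l
./ipchains -A input -i eth0 -p tcp --destination-port 25 --syn -j ACCEPT
./ipchains -A input -i eth0 -p tcp --destination-port 80 --syn -j ACCEPT
./ipchains -A input -i eth0 -p tcp --destination-port 81 --syn -j ACCEPT -l
./ipchains -A input -i eth0 -p tcp --destination-port 110 --syn -j ACCEPT
./ipchains -A input -i eth0 -p tcp --syn -j DENY -l
./ipchains -A input -i eth0 -p tcp -j ACCEPT
./ipchains -A input -i eth0 -p udp --source 216.234.161.11 -j ACCEPT
./ipchains -A input -i eth0 -p udp --source 216.234.161.12 -j ACCEPT
./ipchains -A input -i eth0 -p icmp -j ACCEPT
./ipchains -A input -i eth0 -j DENY -l
"""

def parse_rules(text):
    """Turn each './ipchains -A input ...' line into a dict, keeping chain order."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if toks[:3] != ["./ipchains", "-A", "input"]:
            continue
        r = {"proto": None, "dport": None, "src": None,
             "syn": "--syn" in toks, "log": "-l" in toks, "target": None}
        for i, t in enumerate(toks):
            if t == "-p": r["proto"] = toks[i + 1]
            elif t == "--destination-port": r["dport"] = int(toks[i + 1])
            elif t == "--source": r["src"] = toks[i + 1]
            elif t == "-j": r["target"] = toks[i + 1]
        rules.append(r)
    return rules

def verdict(rules, proto, dport=None, src=None, syn=False, policy="ACCEPT"):
    """First matching rule wins, as in ipchains. The script never sets a chain
    policy (-P), so an unmatched packet falls through to the kernel default."""
    for r in rules:
        if r["proto"] and r["proto"] != proto: continue
        if r["dport"] is not None and r["dport"] != dport: continue
        if r["src"] and r["src"] != src: continue
        if r["syn"] and not syn: continue  # --syn never matches an established segment
        return r["target"]
    return policy

def open_syn_ports(rules):
    """TCP ports on which a brand-new connection (SYN) is accepted."""
    return {r["dport"] for r in rules
            if r["proto"] == "tcp" and r["syn"] and r["target"] == "ACCEPT" and r["dport"]}
```

Querying port 22 with syn=True returns DENY while 8777 returns ACCEPT, which is the quickest way to catch the "serve ssh - 22" comment not matching its rule before locking yourself out; with an empty rule list (what ./ipchains -F leaves behind) everything returns the default policy.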
mamakap
02-10-2002, 01:19 PM
Thanks. By the way, this may sound stupid, :blush: but is it possible to convert a RaQ3 into a software-based firewall? :blush:
ellebi
02-11-2002, 12:25 PM
Yes, it's possible to turn a raq into a firewall.
You should check Astaro Security Linux (http://www.astaro.com/products/index.html).
This is an excerpt from the info:
Astaro Security Linux is a new firewall solution. It does stateful inspection packet filtering, content filtering, virus scanning, user authentication, VPN with IPSec, and much much more.
With its Web-based management tool WebAdmin and the ability to pull updates via the internet, it is pretty easy to administrate.
It is based on a special hardened Linux 2.4 distribution where most daemons are running in change-roots and are protected by capabilities.
It is distributed as a CDROM ISO-9660 image file and it needs a flash update of the Cobalt RaQ.
You can download it from:
ftp://ftp.astaro.com/pub/cobalt/
mamakap
02-11-2002, 01:16 PM
Wow :eek2: Thanks... and is it free??!! :eek: The download??!!
ellebi
02-11-2002, 02:03 PM
I don't know if it's free for all uses; for personal use, for sure. You have to pay if you want the automatic update, and for a license for the virus scanner if you want it.
mamakap
02-12-2002, 03:49 AM
Well I can give it a try... Thanks ;)
:D