[LON-CAPA-dev] ipchains configuration

Martin Siegert lon-capa-dev@mail.lon-capa.org
Thu, 23 May 2002 10:18:33 -0700

Hi there,

our loncapa server (dalton.chem.sfu.ca) is pounded for more than a week
now by port scans, etc., from one particular ip address.
In order to solve this problem once and for all I like to switch on
ipchains on dalton. Is there a "standard" ipchains configuration file
that works with loncapa?
If not, which ports are needed for loncapa besides 80?

The list I came upwith so far:

ssh: port 22 tcp from everywhere
ntp: port 123 udp from timeservers
http: port 80 tcp from everywhere
dns: port 53 tcp and udp from nameservers
nfs: all ports tcp and udp from nfs servers

anything else?

Thus would the following /etc/sysconfig/ipchains file break anything?

:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s <time.sfu.ca> -d 0/0 123 -p udp -j ACCEPT
-A input -s <name1.sfu.ca> 53 -d 0/0 -p udp -j ACCEPT
-A input -s <name2.sfu.ca> 53 -d 0/0 -p udp -j ACCEPT
-A input -s <nfs.sfu.ca> -d 0/0 -p udp -j ACCEPT
-A input -s <nfs.sfu.ca> -d 0/0 -p tcp -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT

where <time.sfu.ca> is the ip address of time.sfu.ca, <name1.sfu.ca> the
ip address of name1.sfu.ca, etc.

Thanks for the help.


Martin Siegert
Academic Computing Services                        phone: (604) 291-4691
Simon Fraser University                            fax:   (604) 291-4242
Burnaby, British Columbia                          email: siegert@sfu.ca
Canada  V5A 1S6