[LON-CAPA-dev] ipchains configuration
Martin Siegert
lon-capa-dev@mail.lon-capa.org
Thu, 23 May 2002 10:18:33 -0700
Hi there,
our loncapa server (dalton.chem.sfu.ca) has been pounded for more than a week
now by port scans, etc., from one particular IP address.
In order to solve this problem once and for all I would like to switch on
ipchains on dalton. Is there a "standard" ipchains configuration file
that works with loncapa?
If not, which ports are needed for loncapa besides 80?
The list I came up with so far:
ssh: port 22 tcp from everywhere
ntp: port 123 udp from timeservers
http: port 80 tcp from everywhere
dns: port 53 tcp and udp from nameservers
nfs: all ports tcp and udp from nfs servers
anything else?
Thus, would the following /etc/sysconfig/ipchains file break anything?
===</etc/sysconfig/ipchains>============================================
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s <time.sfu.ca> -d 0/0 123 -p udp -j ACCEPT
-A input -s <name1.sfu.ca> 53 -d 0/0 -p udp -j ACCEPT
-A input -s <name2.sfu.ca> 53 -d 0/0 -p udp -j ACCEPT
-A input -s <nfs.sfu.ca> -d 0/0 -p udp -j ACCEPT
-A input -s <nfs.sfu.ca> -d 0/0 -p tcp -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT
=======================================================================
where <time.sfu.ca> is the IP address of time.sfu.ca, <name1.sfu.ca> the
IP address of name1.sfu.ca, etc.
Thanks for the help.
Cheers,
Martin
========================================================================
Martin Siegert
Academic Computing Services phone: (604) 291-4691
Simon Fraser University fax: (604) 291-4242
Burnaby, British Columbia email: siegert@sfu.ca
Canada V5A 1S6
========================================================================
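The input chain proposed above, as an added first-match simulation (Python, hypothetical code that is not part of the original post or of LON-CAPA) with constructed stand-in addresses for the placeholder hosts; it shows which packets the posted rules would accept, reject, or pass through to the ACCEPT policy, which is the check one would want before loading the file.

```python
# Added example (hypothetical code, not part of the original post or of LON-CAPA):
# a first-match simulator for the posted input chain, to check what the rules
# do before loading them. Placeholder hosts get constructed stand-in addresses.
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in addresses for <time.sfu.ca>, <name1.sfu.ca>, etc.
TIME, NAME1, NAME2, NFS = "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"

@dataclass
class Rule:
    target: str                   # ACCEPT or REJECT
    proto: Optional[str] = None   # "tcp", "udp", or None for any protocol
    src: Optional[str] = None     # source host; None means 0/0
    sport: Optional[int] = None   # source port (the "-s host 53" form)
    dport: Optional[int] = None   # destination port (the "-d 0/0 22" form)
    iface: Optional[str] = None   # -i interface
    syn_only: bool = False        # -y: match only TCP packets with SYN set

# The posted input chain, in order; the chain policy is ACCEPT.
INPUT_CHAIN = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", proto="tcp", dport=22, syn_only=True),
    Rule("ACCEPT", proto="udp", src=TIME, dport=123),
    Rule("ACCEPT", proto="udp", src=NAME1, sport=53),
    Rule("ACCEPT", proto="udp", src=NAME2, sport=53),
    Rule("ACCEPT", proto="udp", src=NFS),
    Rule("ACCEPT", proto="tcp", src=NFS),
    Rule("ACCEPT", proto="tcp", dport=80, syn_only=True),
    Rule("REJECT", proto="tcp", syn_only=True),
    Rule("REJECT", proto="udp"),
]
POLICY = "ACCEPT"

def matches(r, proto, src, sport, dport, iface, syn):
    """True if the packet fields satisfy every selector the rule sets."""
    return ((r.iface is None or r.iface == iface)
            and (r.proto is None or r.proto == proto)
            and (r.src is None or r.src == src)
            and (r.sport is None or r.sport == sport)
            and (r.dport is None or r.dport == dport)
            and (not r.syn_only or (proto == "tcp" and syn)))

def verdict(proto, src, sport, dport, iface="eth0", syn=False):
    """ipchains semantics: the first matching rule decides, else the policy."""
    for r in INPUT_CHAIN:
        if matches(r, proto, src, sport, dport, iface, syn):
            return r.target
    return POLICY
```

Non-SYN TCP and all ICMP fall through to the ACCEPT policy, so this chain only refuses new inbound TCP connections and UDP from unlisted hosts; replies to connections the server opened itself are left alone.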