
Securing-Optimizing-RH-Linux-1_2_135
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 135

    ipchains -A input  -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l

    #217: 11011001    - a /5 would also cover 216 (already allocated), so 217-219 are spelled out as /8s
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l

    #223: 11011111    - /6 masks 220-223
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l

# ----------------------------------------------------------------------------
# ICMP

    #    To limit denial of service attacks based on ICMP floods, filter
    #    incoming Redirect (5); outgoing Destination Unreachable (3) can
    #    also be filtered to hide the host from inbound traceroute.
    #    Note, however, that blocking Destination Unreachable (3) entirely
    #    is not advisable: its code 4 (fragmentation needed) is what Path
    #    MTU discovery relies on to negotiate packet size.

    # For bi-directional ping.
    #     Message Types:  Echo_Reply (0),  Echo_Request (8)
    #     To prevent attacks, limit the src addresses to your ISP range.
    #
    # For outgoing traceroute.
    #     Message Types:  INCOMING Dest_Unreachable (3), Time_Exceeded (11)
    #     default UDP base: 33434 to base+nhops -1
    #
    # For incoming traceroute.
    #     Message Types:  OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
    #     To block this, deny OUTGOING 3 and 11

    #  0: echo-reply (pong)
    #  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
    #  4: source-quench
    #  5: redirect
    #  8: echo-request (ping)
    # 11: time-exceeded
    # 12: parameter-problem

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 0 -d $IPADDR -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 3 -d $IPADDR -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 4 -d $IPADDR -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 11 -d $IPADDR -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 12 -d $IPADDR -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
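The reserved-block list above spells every unused /8 out one rule at a time and works out the 217-219 and 220-223 masks by hand in binary in the comments. The following is an added example, not code from the book, that does that aggregation mechanically in POSIX sh: it collapses a run of first-octet /8 blocks into the fewest aligned CIDR prefixes (the same "largest aligned power of two that does not overshoot" reasoning the comments apply) and prints the matching ipchains DENY rules as text for pasting into the script. The function names are mine. One caveat for a current reader: the 113-126 and 217-223 ranges were unallocated by IANA when the book was written, but every IPv4 /8 has since been assigned, so these rules would now drop legitimate traffic; regenerate any such list from the current IANA registry, and on a modern kernel express it in iptables or nftables, since ipchains is long gone.

```shell
#!/bin/sh
# Added example (not from the book): aggregate first-octet /8 ranges into
# CIDR prefixes and emit ipchains DENY rules in the book's format.

# log2 of a power of two between 1 and 256
log2() {
    n=$1; b=0
    while [ "$n" -gt 1 ]; do n=$(( n / 2 )); b=$(( b + 1 )); done
    echo "$b"
}

# cidr_for_octet_range FIRST LAST
# Prints one CIDR block per line covering first octets FIRST..LAST.
# At each step take the largest power-of-two block that is aligned on its
# own size (start % size == 0) and does not run past LAST. A block of
# 2^k first octets is a /(8-k); e.g. 220-223 is 4 octets, so 220.0.0.0/6.
cidr_for_octet_range() {
    start=$1; last=$2
    while [ "$start" -le "$last" ]; do
        size=1
        while [ $(( start % (size * 2) )) -eq 0 ] \
              && [ $(( start + size * 2 - 1 )) -le "$last" ]; do
            size=$(( size * 2 ))
        done
        echo "$start.0.0.0/$(( 8 - $(log2 "$size") ))"
        start=$(( start + size ))
    done
}

# deny_rules_for_octet_range FIRST LAST
# Emits the rules as text (not executed), with the literal
# $EXTERNAL_INTERFACE reference the book's script uses.
deny_rules_for_octet_range() {
    for block in $(cidr_for_octet_range "$1" "$2"); do
        echo "ipchains -A input  -i \$EXTERNAL_INTERFACE -s $block -j DENY -l"
    done
}

# octet_covered OCTET FIRST LAST
# Returns 0 if a source address whose first octet is OCTET would match one
# of the generated blocks, using the same mask arithmetic the kernel does.
# This is the check behind the "/5 includes 216" comment: 216 must not match.
octet_covered() {
    octet=$1; first=$2; last=$3
    for block in $(cidr_for_octet_range "$first" "$last"); do
        net=${block%%.*}
        plen=${block##*/}
        size=$(( 1 << (8 - plen) ))
        if [ "$octet" -ge "$net" ] && [ "$octet" -lt $(( net + size )) ]; then
            return 0
        fi
    done
    return 1
}

# Stand-alone run: the book's two ranges.
cidr_for_octet_range 217 223
deny_rules_for_octet_range 113 126
```

For 217-223 the output is 217.0.0.0/8, 218.0.0.0/7 and 220.0.0.0/6, which agrees with the book's hand-derived masks while also merging 218-219 into a /7; for 113-126 the fourteen /8 rules collapse to six. The `octet_covered` check confirms 216 stays outside the 217-223 set, which is the whole reason the book avoids 216.0.0.0/5.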