#############################################################
# Searchable Keywords: ipchains firewall iptables

-------- Older, not used very often: ipchains firewalling ------------

ipchains -L
ipchains -A Z-rules -j ACCEPT -p tcp --dport 8080
ipchains -L
netstat -an | more
ipchains -L
ipchains -D Z-rules 2
ipchains -L
ipchains -A Z-rules -j ACCEPT -p tcp --dport 8088
ipchains -L
ipchains -A Z-rules -j DROP -p tcp --dport 111      (ipchains has no DROP target; its equivalent is DENY, which is why this rule does not show up in the listing below)
ipchains -A Z-rules -j REJECT -p tcp --dport 111
ipchains -A Z-rules -j REJECT -p tcp --dport 678
ipchains -A Z-rules -j REJECT -p tcp --dport 683
ipchains -A Z-rules -j REJECT -p tcp --dport 945
ipchains -A Z-rules -j REJECT -p tcp --dport 1024
ipchains -L
ipchains -P input REJECT
ipchains -L

Similar to iptables; in fact it is the forerunner. I believe you use ipfwadm in conjunction with ipchains.

-- Results look like below --
# ipchains -L
Chain input (policy REJECT):
target     prot opt     source                destination           ports
Z-rules    all  ------  anywhere             anywhere              n/a

Chain forward (policy ACCEPT):

Chain output (policy ACCEPT):

Chain Z-rules (1 references):
target     prot opt     source                destination           ports
ACCEPT     tcp  ------  anywhere             anywhere              any ->   ssh
ACCEPT     tcp  ------  anywhere             anywhere              any ->   8088
REJECT     tcp  ------  anywhere             anywhere              any ->   sunrpc
REJECT     tcp  ------  anywhere             anywhere              any ->   678
REJECT     tcp  ------  anywhere             anywhere              any ->   683
REJECT     tcp  ------  anywhere             anywhere              any ->   945
REJECT     tcp  ------  anywhere             anywhere              any ->   1024

#---------------- Linux iptables rules/commands ---------------------#

Save the running rule set to a file. The file must be in iptables-save format (which is what iptables-restore reads); the listing printed by "iptables -L" cannot be reloaded:
# iptables-save > /etc/iptables_rules

IPTABLES rules that only allow ports 22, 443 and 8080 in but reject icmp (ping):

# more /etc/iptables_rules
# Generated by iptables-save v1.2.11 on Tue Aug 14 14:08:03 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:70]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Aug 14 14:08:03 2007

Display running rule set:
# iptables -L
Chain INPUT (policy ACCEPT)
target               prot opt source      destination
RH-Firewall-1-INPUT  all  --  anywhere    anywhere

Chain FORWARD (policy ACCEPT)
target               prot opt source      destination
RH-Firewall-1-INPUT  all  --  anywhere    anywhere

Chain OUTPUT (policy ACCEPT)
target               prot opt source      destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:ssh
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:webcache
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:https
ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED
REJECT     all  --  anywhere    anywhere    reject-with icmp-host-prohibited

Reloading or reinstalling the iptables rule set:
If you edit the /etc/iptables_rules file you saved above, you can reload the newly edited rules with the following command (the whole table is replaced in one atomic operation):
# iptables-restore /etc/iptables_rules

#---------------------- Commands -------------------------------#
iptables -L                                       <--- List existing chains/targets/protocols (add --line-numbers to see rule numbers)
iptables -A INPUT -j DROP -s 172.23.18.20         <--- Append a rule to drop packets from source 172.23.18.20 (-A needs a chain name such as INPUT)... well, maybe not............
iptables -A OUTPUT -j REJECT -s 172.23.18.20 -d 172.23.12.50
iptables -F [chain]                               <--- Flush (delete) all rules in a chain, or in every chain if none is given. To delete one rule by number use: iptables -D <chain> <n>

-------------------------------
Create a new chain, DMZ-rules, that drops packets coming in and going out on port 63 and allows ssh (port 22) inbound as well as www (port 80). The last thing done is to make the default policy DROP, so what is listed is allowed and everything else is dropped.

iptables -N DMZ-rules
iptables -A DMZ-rules -j DROP -p tcp --dport 63
iptables -A DMZ-rules -j ACCEPT -p tcp --dport 22
iptables -A DMZ-rules -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j DMZ-rules
iptables -A OUTPUT -j DMZ-rules
iptables -A FORWARD -j DMZ-rules

============== THE LAST THING YOU DO ! ! ===============
If you do this BEFORE the above, you had better be on the console. Otherwise you just locked yourself out.
iptables -P INPUT DROP
===========================================================
Note that with this policy replies to connections the host itself opens are also dropped, unless a rule such as "-m state --state RELATED,ESTABLISHED -j ACCEPT" (as in the RH-Firewall-1-INPUT set above) is added.

Add icmp to/from host; this will allow icmp of any kind:
iptables -A DMZ-rules -p icmp -j ACCEPT

Delete the same rule (it happens to be rule #4; find the rule number using iptables -L --line-numbers):
iptables -D DMZ-rules 4

Allow icmp echo requests:
iptables -A DMZ-rules -p icmp --icmp-type echo-request -j ACCEPT

or

Allow icmp of any type (echo requests included) but NOT host redirect:
iptables -A DMZ-rules -p icmp --icmp-type ! host-redirect -j ACCEPT
(newer iptables versions want the negation in front of the option: ! --icmp-type host-redirect)

See also Intel_Linux_notes/iptables
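Added example, not part of the original notes: a small sh script that writes the DMZ-rules set above as an iptables-restore file, so the DROP policy and the ACCEPT rules are loaded together and the "lock yourself out" window between the rules and "iptables -P INPUT DROP" goes away. The function names (gen_dmz_rules, valid_port) are my own; the chain is attached to INPUT only, and a RELATED,ESTABLISHED rule is included so replies to the host's own connections survive the DROP policy.

```shell
#!/bin/sh
# Build the DMZ-rules chain from this page as an iptables-restore file.
# iptables-restore replaces the whole filter table atomically, so the
# policy and the rules take effect in the same instant.

# valid_port N : succeed only if N is an integer in 1..65535
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_dmz_rules DROP_PORT ALLOWED_TCP_PORT... : print the ruleset on stdout.
# Every port is checked first so a typo never produces a half-written file.
gen_dmz_rules() {
    drop_port=$1; shift
    for p in "$drop_port" "$@"; do
        valid_port "$p" || { echo "gen_dmz_rules: bad port '$p'" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'        # default policy, set in the same load
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':DMZ-rules - [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # replies to connections this host opened would otherwise hit the DROP policy
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -j DMZ-rules'
    # DROP for the blocked port comes first, exactly as on the page
    printf '%s\n' "-A DMZ-rules -p tcp --dport $drop_port -j DROP"
    for p in "$@"; do
        printf '%s\n' "-A DMZ-rules -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' '-A DMZ-rules -p icmp --icmp-type echo-request -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Usage (as root):
#   gen_dmz_rules 63 22 80 > /etc/iptables_rules
#   iptables-restore --test /etc/iptables_rules   # parse only, do not apply
#   iptables-restore /etc/iptables_rules
```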