INTERFACE is only there to prevent "spoofing" on my interfaces;
look at this fragment:
for x in ${INTERFACES}
do
echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
done
other than that there's nothing more..
the important thing here is UPLINK=ppp0.
I can't point it at eth0 because my workstations wouldn't be able to
get out.
On Wed, 2004-01-14 at 17:38, Mike S. Lacanilao wrote:
> yo sir lampits, I saw your fw script and it seems you're not using your
> INTERFACE in the forwarding rules, I'm not 100% sure about this, but at least
> try forwarding packets on your "eth0", which is where your workstations
> pass through:
> ex:
> iptables -A FORWARD -i $UPLINK -o $INTERFACE[1] -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $INTERFACE[1] -o $UPLINK -j ACCEPT
>
> regards,
> mike
>
> lito lampitoc wrote:
>
> >Hi All,
> >
> >I have an RH9 box connected to myDSL that serves as the gateway for my
> >workstations' internet access. It only uses iptables to masquerade.
> >Strangely, the workstations cannot send e-mail; it times out.
> >Likewise, when I ping the internet, it barely responds and eventually
> >times out as well. I checked my firewall rules, but I can't see any
> >problem. Here are the contents of my firewall script:
> >-------
> > #!/bin/bash
> >
> > UPLINK="ppp0"
> > ROUTER="yes"
> > NAT="dynamic"
> > INTERFACES="lo eth0"
> > SERVICES="sshd"
> >
> > if [ "$1" = "start" ]
> > then
> >     echo "Starting firewall..."
> >     iptables -P INPUT DROP
> >     iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
> >     iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> >     for x in ${SERVICES}
> >     do
> >         iptables -A INPUT -p tcp --syn --dport ${x} -m state --state NEW -j ACCEPT
> >     done
> >
> >     iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
> >     iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
> >
> >     if [ -e /proc/sys/net/ipv4/tcp_ecn ]
> >     then
> >         echo 0 > /proc/sys/net/ipv4/tcp_ecn
> >     fi
> >
> >     for x in ${INTERFACES}
> >     do
> >         echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
> >     done
> >
> >     if [ "$ROUTER" = "yes" ]
> >     then
> >         echo 1 > /proc/sys/net/ipv4/ip_forward
> >         if [ "$NAT" = "dynamic" ]
> >         then
> >             echo "Enabling masquerading (dynamic ip)..."
> >             iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ${UPLINK} -j MASQUERADE
> >         elif [ "$NAT" != "" ]
> >         then
> >             echo "Enabling SNAT (static ip)..."
> >             iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT}
> >         fi
> >     fi
> > elif [ "$1" = "stop" ]
> > then
> >     echo "Stopping firewall..."
> >     iptables -F INPUT
> >     iptables -P INPUT ACCEPT
> >     # turn off NAT/masquerading, if any
> >     iptables -t nat -F POSTROUTING
> > fi
> >----------
> >
> >What do you think is the cause?
> >
> >Thanks.
> >
> >--
> >Philippine Linux Users' Group (PLUG) Mailing List
> >[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
> >Official Website: http://plug.linux.org.ph
> >Searchable Archives: http://marc.free.net.ph
> >.
> >To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
> >.
> >Are you a Linux newbie? To join the newbie list, go to
> >http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
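An added example, not code from either post: it completes the FORWARD chain that Mike's reply suggests (the posted script sets INPUT to DROP but never touches FORWARD, which stays at its ACCEPT default) and keeps the rp_filter loop and masquerade rule from lito's script. The names LAN and LAN_NET, the run wrapper and the DRY_RUN switch are assumptions of this example; with DRY_RUN=1 the commands are printed for review instead of executed.

```shell
#!/bin/bash
# Added example (not the posted script): a default-deny FORWARD chain for
# the ppp0/eth0 gateway in the thread, reusing its variable names.
UPLINK="${UPLINK:-ppp0}"              # PPP link to the DSL provider
LAN="${LAN:-eth0}"                    # interface the workstations sit on (assumed name)
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # network masqueraded by the posted script
INTERFACES="${INTERFACES:-lo eth0}"   # rp_filter is set on each of these

# With DRY_RUN set, print the command instead of running it (no root needed).
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

forward_rules() {
    # Default-deny for routed traffic; the posted script only restricts INPUT.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # Replies to connections the workstations opened towards the uplink.
    run iptables -A FORWARD -i "$UPLINK" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only packets carrying a LAN source address may leave via the uplink;
    # anything else injected on the LAN side is dropped by the policy.
    run iptables -A FORWARD -i "$LAN" -o "$UPLINK" -s "$LAN_NET" -j ACCEPT
    # Masquerade exactly as the posted script does (dynamic PPP address).
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$UPLINK" -j MASQUERADE
}

rp_filter_on() {
    # The same anti-spoofing knob the original script sets per interface.
    for x in $INTERFACES; do
        run sh -c "echo 1 > /proc/sys/net/ipv4/conf/$x/rp_filter"
    done
}

# Helpers for reviewing the rule set in dry-run mode.
count_forward_rules() {
    (DRY_RUN=1; forward_rules) | grep -c -- '-A FORWARD'
}
count_rp_filter_writes() {
    (DRY_RUN=1; rp_filter_on) | grep -c 'rp_filter'
}
```

Run `DRY_RUN=1 bash` on the file and call `forward_rules` to see the rules before applying them as root.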