I said it no longer works because... it sends all the connections it receives, apart from ssh, to another IP: 192.168.0.2, and now it doesn't even do that anymore... at least not for port 80, for example. So I'm thinking it's something general that isn't working, not necessarily the ftp... below is what the fw looks like... for whatever it's worth, and I haven't managed to turn it into a complete mess.... :)
#!/bin/sh
# INITIALIZATION:
modprobe eepro100
modprobe 8139too
domainname
hostname
ifconfig lo 127.0.0.1 netmask 255.0.0.0 up
route del -net 127.0.0.0 netmask 255.0.0.0 2>/dev/null
route add -net 127.0.0.0 netmask 255.0.0.0 lo
ifconfig eth0 212.xxx.xxx.xxx netmask 255.255.255.0 up
route del default
route add default gw 212.xxx.xxx.xxx
ifconfig eth1 192.168.0.1 netmask 255.255.0.0 up
iptables -F
iptables -t nat -F
# EXCEPTIONS: what is allowed
iptables -A INPUT -s ip_care_are_voie -p all -j ACCEPT
iptables -A FORWARD -s ip_care_are_voie -d 0/0 -p all -j ACCEPT
# EXCEPTIONS: alina is allowed out (available ip)
iptables -A FORWARD -s alina -p all -d 0/0 -j ACCEPT
iptables -A FORWARD -s 192.168.1.1 -p all -d 0/0 -j ACCEPT
iptables -A FORWARD -s 192.168.1.2 -p all -d 0/0 -j ACCEPT
# EXCEPTIONS: dns servers
iptables -A FORWARD -s 192.168.0.0/16 -d 10.0.100.1 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/16 -d dns1 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/16 -d dns2 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/16 -d dns3 -j ACCEPT
# EXCEPTIONS: upgrade
iptables -A FORWARD -s 192.168.0.0/16 -d 93.226.189.169 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/16 -d 93.226.189.170 -j ACCEPT
# GENERAL FIREWALL:
iptables -A INPUT -s ! 192.168.0.0/16 -i eth1 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -i eth0 -j DROP
iptables -A INPUT -s 172.16.0.0/20 -i eth0 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
iptables -A INPUT -s 0/0 -i eth0 -p tcp --dport 22 -j DROP
iptables -A INPUT -s 0/0 -i eth0 -p tcp --dport 2222 -j DROP
# SPECIFIC FIREWALL: sources towards http
# SPECIFIC FIREWALL: destinations
# ROUTING:
iptables -A POSTROUTING -t nat -s 192.168.0.0/16 -p all -d 0/0 -j SNAT --to-source 212.146.108.75
echo "1">/proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -i eth0 --destination-port 2222 -j DNAT --to-destination 192.168.0.2:22
iptables -t nat -A PREROUTING -p tcp -i eth0 --destination-port 25 -j DNAT --to-destination 192.168.0.2:25
iptables -t nat -A PREROUTING -p tcp -i eth0 --destination-port 993 -j DNAT --to-destination 192.168.0.2:993
iptables -t nat -A PREROUTING -p tcp -i eth0 --destination-port 80 -j DNAT --to-destination 192.168.0.2:80
iptables -t nat -A PREROUTING -p tcp -i eth0 --destination-port 443 -j DNAT --to-destination 192.168.0.2:443
iptables -t nat -A PREROUTING -p tcp -i eth0 --destination-port 21 -j DNAT --to-destination 192.168.0.2:21
iptables -t nat -A PREROUTING -p tcp -i eth0 --destination-port 20 -j DNAT --to-destination 192.168.0.2:20
iptables -t nat -A PREROUTING -p tcp -i eth0 --destination-port 25 -j DNAT --to-destination 192.168.0.2:25
# SERVICES:
killall -9 sshd
/usr/sbin/sshd
killall rsyslogd
rsyslogd
> - for ftp, you don't need port forwarding on the port but
> connection tracking (including making sure the ftp-related
> modules are loaded, such as ip_conntrack_ftp)
>
> sed -e "s/portul/portul 20;s/ftp$/ftp)"
- ? on 192.168.0.2 I have a vsftpd that runs fine... locally and from the LAN I can connect to it, transfer files, etc.. isn't it enough for the fw, when it sees a connection on port 21, to send it to the same port but to a different source??
- where am I going wrong?? there should be a drop before it, and I shouldn't allow connections from outside on 80, 21........ right?
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam
protection around
http://mail.yahoo.com
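The two points raised in the thread (the FTP data channel needs the conntrack helper, not a DNAT for port 20, and the FORWARD chain should drop by default before explicit allows) in one script. This is an added example, not the poster's firewall; it assumes the same layout (eth0 public, eth1 LAN 192.168.0.0/16, services on 192.168.0.2), uses a placeholder public address, and prints the commands instead of applying them unless RUN is set to empty.

```shell
#!/bin/sh
# Added example, not the poster's script. Prints the commands by default so they
# can be reviewed; run as  RUN='' sh fw.sh  to execute them for real.
RUN="${RUN-echo}"
WAN=eth0
LAN=eth1
LAN_NET=192.168.0.0/16
SRV=192.168.0.2
PUB_IP=203.0.113.75   # placeholder public address (TEST-NET-3), not the poster's
# public_port:port_on_SRV; 2222:22 keeps the server's ssh off the standard port
PUBLISHED="2222:22 21:21 25:25 80:80 443:443 993:993"
ftp_helper() {
    # The data channel is negotiated inside the control channel; the conntrack
    # helper parses it and marks the data connection RELATED, so port 20 needs
    # no DNAT rule of its own. Module names: nf_* on newer kernels, ip_* on old.
    for m in nf_conntrack_ftp nf_nat_ftp; do $RUN modprobe $m; done
}
nat_rules() {
    $RUN iptables -t nat -F
    for map in $PUBLISHED; do
        pub=${map%%:*}; dst=${map##*:}
        $RUN iptables -t nat -A PREROUTING -i $WAN -p tcp --dport $pub \
            -j DNAT --to-destination $SRV:$dst
    done
    $RUN iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j SNAT --to-source $PUB_IP
}
forward_rules() {
    # Default-deny first, explicit allows after: the "drop before it" asked about.
    $RUN iptables -F FORWARD
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
    # FORWARD sees the packet after DNAT, so match the internal port, not the public one.
    for map in $PUBLISHED; do
        dst=${map##*:}
        $RUN iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $SRV --dport $dst \
            -m state --state NEW -j ACCEPT
    done
}
all_rules() {
    ftp_helper
    nat_rules
    forward_rules
    $RUN sysctl -w net.ipv4.ip_forward=1
}
all_rules
```

Anything not listed in PUBLISHED is dropped by the FORWARD policy even if a stray DNAT rule exists, which is the check the poster's script lacks.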
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug