Would this be the solution, more or less?

for s in ${GRUP2}
do
    # TCP 80 and 21 from group 2 to non-local destinations go to the proxy;
    # one multiport rule replaces the two per-port rules.
    iptables -t nat -A PREROUTING -i eth1 -p tcp -s ${s} ! -d ${RETEALOCALA} \
        -m multiport --dports 80,21 -j DNAT --to-destination 192.168.0.254:8080
    # multiport only works with a protocol match, so -p tcp is required here;
    # as written this covers DNS over TCP only, not UDP port 53.
    iptables -t nat -A POSTROUTING -o ${INTERNET} -p tcp -s ${s} \
        -m multiport --dports 25,53,110,443 -j SNAT --to-source ${NAT}
done
2013/10/22 manuel "lonely wolf" wolfshant <wo...@prolinux.ro>

> On 10/21/2013 11:43 PM, Laurentiu STEFAN wrote:
> > I have 2 groups of IPs; in theory the first should go out freely and the
> > second should go through the proxy.
> >
> > I have:
> >
> > for s in ${GRUP2}
> > do
> >     iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -s ${s} -d ! ${RETEALOCALA} -j DNAT --to 192.168.0.254:8080
> >     iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -s ${s} -d ! ${RETEALOCALA} -j DNAT --to 192.168.0.254:8080
> > done
> >
> > for s in ${GRUP1}
> > do
> >     iptables -t nat -A POSTROUTING -o ${INTERNET} -s ${s} -j SNAT --to-source ${NAT}
> > done
> >
> > The problem is that those in group 2 should also have access to the other
> > external services (DNS, POP, etc.).
> > I tried adding iptables -t nat -A POSTROUTING -o ${INTERNET} -s ${s} -j SNAT --to-source ${NAT}
> > in group 2 as well, but then it no longer goes through the proxy.
> add any other ports you want to leave open. or first put a rule with
> "! --dport NNN" -j ACCEPT and only after that the redirect rule
> additional hint: you don't need separate rules per port, -m multiport is
> made exactly for these cases
> >
> > On another note,
> > if in group 2 I add:
> > iptables -A FORWARD -p tcp -s ${s} --match multiport --dports 80,443,21 -m string --string '.exe' --algo bm -j DROP
> > will it stop them from downloading .exe files?
> force them through a proxy (squid..) and block there with ACLs. It is much
> more reliable than string match in iptables.
> >
> > Thanks in advance
> >
>
> --
> Manuel Wolfshant linux registered user #131416
> IT manager NoBug Consulting SRL
> A: Yes.
> >Q: Are you sure?
> >>A: Because it reverses the logical flow of conversation.
> >>>Q: Why is top posting frowned upon?
> _______________________________________________
> RLUG mailing list
> RLUG@lists.lug.ro
> http://lists.lug.ro/mailman/listinfo/rlug
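The approach wolfshant describes, put together as a complete script: one -m multiport rule per host instead of one rule per port, and the rest of group 2's traffic (DNS, POP3, SMTP, HTTPS, UDP included) reaching the Internet through an ordinary SNAT because the DNAT only catches TCP 80/21. This is an added example, not code from the thread; the interface names, the public address (TEST-NET-3), the proxy address and the group members are assumptions. By default it only prints the rules it would load.

```shell
#!/bin/sh
# Added example (not from the thread): two-group NAT with a transparent proxy
# for group 2 on TCP 80/21. Interfaces, addresses and group members are assumed.

LAN_IF=eth1
INTERNET=eth0
RETEALOCALA=192.168.0.0/24
NAT=203.0.113.10                 # assumed public address (TEST-NET-3)
PROXY=192.168.0.254:8080         # transparent proxy on the LAN, e.g. squid
GRUP1="192.168.0.10 192.168.0.11"
GRUP2="192.168.0.20 192.168.0.21"
PROXIED_PORTS=80,21

# IPT=iptables loads the rules for real; the default only prints them (dry run).
IPT="${IPT:-echo iptables}"

gen_rules() {
    # Group 1 leaves directly: one SNAT rule per host, no port match at all.
    for s in $GRUP1; do
        $IPT -t nat -A POSTROUTING -o "$INTERNET" -s "$s" \
            -j SNAT --to-source "$NAT"
    done

    for s in $GRUP2; do
        # Only TCP 80/21 towards non-local destinations are DNATed to the proxy.
        # Any other port or protocol simply does not match, so nothing else has
        # to be listed in PREROUTING (multiport requires -p tcp or -p udp).
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$s" ! -d "$RETEALOCALA" \
            -m multiport --dports "$PROXIED_PORTS" \
            -j DNAT --to-destination "$PROXY"
        # Packets DNATed to the LAN proxy never leave through $INTERNET, so an
        # unconditional SNAT here only affects the non-proxied traffic.
        $IPT -t nat -A POSTROUTING -o "$INTERNET" -s "$s" \
            -j SNAT --to-source "$NAT"
        # Defense in depth: anything on 80/21 that still heads for the Internet
        # directly (i.e. was not redirected) is dropped, so the proxy ACLs are
        # the only way out for those ports.
        $IPT -A FORWARD -i "$LAN_IF" -o "$INTERNET" -p tcp -s "$s" \
            -m multiport --dports "$PROXIED_PORTS" -j DROP
    done
}

# Number of rules the script would load, always computed as a dry run.
rule_count() {
    (IPT="echo iptables"; gen_rules) | wc -l | tr -d ' '
}

gen_rules
```

Run it as root with `IPT=iptables sh script.sh` to load the rules; without that it just echoes them, which is the easiest way to review the generated ruleset before touching a live gateway. Because the DNAT target is another host on the LAN, the proxy sees the client's real source address; if squid ran on the gateway itself, REDIRECT in the same PREROUTING rule would take the place of DNAT.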