On Fri, Mar 08, 2002 at 08:03:30AM +0200, Rares.Cioban wrote:
> Hi,
> Could someone take a look at the lines below and tell me what I did wrong?
> Everything looks fine, except that from the outside I can't connect on
> ports 22, 80 ... It gives absolutely no error when loading.
>
> #!/bin/sh
> # Internal and External Devices
> dev_world=eth0
> dev_int=eth1
> # Firewall IP
> addr_int=217.10.196.230
> # Internal Net
> net_int=192.168.1.0/24
> #################################################################
> # Delete all Rules in Filtertable
> iptables -F
> #################################################################
> # Define new chains
> iptables -N BLOCK
> iptables -N EXT-INT
> iptables -N INT-EXT
> iptables -N ICMP-DENY
> iptables -N INT-IF
> iptables -N EXT-IF
> #################################################################
> iptables -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A BLOCK -m state --state NEW -i ! $dev_world -j ACCEPT
> iptables -A BLOCK -j DROP
> iptables -A INPUT -j BLOCK
> iptables -A FORWARD -j BLOCK
> #################################################################
> # Point to chains
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -i $dev_int -s $net_int -j INT-IF
> iptables -A INPUT -d ! $addr_int -i $dev_world -s ! $net_int -j EXT-IF
> iptables -A INPUT -j DROP
> iptables -A FORWARD -d ! $net_int -i $dev_world -s $net_int -j INT-EXT
> iptables -A FORWARD -d $net_int -i $dev_int -s ! $net_int -j EXT-INT
> iptables -A FORWARD -j DROP
> iptables -A OUTPUT -j ACCEPT
> #################################################################
> # Chain Rules
> iptables -A EXT-INT -j DROP
> iptables -A EXT-IF -i ! $dev_world -j DROP
> iptables -A EXT-IF -p tcp --dport 25 -j ACCEPT
> iptables -A EXT-IF -p tcp --dport 80 -j ACCEPT
> iptables -A EXT-IF -p udp --dport 80 -j ACCEPT
> iptables -A EXT-IF -p tcp --dport 22 -j ACCEPT
> iptables -A EXT-IF -p udp --dport 22 -j ACCEPT
> iptables -A EXT-IF -p tcp --dport 1024: -j ACCEPT
> iptables -A EXT-IF -p udp --dport 1024: -j ACCEPT
> iptables -A EXT-IF -j DROP

Hi,

Well, the last entry in the EXT-IF chain, that -j DROP, actually means drop everything, and you also have to open the ports above 1020 in order to make a connection. So instead of a final deny like that, you're better off defining the default policy as ACCEPT (which is ACCEPT by default) and putting in a reject line from 0 to 1020 for the tcp and udp protocols. If you built all of the above yourself, there's no point in me writing out the exact command line .. anyway, for a simple restriction I think you're overcomplicating things with the setup above, but if you understand it then it's ok ..

Teo

> iptables -A INT-IF -j ACCEPT
> ################################################################
> # NAT Rules
> iptables -t nat -A POSTROUTING -s 192.168.1.2 -d ! 193.230.161.3 -o eth0 -j SNAT --to 213.233.126.49
> ################################################################
> # Enable IP-Forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
> Thanks,
>
> Rares Cioban
> ---
> Send e-mail to '[EMAIL PROTECTED]' with 'unsubscribe rlug' to
> unsubscribe from this list.
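Tracing the posted INPUT chain: its first rule is "iptables -A INPUT -j BLOCK", and BLOCK's last rule drops every NEW packet arriving on $dev_world, so a connection from outside to port 22 or 80 is dropped there and never reaches EXT-IF; the jump to EXT-IF also uses "-d ! $addr_int", which excludes packets addressed to the firewall's own IP, the very packets INPUT handles. The script below is an added example (not the poster's script or Teo's suggestion) that keeps the same chain layout but runs the interface chains before the catch-all; it assumes the interface names and addresses from the posted script and only prints the commands as a dry run unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not the poster's script or Teo's suggestion: INPUT consults
# the per-interface chains *before* the BLOCK catch-all, so NEW connections
# from the world to the firewall's own services reach EXT-IF instead of
# being dropped by BLOCK's last rule. FORWARD and NAT are as in the posted
# script and are omitted here. IPT defaults to a dry run that prints the
# commands; run with IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"
dev_world=eth0                 # interfaces and addresses from the posted script
dev_int=eth1
addr_int=217.10.196.230        # the firewall's own world-facing IP
net_int=192.168.1.0/24

fw_rules() {
    $IPT -F
    $IPT -X
    for c in BLOCK EXT-IF INT-IF; do $IPT -N "$c"; done
    # Catch-all: keep existing flows, accept NEW only from non-world interfaces.
    $IPT -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A BLOCK -m state --state NEW -i ! "$dev_world" -j ACCEPT
    $IPT -A BLOCK -j DROP
    # Services the firewall exposes to the world. SSH and HTTP are TCP-only,
    # so there are no udp/22 or udp/80 rules, and "1024:" is not opened:
    # replies to the firewall's own outbound traffic are ESTABLISHED already.
    $IPT -A EXT-IF -i ! "$dev_world" -j DROP
    $IPT -A EXT-IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A EXT-IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A EXT-IF -j RETURN       # anything else falls through to BLOCK
    $IPT -A INT-IF -j ACCEPT
    # INPUT order: loopback, interface chains, state catch-all, final drop.
    # The EXT-IF jump matches the firewall's address positively; the posted
    # "-d ! $addr_int" excluded exactly the packets INPUT is there to handle.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$dev_int" -s "$net_int" -j INT-IF
    $IPT -A INPUT -i "$dev_world" -d "$addr_int" -j EXT-IF
    $IPT -A INPUT -j BLOCK
    $IPT -A INPUT -j DROP
    $IPT -A OUTPUT -j ACCEPT
}

# Dry-run check: in INPUT, the jump to EXT-IF must come before the jump to BLOCK.
ext_if_before_block() {
    rules=$(fw_rules)
    ext=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT .* -j EXT-IF' | cut -d: -f1)
    blk=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -j BLOCK' | cut -d: -f1)
    [ -n "$ext" ] && [ -n "$blk" ] && [ "$ext" -lt "$blk" ]
}
```

Running the file as-is prints the iptables commands in order, which is a convenient way to review rule ordering before applying anything to a live box.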
