Hello Knight,
Monday, October 13, 2003, 4:40:03 PM, you wrote:
#iptables -L ipac_in
Chain ipac_in (2 references)
target prot opt source destination
all -- anywhere 192.168.0.17
all -- anywhere 192.168.0.15
all -- anywhere 192.168.0.13
all -- anywhere 192.168.0.11
all -- anywhere 192.168.0.12
all -- anywhere 192.168.0.27
all -- anywhere 192.168.0.20
all -- anywhere 192.168.0.111
all -- anywhere localnet/24
#iptables -L ipac_out
Chain ipac_out (2 references)
target prot opt source destination
all -- 192.168.0.17 anywhere
all -- 192.168.0.15 anywhere
all -- 192.168.0.13 anywhere
all -- 192.168.0.11 anywhere
all -- 192.168.0.12 anywhere
all -- 192.168.0.27 anywhere
all -- 192.168.0.20 anywhere
all -- 192.168.0.111 anywhere
all -- localnet/24 anywhere
There are only two chains for IP accounting. They have no targets, so the packets don't go through there.
The problem is that YM and ICQ use any port to get out...
YM looks for an open port on its own, and ICQ can be configured.
K> Liviu,
K> I need to figure out why Yahoo Messenger and ICQ still work for you
K> after you cut off the rest of the ports.
K> What's with ipac_in and ipac_out?!!? I think those are to blame.
K> Give the output of those if they're related to the local network,
K> i.e.:
K> ipchains -L ipac_in
K> ipchains -L ipac_out
K> And one more thing: instead of all those rules there, you could have put this:
K> ipchains -A FORWARD -s 192.168.0.0/24 -d 0/0 80 -j ACCEPT
K> ipchains -A FORWARD -s 192.168.0.0/24 -d 0/0 25 -j ACCEPT
K> ipchains -A FORWARD -s 192.168.0.0/24 -d 0/0 110 -j ACCEPT
K> ipchains -A FORWARD -s 192.168.0.0/24 -d 0/0 443 -j ACCEPT
K> Try this:
K> ipchains-save >>/fisier_salvere_ipchains
K> ipchains -F FORWARD
K> ipchains -A FORWARD -s 192.168.0.0/24 -d 0/0 80 -j ACCEPT
K> ipchains -A FORWARD -s 192.168.0.0/24 -d 0/0 25 -j ACCEPT
K> ipchains -A FORWARD -s 192.168.0.0/24 -d 0/0 110 -j ACCEPT
K> ipchains -A FORWARD -s 192.168.0.0/24 -d 0/0 443 -j ACCEPT
K> and see whether ICQ and Yahoo still work with only these 4 rules.
K> www might stop working too :<
K> Tell me if it works.
K> Monday, October 13, 2003, 4:15:49 PM, you wrote:
L>> Hello Knight,
L>> Monday, October 13, 2003, 4:10:09 PM, you wrote:
K>>> Liviu,
K>>> Give the output of this:
K>>> ipchains -nL
K>>> If that doesn't work, just try
K>>> ipchains -L
L>> Chain FORWARD (policy DROP)
L>> target prot opt source destination
L>> ipac_in all -- anywhere anywhere
L>> ipac_out all -- anywhere anywhere
L>> ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
L>> ACCEPT tcp -- 192.168.0.11 anywhere tcp dpt:www
L>> ACCEPT tcp -- 192.168.0.15 anywhere tcp dpt:www
L>> ACCEPT tcp -- 192.168.0.17 anywhere tcp dpt:www
L>> ACCEPT tcp -- 192.168.0.17 anywhere tcp dpt:smtp
L>> ACCEPT tcp -- 192.168.0.17 anywhere tcp dpt:pop3
L>> ACCEPT tcp -- 192.168.0.13 anywhere tcp dpt:www
L>> ACCEPT tcp -- 192.168.0.15 anywhere tcp dpt:smtp
L>> ACCEPT tcp -- 192.168.0.15 anywhere tcp dpt:pop3
L>> But what do you need it for?
K>>> As fast as you can, because people are already getting ready to leave
K>>> work :)
K>>> Monday, October 13, 2003, 3:51:19 PM, you wrote:
L>>>> Hi,
L>>>> I have a firewall script, made with iptables, on a gateway whose
L>>>> policy on the FORWARD chain is "DROP" and which allows users on the
L>>>> local network to connect to the Internet only on ports 80, 25, 110.
L>>>> My idea is that people on the local network should only be able to get out
L>>>> to the web and to mail.
L>>>> The problem appears when ICQ or YM uses any port to connect to the
L>>>> outside and connects to a multitude of addresses. So people on the
L>>>> local network can chat as much as they like.
L>>>> Can someone tell me how this mess gets fixed?
L>>>> Because when I told my boss it will take a while longer, he already
L>>>> started suspecting me of collaborating with the chatters in the company.
--
Best regards,
Liviu mailto:[EMAIL PROTECTED]
---
Details about our mailing lists: http://www.lug.ro/
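The thread above circles around a port whitelist on the FORWARD chain plus a blanket RELATED,ESTABLISHED accept. The following shell script is an added example, not code from Liviu's gateway or from any of the posters: it writes that policy the stateful way, so that the per-port rules only match NEW connections and the catch-all rule only matches flows that already passed one of them, and it logs what the DROP policy discards so you can see which ports a chat client is actually trying. The LAN range 192.168.0.0/24 and the port list 80, 25, 110, 443 are the ones named in the thread; the variable names LAN_NET and ALLOWED_TCP, the log prefix and the APPLY switch are this example's own assumptions. Nothing touches the kernel unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original thread): stateful iptables FORWARD
# policy for a gateway with policy DROP. Assumed values: LAN 192.168.0.0/24
# and the outbound TCP ports 80, 25, 110, 443 discussed in the thread.
# "-m state" is the match 2003-era iptables offered; it still works today.
# Without APPLY=1 the script only prints the rules for review.

LAN_NET="${LAN_NET:-192.168.0.0/24}"
ALLOWED_TCP="${ALLOWED_TCP:-80 25 110 443}"

# Emit the iptables commands, one per line, so the policy can be read as text.
fw_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies to connections accepted below. This is the only rule that may
    # match arbitrary ports, and only for flows that first passed a NEW rule.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Per-port rules match NEW connections only: a client that "looks for an
    # open port" finds nothing outside ALLOWED_TCP.
    for port in $ALLOWED_TCP; do
        echo "iptables -A FORWARD -p tcp --dport $port -s $LAN_NET -m state --state NEW -j ACCEPT"
    done
    # Rate-limited log of what the DROP policy discards; the kernel log then
    # shows the destination ports the chat clients really use.
    echo "iptables -A FORWARD -s $LAN_NET -m limit --limit 10/minute -j LOG --log-prefix \"FWD-DROP: \""
}

# Decide, from the same list the rules are built from, whether a NEW outbound
# TCP connection to port $1 would be accepted. Exit 0 = allowed, 1 = dropped.
port_allowed() {
    for port in $ALLOWED_TCP; do
        [ "$port" = "$1" ] && return 0
    done
    return 1
}

# Number of ACCEPT rules in the generated policy: one per allowed port plus
# the ESTABLISHED,RELATED rule. A quick sanity check before applying.
accept_rule_count() {
    fw_rules | grep -c -- '-j ACCEPT'
}

if [ "${APPLY:-0}" = "1" ]; then
    fw_rules | sh -e        # needs root and netfilter; skipped in dry-run mode
else
    fw_rules
fi
```

Run `sh fw.sh` to review the rules and `APPLY=1 sh fw.sh` to load them (save the current set with `iptables-save` first, as Knight did with `ipchains-save`). Note what this does not solve: a connection to port 80 is accepted whoever makes it, so a chat client that falls back to the web port passes this filter exactly like a browser does; telling the two apart needs an HTTP proxy in the path, not a port filter.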