Ioan,

so you don't want to let anyone from the internal network go out over ssh
to other servers?
or you don't want people to be able to connect to your server over ssh except
from certain IPs?

Tuesday, October 14, 2003, 4:46:39 PM, you wrote:

IA> The problem is that I don't know the destination IP (that would be easy). All I want is,
IA> from the router, to cut off the ssh clients by IP (when someone wants to
IA> open a connection to some arbitrary ssh server).

IA> ----- Original Message ----- 
IA> From: "Radu" <[EMAIL PROTECTED]>
IA> To: <[EMAIL PROTECTED]>
IA> Sent: Wednesday, October 15, 2003 2:41 AM
IA> Subject: [rlug] Re: ICQ & YM and firewall


>> Brother Alin,
>>
>>     From what I remember, but I'm not sure, you still have to check.
>> The following:
>>     If it is a router:
>>         iptables -A FORWARD -s <ip of whoever you want to burn> -d <ip of the ssh server> -j DROP
>>     If you want to deny egress from a particular host:
>>         iptables -A OUTPUT -d <ip of the ssh server> -j DROP
>> The stuff above cuts all traffic towards that server.
>>
>>
>> With bows, maestro.
>>
>> ----- Original Message -----
>> From: "Ioan Alin" <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>
>> Sent: Tuesday, October 14, 2003 7:32 AM
>> Subject: [rlug] Re: ICQ & YM and firewall
>>
>>
>> >
>> > I'd also be interested in cutting off all outbound connections to an ssh server (any
>> > port, not necessarily 22).
>> >
>> > ----- Original Message -----
>> > From: "Radu" <[EMAIL PROTECTED]>
>> > To: <[EMAIL PROTECTED]>
>> > Sent: Wednesday, October 15, 2003 2:29 AM
>> > Subject: [rlug] Re: ICQ & YM and firewall
>> >
>> >
>> > > Brother, there is no problem at all.
>> > > The idea is how it could still be done with that damned yahoo
>> > > messenger... because this thing stresses me out too.
>> > > And I don't have too many ideas... in this direction...
>> > > Maybe someone has actually dealt with it... just with blocking yahoo messenger...?
>> > >
>> > > Radu.
>> > > ----- Original Message -----
>> > > From: "Knight" <[EMAIL PROTECTED]>
>> > > To: "Radu" <[EMAIL PROTECTED]>
>> > > Sent: Tuesday, October 14, 2003 8:23 AM
>> > > Subject: [rlug] Re: ICQ & YM and firewall
>> > >
>> > >
>> > > > Radu,
>> > > >
>> > > > I think mea culpa
>> > > > but where the hell did I read ipchains, because I know for sure that's what I read
>> > > > whatsoever
>> > > > sorry
>> > > >
>> > > > Wednesday, October 15, 2003, 2:05:25 AM, you wrote:
>> > > >
>> > > > R> Brother Knight,
>> > > >
>> > > > R>     You'd do well to sit and look carefully at the threads. The poor man
>> > > > R> had asked about iptables. So, just for the sake of it, look back and see that
>> > > > R> you're a bit off with your answers. The thing about opening your eyes... is
>> > > > R> very true. It starts right from the first mail....
>> > > > R>     For documentation purposes... I'm listing it below... I hope you won't get
>> > > > R> upset with me, but it seems to me that it says iptables. I know that because I
>> > > > R> finished first grade with honors... :))
>> > > >
>> > > > R> Be good,
>> > > > R> Radu.
>> > > >
>> > > >
>> > > > R> -------------------------------------------------------------------------
>> > > > R> Hi,
>> > > >
>> > > > R>         I have a firewall script, made with iptables, on a gateway which has
>> > > > R>      "DROP" as the policy on the forward chain and allows the users from the
>> > > > R>      local network to connect, on the internet, only to ports 80, 25,
>> > > > R> 110.
>> > > > R>      My idea would be that the people on the local network can only go out
>> > > > R>      on web and mail.
>> > > > R>          The problem shows up when ICQ or YM uses any port to connect
>> > > > R>      outside and links up to a multitude of addresses. So from the
>> > > > R>      local network one can chat at will.
>> > > > R>          Can anyone tell me how this trouble gets solved?
>> > > >
>> > > >
>> > > > R> --
>> > > > R> Thanks in advance,
>> > > > R>  Liviu                          mailto:[EMAIL PROTECTED]
>> > > >
>> > > >
>> > > >
>> > > >
>> > > > R> ------------------------------------------------------------------------
>> > > >
>> > > >
>> > > > R> ----- Original Message -----
>> > > > R> From: "Knight" <[EMAIL PROTECTED]>
>> > > > R> To: "Radu" <[EMAIL PROTECTED]>
>> > > > R> Sent: Tuesday, October 14, 2003 7:55 AM
>> > > > R> Subject: [rlug] Re: ICQ & YM and firewall
>> > > >
>> > > >
>> > > > >> Radu,
>> > > > >>
>> > > > >> did you even read what I wrote?
>> > > > >> the guy who posted the thread asked for help with ipchains
>> > > > >> so don't jump on me
>> > > > >> a matter of alphabet, like hell; it's a matter of following a thread and
>> > > > >> opening your eyes wide :))
>> > > > >>
>> > > > >> Wednesday, October 15, 2003, 1:48:55 AM, you wrote:
>> > > > >>
>> > > > >> R> Old man, IPTABLES. Not ipchains.
>> > > > >> R> A matter of alphabet.
>> > > > >> R> ----- Original Message -----
>> > > > >> R> From: "Knight" <[EMAIL PROTECTED]>
>> > > > >> R> To: "Dekxter X." <[EMAIL PROTECTED]>
>> > > > >> R> Sent: Tuesday, October 14, 2003 7:01 AM
>> > > > >> R> Subject: [rlug] Re: ICQ & YM and firewall
>> > > > >>
>> > > > >>
>> > > > >> >> Dekxter,
>> > > > >> >>
>> > > > >> >> yes, but the guy specified that he wants ipchains
>> > > > >> >> :(((((((
>> > > > >> >> I think in ipchains it was -y :)) instead of --syn
>> > > > >> >>
>> > > > >> >> Monday, October 13, 2003, 6:32:40 PM, you wrote:
>> > > > >> >>
>> > > > >> >> DX> you will have to modify FORWARD with:
>> > > > >> >>
>> > > > >> >> DX> iptables --policy FORWARD DROP
>> > > > >> >>
>> > > > >> >> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 5 --jump ACCEPT
>> > > > >> >> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 0 --jump ACCEPT
>> > > > >> >> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 110 --jump ACCEPT
>> > > > >> >> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 143 --jump ACCEPT
>> > > > >> >> DX> # these 4 rules are for access to any address for
>> > > > >> >> DX> # mail via POP3, IMAP, send and www
>> > > > >> >>
>> > > > >> >> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --syn --jump DROP
>> > > > >> >> DX> iptables -A FORWARD -s 192.168.0.0/24 -p tcp --syn --jump DROP
>> > > > >> >> DX> # these 2 rules reject any attempt to initiate a connection
>> > > > >> >> DX> # into the local network or from the local network to the internet
>> > > > >> >>
>> > > > >> >> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --jump ACCEPT
>> > > > >> >> DX> # this rule accepts any other kind of tcp connection
>> > > > >> >>
>> > > > >> >>
>> > > > >> >>
>> > > > >> >> DX> # man iptables
>> > > > >> >>
>> > > > >> >> DX> [!] --syn
>> > > > >> >> DX>      Only match TCP packets with the SYN bit set and the ACK and RST
>> > > > >> >> DX>      bits cleared. Such packets are used to request TCP connection
>> > > > >> >> DX>      initiation; for example, blocking such packets coming in an interface
>> > > > >> >> DX>      will prevent incoming TCP connections, but outgoing TCP connections
>> > > > >> >> DX>      will be unaffected.
>> > > > >> >> DX>      It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag
>> > > > >> >> DX>      precedes the "--syn", the sense of the option is inverted.
>> > > > >> >>
>> > > > >> >> DX> ps: if I'm wrong please correct me ...
>> > > > >> >>
>> > > > >> >> DX> Liviu wrote:
>> > > > >> >>
>> > > > >> >> >> Hi,
>> > > > >> >> >>      My idea would be that the people on the local network can only go out
>> > > > >> >> >>      on web and mail.
>> > > > >> >>

-- 
Best regards,
 Knight

This message was brought to you by the numbers 0 and 1.


---
Details about our mailing lists: http://www.lug.ro/
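An added example, not part of the thread and not anyone's posted script: a shell function that emits the FORWARD rule set for the gateway Liviu describes (policy DROP, only web and mail allowed out), assuming the LAN is 192.168.0.0/24 as in Dekxter's post and that the outside interface is eth0. IPT defaults to `echo iptables`, so running it prints the rules for review instead of changing the live firewall.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the FORWARD rule set for a
# "default DROP, allow only web and mail" gateway so it can be reviewed first.
# Assumed values: LAN 192.168.0.0/24 (from Dekxter's post), outside interface
# eth0. IPT defaults to "echo iptables" (dry run); set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
LAN="${LAN:-192.168.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-80 25 110 143}"   # www, smtp, pop3, imap

build_rules() {
    # Default deny for routed traffic; every rule below is an explicit exception.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Return traffic of connections that were already accepted, in either direction.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound: the LAN client opens the connection, so match -s LAN and the
    # server port with --dport. (Matching -d LAN together with --dport, as in
    # the quoted rules, describes the reverse direction and opens nothing for
    # clients sitting behind a DROP policy.)
    for port in $ALLOWED_TCP_PORTS; do
        $IPT -A FORWARD -s "$LAN" -o "$WAN_IF" -p tcp --dport "$port" --syn -j ACCEPT
    done

    # Any other connection attempt leaving the LAN (YM/ICQ hopping ports, ssh on
    # 22 or on any other port) is logged, then dropped. The log line shows which
    # client tried which port, so the deny list can be reviewed afterwards.
    # Ioan's "ssh on any port" case cannot be recognised by port alone; this
    # policy covers it by allowing nothing that is not explicitly listed.
    $IPT -A FORWARD -s "$LAN" -o "$WAN_IF" -p tcp --syn -j LOG --log-prefix "FWD-DENY: "
    $IPT -A FORWARD -s "$LAN" -o "$WAN_IF" -p tcp --syn -j DROP
}

build_rules
```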

