ALT Linux Community general discussions
* [Comm] iptables problem
@ 2010-02-12 11:37 Occisor
From: Occisor @ 2010-02-12 11:37 UTC
  To: ALT Linux Community general discussions


System: ALTLinux 5.0.0 KDE4
Here is a fragment of an iptables rules script. The goal is to allow
forwarding for only one IP address.
Non-working variant:
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -s 192.168.7.17 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

As a result, forwarding does not work,
although the rule seems to have been added:
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.7.18         anywhere

Working variant:
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A FORWARD -s 192.168.7.17 -o eth0 -j ACCEPT
iptables -A FORWARD -i ath0 -j DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.7.18         anywhere
DROP       all  --  anywhere             anywhere

What is the reason for this oddity?


* Re: [Comm] iptables problem
@ 2010-02-12 11:46 ` Arcady V. Ivanov
From: Arcady V. Ivanov @ 2010-02-12 11:46 UTC
  To: ALT Linux Community general discussions


----- "Occisor" <brutalfreak@gmail.com> writes:

> System: ALTLinux 5.0.0 KDE4
> Here is a fragment of an iptables rules script. The goal is to allow
> forwarding for only one IP address.
> Non-working variant:
> #!/bin/sh
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -F
> iptables -X
> iptables -P INPUT ACCEPT
> iptables -P FORWARD DROP
> iptables -A FORWARD -s 192.168.7.17 -o eth0 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> 
> As a result, forwarding does not work,
> although the rule seems to have been added:
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.7.18         anywhere
> 

Add a rule in the opposite direction, where 192.168.7.18 is the destination.


-- 
Regards.
Chief IT specialist, IKIR FEB RAS.
Arkady Ivanov.
Sincerely yours.
My site http://www.arccomm.ru




* Re: [Comm] iptables problem
@ 2010-02-12 13:31   ` Occisor
From: Occisor @ 2010-02-12 13:31 UTC
  To: community


On 12.02.2010 20:46, Arcady V. Ivanov wrote:
>> As a result, forwarding does not work,
>> although the rule seems to have been added:
>> Chain FORWARD (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     all  --  192.168.7.18         anywhere
>>
>
> Add a rule in the opposite direction, where 192.168.7.18 is the destination.
>

Thanks. I added iptables -A FORWARD -i eth0 -d 192.168.7.18 -j ACCEPT and
it works now.

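A small model of the FORWARD chain, added here as an illustration and not part of the thread: it evaluates constructed sample packets against the poster's two rule sets and against policy DROP plus the return-direction rule from the reply, and shows why the first script drops the replies while the policy-ACCEPT variant also forwards new connections arriving on eth0 toward the LAN. Everything except the address 192.168.7.17 and the interface names is constructed, and conntrack, NAT and protocols are ignored.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical packet fields for this model: src, dst, in (ingress interface),
# out (egress interface). No conntrack, NAT or protocol matching is modelled.
Packet = Dict[str, str]

@dataclass
class Rule:
    """One FORWARD rule: -s/-d/-i/-o selectors (None = any) and a target."""
    target: str
    src: Optional[str] = None
    dst: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        wanted = (("src", self.src), ("dst", self.dst),
                  ("in", self.in_if), ("out", self.out_if))
        return all(v is None or v == pkt[k] for k, v in wanted)

def forward_verdict(rules: List[Rule], policy: str, pkt: Packet) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy

# Constructed addresses: the allowed LAN host, another LAN host, a remote peer.
LAN_HOST, OTHER_LAN, REMOTE = "192.168.7.17", "192.168.7.20", "203.0.113.5"
SAMPLE_PACKETS: Dict[str, Packet] = {
    "out":         {"src": LAN_HOST,  "dst": REMOTE,    "in": "ath0", "out": "eth0"},
    "reply":       {"src": REMOTE,    "dst": LAN_HOST,  "in": "eth0", "out": "ath0"},
    "other_out":   {"src": OTHER_LAN, "dst": REMOTE,    "in": "ath0", "out": "eth0"},
    "inbound_new": {"src": REMOTE,    "dst": OTHER_LAN, "in": "eth0", "out": "ath0"},
}

# The poster's first script: policy DROP and only the outbound rule.
BROKEN = [Rule("ACCEPT", src=LAN_HOST, out_if="eth0")]
# The poster's "working" script: policy ACCEPT, anything entering on ath0 dropped.
LOOSE = [Rule("ACCEPT", src=LAN_HOST, out_if="eth0"), Rule("DROP", in_if="ath0")]
# Policy DROP plus the return-direction rule suggested in the reply.
FIXED = BROKEN + [Rule("ACCEPT", dst=LAN_HOST, in_if="eth0")]

def verdicts(rules: List[Rule], policy: str) -> Dict[str, str]:
    return {name: forward_verdict(rules, policy, p) for name, p in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for label, rules, policy in (("broken", BROKEN, "DROP"),
                                 ("loose", LOOSE, "ACCEPT"), ("fixed", FIXED, "DROP")):
        print(label, verdicts(rules, policy))
```

In practice the return direction is usually covered by one stateful rule (`-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`) rather than per-host destination rules, which keeps the DROP policy while admitting only replies.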
