From: Maxim Ivanov
To: community@altlinux.ru
Date: Tue, 16 Sep 2003 19:36:31 +0400
Subject: Re: [Comm] Iptables
Message-Id: <20030916193631.06714500.ivanov@amos.ru>
In-Reply-To: <20030916193349.58ccc6fe.ivanov@amos.ru>
Organization: AMOS
X-Mailer: Sylpheed version 0.8.8 (GTK+ 1.2.10; i586-alt-linux-gnu)

Forgot to attach the file...

On Tue, 16 Sep 2003 19:33:49 +0400
Maxim Ivanov wrote:

> Could someone please advise: I set up Squid with authentication
> and put iptables on top of it (the output of iptables -L is in the attached file).
> I noticed a remarkable picture: we are no longer asked for a password, we
> just go straight out to the Internet....
> How this happens is unclear. It looks like packets go past Squid straight
> to port 80 (Squid listens on 3128). But I have no rule explicitly written
> to redirect them.
>
> The question is: what are the minimum acceptable protection settings for a
> machine running an authenticating (non-transparent) proxy?
> I am sure there is something like "deny everything, allow inbound on
> 3128 TCP and outbound to 80 after the local process has done its work".
> Is that realistic?
>
> _______________________________________________
> Community mailing list
> Community@altlinux.ru
> http://www.altlinux.ru/mailman/listinfo/community

[Attachment: iptab.txt]

Chain INPUT (policy DROP)
target        prot opt source                        destination
ACCEPT        all  --  anywhere                      anywhere
bad_packets   all  --  anywhere                      anywhere
DROP          all  --  anywhere                      ALL-SYSTEMS.MCAST.NET
ACCEPT        all  --  192.168.1.0/24                anywhere
ACCEPT        all  --  anywhere                      192.168.1.255
ACCEPT        all  --  anywhere                      anywhere            state RELATED,ESTABLISHED
tcp_inbound   tcp  --  anywhere                      anywhere
udp_inbound   udp  --  anywhere                      anywhere
icmp_packets  icmp --  anywhere                      anywhere
DROP          all  --  anywhere                      255.255.255.255
LOG           all  --  anywhere                      anywhere            limit: avg 3/min burst 3 LOG level warning prefix `INPUT packet died: '

Chain FORWARD (policy DROP)
target        prot opt source                        destination
bad_packets   all  --  anywhere                      anywhere
tcp_outbound  tcp  --  anywhere                      anywhere
udp_outbound  udp  --  anywhere                      anywhere
ACCEPT        all  --  anywhere                      anywhere
ACCEPT        all  --  anywhere                      anywhere            state RELATED,ESTABLISHED
LOG           all  --  anywhere                      anywhere            limit: avg 3/min burst 3 LOG level warning prefix `FORWARD packet died: '

Chain OUTPUT (policy DROP)
target        prot opt source                        destination
DROP          icmp --  anywhere                      anywhere            state INVALID
ACCEPT        all  --  localhost.localdomain         anywhere
ACCEPT        all  --  anywhere                      anywhere
ACCEPT        all  --  Administrator.server2000.amos anywhere
ACCEPT        all  --  anywhere                      anywhere
ACCEPT        all  --  anywhere                      anywhere
LOG           all  --  anywhere                      anywhere            limit: avg 3/min burst 3 LOG level warning prefix `OUTPUT packet died: '

Chain bad_packets (2 references)
target           prot opt source                     destination
LOG              all  --  anywhere                   anywhere            state INVALID LOG level warning prefix `Invalid packet: '
DROP             all  --  anywhere                   anywhere            state INVALID
bad_tcp_packets  tcp  --  anywhere                   anywhere
RETURN           all  --  anywhere                   anywhere

Chain bad_tcp_packets (1 references)
target        prot opt source                        destination
RETURN        tcp  --  anywhere                      anywhere
LOG           tcp  --  anywhere                      anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW LOG level warning prefix `New not syn: '
DROP          tcp  --  anywhere                      anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW
RETURN        tcp  --  anywhere                      anywhere

Chain icmp_packets (1 references)
target        prot opt source                        destination
LOG           icmp -f  anywhere                      anywhere            LOG level warning prefix `ICMP Fragment: '
DROP          icmp -f  anywhere                      anywhere
ACCEPT        icmp --  anywhere                      anywhere            icmp time-exceeded
RETURN        icmp --  anywhere                      anywhere

Chain tcp_inbound (1 references)
target        prot opt source                        destination
ACCEPT        tcp  --  anywhere                      anywhere            tcp dpt:http
ACCEPT        tcp  --  anywhere                      anywhere            tcp dpt:webcache
ACCEPT        tcp  --  anywhere                      anywhere            tcp dpt:https
ACCEPT        tcp  --  anywhere                      anywhere            tcp dpt:ftp
ACCEPT        tcp  --  anywhere                      anywhere            tcp spt:ftp-data
ACCEPT        tcp  --  anywhere                      anywhere            tcp dpts:62000:64000
ACCEPT        tcp  --  anywhere                      anywhere            tcp dpt:ssh
ACCEPT        tcp  --  anywhere                      anywhere            tcp dpts:5000:5100
ACCEPT        tcp  --  anywhere                      anywhere            tcp dpt:squid
RETURN        tcp  --  anywhere                      anywhere

Chain tcp_outbound (1 references)
target        prot opt source                        destination
ACCEPT        tcp  --  anywhere                      anywhere            tcp dpt:http
REJECT        tcp  --  anywhere                      anywhere            tcp dpt:irc reject-with icmp-port-unreachable
REJECT        tcp  --  anywhere                      anywhere            tcp dpt:telnet reject-with icmp-port-unreachable
REJECT        tcp  --  anywhere                      anywhere            tcp dpt:nntp reject-with icmp-port-unreachable
REJECT        tcp  --  anywhere                      anywhere            tcp dpt:4443 reject-with icmp-port-unreachable
REJECT        tcp  --  anywhere                      anywhere            tcp dpt:1863 reject-with icmp-port-unreachable
REJECT        tcp  --  anywhere                      anywhere            tcp dpt:smtp reject-with icmp-port-unreachable
REJECT        tcp  --  anywhere                      anywhere            tcp dpt:pop3 reject-with icmp-port-unreachable
REJECT        tcp  --  anywhere                      anywhere            tcp dpt:imap reject-with icmp-port-unreachable
ACCEPT        tcp  --  anywhere                      anywhere

Chain udp_inbound (1 references)
target        prot opt source                        destination
DROP          udp  --  anywhere                      anywhere            udp dpt:netbios-ns
DROP          udp  --  anywhere                      anywhere            udp dpt:netbios-dgm
ACCEPT        udp  --  anywhere                      anywhere            udp dpt:domain
ACCEPT        udp  --  anywhere                      anywhere            udp dpt:3128
RETURN        udp  --  anywhere                      anywhere

Chain udp_outbound (1 references)
target        prot opt source                        destination
REJECT        udp  --  anywhere                      anywhere            udp dpt:4000 reject-with icmp-port-unreachable
ACCEPT        udp  --  anywhere                      anywhere
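In the attached ruleset the FORWARD chain accepts forwarded TCP to dpt:http (via tcp_outbound) and then ends in an unconditional ACCEPT, so a LAN client pointed straight at the Internet is routed past Squid and never reaches the password prompt. The deny-all ruleset the post asks about, as an added example that is not part of the thread: LAN 192.168.1.0/24 on eth0 and a Squid process running as user "squid" on TCP 3128 are assumptions.

```shell
#!/bin/sh
# Minimal deny-by-default ruleset for a host running a non-transparent,
# authenticating Squid. Added example; the values below are assumptions,
# not taken from the original thread: LAN 192.168.1.0/24 on eth0, Squid on
# TCP 3128 running as user "squid". Override them via environment variables.
IPT="${IPT:-iptables}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"
SQUID_USER="${SQUID_USER:-squid}"

build_rules() {
  # Default policy DROP on all three chains. FORWARD gets no ACCEPT rules at
  # all, so clients cannot reach port 80 directly: every web request must
  # terminate at the proxy, which is where the password is asked for.
  $IPT -F
  $IPT -X
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT DROP
  # Loopback, plus replies belonging to connections already accepted.
  $IPT -A INPUT  -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Inbound: only LAN clients, only new connections to the proxy port.
  $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 3128 \
       -m state --state NEW -j ACCEPT
  # Outbound: only the Squid process may open HTTP/HTTPS connections
  # (the owner match is valid in OUTPUT only); DNS so it can resolve names.
  $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 \
       -m owner --uid-owner "$SQUID_USER" -m state --state NEW -j ACCEPT
  $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
  # Rate-limited logging of whatever falls through to the DROP policy.
  $IPT -A INPUT   -m limit --limit 3/min -j LOG --log-prefix "INPUT died: "
  $IPT -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "FORWARD died: "
  $IPT -A OUTPUT  -m limit --limit 3/min -j LOG --log-prefix "OUTPUT died: "
}

# Dry-run audit helper: count generated rules matching a regex, so the
# ruleset can be checked (e.g. zero ACCEPTs in FORWARD) before applying it.
count_rules() {
  (IPT=echo; build_rules) | grep -c -- "$1" || true
}

case "${1:-}" in
  --apply)   build_rules ;;            # as root: install the rules
  --dry-run) IPT=echo; build_rules ;;  # print the iptables commands instead
esac
```

Run with `--dry-run` first and confirm that `count_rules '-A FORWARD .*-j ACCEPT'` reports 0 before installing with `--apply`.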