Date: Fri, 28 May 2004 12:58:55 +0300
From: Michael Shigorin
To: community@altlinux.ru
Message-ID: <20040528095855.GJ9051@osdn.org.ua>
References: <662062212.20040527153228@eip.ru>
User-Agent: Mutt/1.4.2.1i
List-Id: Mailing list for ALT Linux users
Subject: [Comm] Re: How to restart IPTABLES without rebooting the machine?

On Fri, May 28, 2004 at 11:03:05AM +0300, Maxim Tyurin wrote:
> > Could someone tell me how to restart iptables properly?
> > I put my rules in the file /etc/sysconfig/iptables
> You shouldn't write there (more precisely, it is strongly discouraged).

Oh, come on. Replicating one's favourite templates is a favourite pastime, after all :)

For the archive, I'm attaching one for eth0 -> 10.0.1.0/24, eth1 -> outside (to a DSL modem, for example), with a few convenient hooks and snippets.

> That's where iptables writes to/reads from

iptables-{save,restore}, to be precise.

-- 
---- WBR, Michael Shigorin ------ Linux.Kiev http://www.linux.kiev.ua/

[Attachment: iptables (text/plain)]

# Generated by iptables-save v1.2.6a on Thu Nov 21 21:15:39 2002
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d _REAL_IP -i eth0 -p tcp -m tcp --dport _EXT_PORT -j DNAT --to-destination _INT_HOST:_INT_PORT
-A POSTROUTING -s 10.0.1.0/24 -d ! 10.0.1.0/24 -j SNAT --to-source _REAL_IP
COMMIT
# Completed on Thu Nov 21 21:15:39 2002
# Generated by iptables-save v1.2.6a on Thu Nov 21 21:15:39 2002
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Nov 21 21:15:39 2002
# Generated by iptables-save v1.2.6a on Thu Nov 21 21:15:39 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eth1-in - [0:0]
:eth1-out - [0:0]
:tcprules - [0:0]
-A INPUT -i eth1 -j eth1-in
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -s 10.0.1.0/24 -d 10.0.1.1 -i eth0 -j ACCEPT
-A INPUT -s 10.0.1.0/24 -d _REAL_IP -i eth0 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -j tcprules
# block :25 to world (only through 10.0.1.1:25)
-A FORWARD -s 10.0.1.0/24 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j tcprules
-A OUTPUT -o eth1 -j eth1-out
-A eth1-in -j RETURN
-A eth1-out -j RETURN
-A tcprules -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tcprules -i ! eth1 -m state --state NEW -j ACCEPT
-A tcprules -i eth1 -m state --state INVALID,NEW -j DROP
-A tcprules -i eth1 -j REJECT --reject-with icmp-host-unreachable
COMMIT
# Completed on Thu Nov 21 21:15:39 2002
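The reply's point is that /etc/sysconfig/iptables is what iptables-save writes and iptables-restore reads, so a "restart" is really a reload of that dump. The attachment is a template with _REAL_IP, _EXT_PORT, _INT_HOST and _INT_PORT left as placeholders. The script below is an added example written for this edit, not code from the original mail, from the poster or from ALT Linux. It renders a trimmed, constructed copy of the attached template, checks it for the mistakes that make iptables-restore abort part-way (leftover placeholders, a table without COMMIT, jumps to undeclared chains), and shows the reload with an automatic rollback so a bad ruleset cannot lock you out of a remote box. The address 203.0.113.5, the ports and 10.0.1.10 are made-up demo values; apply_ruleset needs root and a real iptables and is not run by the checks.

```shell
#!/bin/sh
# Added example, not part of the original mail or of ALT Linux's own tooling.
# Renders the attachment's placeholder template (_REAL_IP, _EXT_PORT,
# _INT_HOST, _INT_PORT are the attachment's own tokens), sanity-checks it,
# and loads it through iptables-restore instead of hand-editing the dump.
set -eu

# Constructed sample: a trimmed copy of the attached template.
RULES_TEMPLATE=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d _REAL_IP -i eth0 -p tcp -m tcp --dport _EXT_PORT -j DNAT --to-destination _INT_HOST:_INT_PORT
-A POSTROUTING -s 10.0.1.0/24 -d ! 10.0.1.0/24 -j SNAT --to-source _REAL_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:tcprules - [0:0]
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j tcprules
-A FORWARD -s 10.0.1.0/24 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j tcprules
-A tcprules -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tcprules -i ! eth1 -m state --state NEW -j ACCEPT
-A tcprules -i eth1 -j REJECT --reject-with icmp-host-unreachable
COMMIT
EOF
)

# render_ruleset REAL_IP EXT_PORT INT_HOST INT_PORT
# Fills in the placeholders; '|' is the sed delimiter so CIDR values containing '/' work.
render_ruleset() {
    printf '%s\n' "$RULES_TEMPLATE" | sed \
        -e "s|_REAL_IP|$1|g" -e "s|_EXT_PORT|$2|g" \
        -e "s|_INT_HOST|$3|g" -e "s|_INT_PORT|$4|g"
}

# check_ruleset (reads the dump on stdin)
# Catches what makes iptables-restore abort half-way and leave a partially
# loaded policy: leftover placeholders, a table not closed by COMMIT, and
# jumps to chains that are never declared. Exit 0 = looks loadable,
# exit 1 = problems (reasons printed on stdout).
check_ruleset() {
    rules=$(cat)
    if printf '%s\n' "$rules" | grep -Eq '(^|[ :])_[A-Z_]+'; then
        echo "unrendered placeholder left in ruleset"
        return 1
    fi
    printf '%s\n' "$rules" | awk '
        BEGIN { n = split("ACCEPT DROP REJECT RETURN SNAT DNAT MASQUERADE LOG", t, " ")
                for (i = 1; i <= n; i++) builtin[t[i]] = 1 }
        /^#/ || /^$/ { next }
        /^\*/ { if (open) { print "table " table " not closed by COMMIT"; bad = 1 }
                table = substr($0, 2); open = 1
                split("", chains); split("", wanted); next }
        /^COMMIT$/ { if (!open) { print "COMMIT outside a table"; bad = 1 }
                     for (c in wanted) if (!(c in chains)) {
                         print "table " table ": chain " c " used but never declared"; bad = 1 }
                     open = 0; next }
        /^:/ { sub(/^:/, ""); chains[$1] = 1; next }
        /^-A / { if (!open) { print "rule outside a table: " $0; bad = 1; next }
                 wanted[$2] = 1
                 for (i = 1; i < NF; i++)
                     if ($i == "-j" && !($(i + 1) in builtin)) wanted[$(i + 1)] = 1
                 next }
        { print "unrecognised line: " $0; bad = 1 }
        END { if (open) { print "table " table " not closed by COMMIT"; bad = 1 }
              exit bad + 0 }'
}

# apply_ruleset FILE
# The actual restart: save what is loaded now, load the new set, and schedule
# an automatic rollback. On a remote box, kill the printed PID once you have
# confirmed you can still get in; otherwise the old rules return by themselves
# after ROLLBACK_SECS (default 60). Needs root and iptables; not run by the checks.
apply_ruleset() {
    backup=$(mktemp)
    iptables-save > "$backup"
    iptables-restore < "$1"
    ( sleep "${ROLLBACK_SECS:-60}" && iptables-restore < "$backup" ) &
    echo "$!"
}

# Stand-alone use: ./fw.sh --demo renders and checks the sample ruleset.
if [ "${1:-}" = "--demo" ]; then
    render_ruleset 203.0.113.5 8080 10.0.1.10 80 > /tmp/iptables.rendered
    check_ruleset < /tmp/iptables.rendered && echo "ruleset ok: /tmp/iptables.rendered"
fi
```

Run check_ruleset before every reload, including the file iptables-save itself wrote: a dump that references a chain which was later renamed, or a table block that lost its COMMIT in an editor, fails inside iptables-restore and leaves the kernel with whatever had been committed up to that point. The rollback timer in apply_ruleset is the other half of that: the first reload of a new ruleset over SSH should always have a way back that does not depend on you still being connected.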