From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 2 Nov 2004 10:41:22 +0200
From: Michael Shigorin
To: community@altlinux.ru
Reply-To: community@altlinux.ru
Subject: [Comm] Re: IPTABLES autostart
Message-ID: <20041102084122.GY18130@osdn.org.ua>
In-Reply-To: <003201c4c0b7$5fc487c0$0200a8c0@mliner.ru>
References: <20041028145800.GE18130@osdn.org.ua> <003201c4c0b7$5fc487c0$0200a8c0@mliner.ru>
User-Agent: Mutt/1.4.2.1i
List-Id: Mailing list for ALT Linux users (community@altlinux.ru)
X-List-Received-Date: Tue, 02 Nov 2004 08:41:28 -0000

On Tue, Nov 02, 2004 at 11:38:48AM +0300, sl wrote:
> I'm reading and, to start with, picking suitable settings from
> rc.UTIN.firewall (from the docs). Question: where should this script
> be put?
Where exactly. And where did that come from, I mean, which doc?
And what exactly is the task?

If it's about configuring iptables -- it's usually easier to do that
once, by whatever means, then service iptables save, and from then on
simply edit /etc/sysconfig/iptables followed by service iptables reload;
if it's "where to stick the script" -- well, call it from
/etc/rc.d/rc.local, for example (create it as executable if it doesn't
exist) -- only, usually all those "scripts from the iptables docs" are
crooked and horrible beyond belief. From some doc that was lying around
somewhere, that is.

Attaching my standard boilerplate rules dump.

-- 
---- WBR, Michael Shigorin ------ Linux.Kiev http://www.linux.kiev.ua/

Attachment: iptables (text/plain)

# Generated by iptables-save v1.2.6a on Thu Nov 21 21:15:39 2002
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d _REAL_IP -i eth0 -p tcp -m tcp --dport _EXT_PORT -j DNAT --to-destination _INT_HOST:_INT_PORT
-A POSTROUTING -s 10.0.1.0/24 -d ! 10.0.1.0/24 -j SNAT --to-source _REAL_IP
COMMIT
# Completed on Thu Nov 21 21:15:39 2002
# Generated by iptables-save v1.2.6a on Thu Nov 21 21:15:39 2002
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Nov 21 21:15:39 2002
# Generated by iptables-save v1.2.6a on Thu Nov 21 21:15:39 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eth1-in - [0:0]
:eth1-out - [0:0]
:tcprules - [0:0]
-A INPUT -i eth1 -j eth1-in
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -s 10.0.1.0/24 -d 10.0.1.1 -i eth0 -j ACCEPT
-A INPUT -s 10.0.1.0/24 -d _REAL_IP -i eth0 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -j tcprules
# block :25 to world (only through 10.0.1.1:25)
-A FORWARD -s 10.0.1.0/24 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j tcprules
-A OUTPUT -o eth1 -j eth1-out
-A eth1-in -j RETURN
-A eth1-out -j RETURN
-A tcprules -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tcprules -i ! eth1 -m state --state NEW -j ACCEPT
-A tcprules -i eth1 -m state --state INVALID,NEW -j DROP
-A tcprules -i eth1 -j REJECT --reject-with icmp-host-unreachable
COMMIT
# Completed on Thu Nov 21 21:15:39 2002
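The advice above is to keep the ruleset in /etc/sysconfig/iptables (the iptables-save format of the attached dump) and reload it with service iptables reload. What a defender wants before each reload is a quick read of what that file actually exposes. The following is an added example, not code from the message, from ALT Linux's init script or from iptables itself: a small Python parser for the iptables-save format plus two checks run over a trimmed excerpt of the attached filter table (the author's _REAL_IP placeholder is kept). All function names are my own; the parser also understands the old "-i ! eth1" negation spelling that iptables 1.2.x writes, alongside the newer "! -i eth1" form.

```python
"""Parse an iptables-save dump (what "service iptables save" writes to
/etc/sysconfig/iptables) and audit its filter table before a reload.
Added example: not code from the message, ALT Linux or iptables."""
import shlex

# Trimmed excerpt of the filter table from the dump attached to the message;
# the author's _REAL_IP placeholder is kept as-is.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.2.6a on Thu Nov 21 21:15:39 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eth1-in - [0:0]
:tcprules - [0:0]
-A INPUT -i eth1 -j eth1-in
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -j tcprules
-A eth1-in -j RETURN
-A tcprules -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tcprules -i ! eth1 -m state --state NEW -j ACCEPT
-A tcprules -i eth1 -m state --state INVALID,NEW -j DROP
-A tcprules -i eth1 -j REJECT --reject-with icmp-host-unreachable
COMMIT
"""


def parse_dump(text):
    """Return {table: {"policies": {chain: policy}, "rules": [[chain, opt, ...]]}}.
    Custom chains carry the policy "-" in iptables-save output."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or "# Generated by" comment
        if line.startswith("*"):          # "*filter": start of a table block
            table = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif table is None:
            raise ValueError("line outside a table block: " + raw)
        elif line.startswith(":"):        # ":INPUT ACCEPT [0:0]": chain declaration
            chain, policy, _counters = line[1:].split(None, 2)
            table["policies"][chain] = policy
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A "):      # rule: drop "-A", keep [chain, options...]
            table["rules"].append(shlex.split(line)[1:])
        else:
            raise ValueError("unrecognised line: " + raw)
    return tables


def rule_options(tokens):
    """Map option -> (negated, value); understands both the old "-i ! eth1"
    spelling written by iptables 1.2.x and the newer "! -i eth1" one."""
    opts, negate, i = {}, False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True
        elif tok.startswith("-"):
            value, negated, negate = None, negate, False
            if i + 1 < len(tokens) and tokens[i + 1] == "!":
                negated, i = True, i + 1
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                value, i = tokens[i + 1], i + 1
            opts[tok] = (negated, value)
        i += 1
    return opts


def accepted_ports(table, chain="INPUT"):
    """(proto, dport, in_iface) for every rule in `chain` that ACCEPTs a port:
    the services the dump exposes, to compare against what was intended."""
    found = []
    for rule in table["rules"]:
        if rule[0] != chain:
            continue
        o = rule_options(rule[1:])
        if "--dport" in o and o.get("-j", (False, None))[1] == "ACCEPT":
            found.append((o["-p"][1], o["--dport"][1], o.get("-i", (False, None))[1]))
    return found


def audit(table):
    """Things to know before reloading: built-in chains whose policy is ACCEPT
    (anything the rules miss is allowed) and custom chains that do nothing yet."""
    warnings = []
    for chain, policy in table["policies"].items():
        body = [r[1:] for r in table["rules"] if r[0] == chain]
        if policy == "ACCEPT":
            warnings.append(chain + ": policy ACCEPT, unmatched traffic is allowed")
        elif policy == "-" and all(r == ["-j", "RETURN"] for r in body):
            warnings.append(chain + ": custom chain is empty or RETURN-only")
    return warnings


if __name__ == "__main__":
    filt = parse_dump(SAMPLE_DUMP)["filter"]
    print("ports accepted on INPUT:", accepted_ports(filt))
    for w in audit(filt):
        print("WARN", w)
```

Run it as-is against the embedded excerpt, or replace SAMPLE_DUMP with the contents of /etc/sysconfig/iptables; on the excerpt it lists tcp/22 and udp/53 on eth0 as accepted, warns that INPUT, FORWARD and OUTPUT all rely on an ACCEPT policy, and points out that eth1-in is still a RETURN-only placeholder, which is exactly the kind of thing a hand-rolled "script from the docs" hides.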