From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 22 Dec 2004 15:49:03 +0200
From: Michael Shigorin
To: community@altlinux.ru
Message-ID: <20041222134903.GF9534@osdn.org.ua>
In-Reply-To: <41C75352.7050103@vostok.net.ua>
References: <20041216191505.2f044fc6.kirienko@mccme.ru> <5310135056.20041216183044@vostok.net.ua> <200412170959.16137.combr@vesna.ru> <1988056954.20041217132020@vostok.net.ua> <20041220150308.GO27134@wrars-comp.wrarsdomain> <41C75352.7050103@vostok.net.ua>
Subject: [Comm] iptables vs ipchains (was: How to set up a gateway to the Internet?)
List-Id: Mailing list for ALT Linux users
Reply-To: community@altlinux.ru
User-Agent: Mutt/1.4.2.1i

On Mon, Dec 20, 2004 at 10:33:54PM +0000, Alexey S. Kuznetsov wrote:
> >> Let the person start from the very beginning, then move on
> >> to the newer stuff :-)
> > What's the point?
> One needs to understand the concept, not mindlessly memorize commands.
> I think one should know both the old and the new versions of the software.

My friend, explain to me, dim as I am, what sort of concept there is in
ipchains and what the point is of using it (or, in that case, ipfwadm)
under modern kernels, apart from quick porting (and even that has its
nuances, such as the different behaviour of ipchains -L -z under 2.2
and 2.4)?

I'll say this: building a proper firewall on iptables is far less of a
headache and much more effective than on ipchains or its predecessor
ipfwadm, if only thanks to statefulness, that is, being able to refer
to connections, for example by saying "accept replies to what was
initiated from our side".

PS: my stock template is attached; if anyone, by way of thanks, checks
it, polishes it, checks it again and proposes it for the FAQ -- welcome.
-- 
 ---- WBR, Michael Shigorin
 ------ Linux.Kiev http://www.linux.kiev.ua/

[Attachment: iptables (text/plain, us-ascii)]

# Generated by iptables-save v1.2.6a on Thu Nov 21 21:15:39 2002
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d _REAL_IP -i eth0 -p tcp -m tcp --dport _EXT_PORT -j DNAT --to-destination _INT_HOST:_INT_PORT
-A POSTROUTING -s 10.0.1.0/24 -d ! 10.0.1.0/24 -j SNAT --to-source _REAL_IP
COMMIT
# Completed on Thu Nov 21 21:15:39 2002
# Generated by iptables-save v1.2.6a on Thu Nov 21 21:15:39 2002
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Nov 21 21:15:39 2002
# Generated by iptables-save v1.2.6a on Thu Nov 21 21:15:39 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eth1-in - [0:0]
:eth1-out - [0:0]
:tcprules - [0:0]
-A INPUT -i eth1 -j eth1-in
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -s 10.0.1.0/24 -d 10.0.1.1 -i eth0 -j ACCEPT
-A INPUT -s 10.0.1.0/24 -d _REAL_IP -i eth0 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -j tcprules
# block :25 to world (only through 10.0.1.1:25)
-A FORWARD -s 10.0.1.0/24 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j tcprules
-A OUTPUT -o eth1 -j eth1-out
-A eth1-in -j RETURN
-A eth1-out -j RETURN
-A tcprules -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tcprules -i ! eth1 -m state --state NEW -j ACCEPT
-A tcprules -i eth1 -m state --state INVALID,NEW -j DROP
-A tcprules -i eth1 -j REJECT --reject-with icmp-host-unreachable
COMMIT
# Completed on Thu Nov 21 21:15:39 2002
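Added illustration, not part of the original post or of the attached template: a small Python model of how the tcprules chain in the template behaves once connection tracking supplies the NEW/ESTABLISHED/INVALID states that the message credits iptables for. The tracker is a deliberately simplified stand-in for nf_conntrack (no NAT, no RELATED helpers, no mid-stream pick-up of untracked ACKs), and the interface roles (eth0 = LAN, eth1 = uplink), addresses, ports and packets are constructed sample values.

```python
"""Toy model of the 'tcprules' chain from the attached iptables template.

Added illustration, not the list post's own code.  Assumptions (constructed
for this example): eth0 is the LAN side, eth1 is the uplink; addresses,
ports and packets are sample values; NAT, RELATED helpers and conntrack's
mid-stream pick-up of untracked ACKs are not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "eth0" (LAN) or "eth1" (uplink)
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool    # TCP SYN flag
    ack: bool    # TCP ACK flag


class ConnTracker:
    """Minimal stand-in for nf_conntrack: remembers accepted 4-tuples."""

    def __init__(self):
        self.flows = set()   # entries: (src, sport, dst, dport) of the initiator

    def state(self, pkt):
        """Classify a packet the way '-m state' would see it."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return "ESTABLISHED"     # part of a flow we already know, either direction
        if pkt.syn and not pkt.ack:
            return "NEW"             # a connection-opening SYN
        return "INVALID"             # e.g. a stray ACK belonging to no tracked flow

    def commit(self, pkt, verdict):
        """Only an accepted NEW packet creates a tracking entry, as in netfilter."""
        if verdict == "ACCEPT" and self.state(pkt) == "NEW":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))


def tcprules(pkt, ct):
    """The four rules of the template's 'tcprules' chain, in their original order."""
    st = ct.state(pkt)
    # -A tcprules -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    if pkt.iface == "eth1" and st in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    # -A tcprules -i ! eth1 -m state --state NEW -j ACCEPT
    if pkt.iface != "eth1" and st == "NEW":
        return "ACCEPT"
    # -A tcprules -i eth1 -m state --state INVALID,NEW -j DROP
    if pkt.iface == "eth1" and st in ("INVALID", "NEW"):
        return "DROP"
    # -A tcprules -i eth1 -j REJECT --reject-with icmp-host-unreachable
    if pkt.iface == "eth1":
        return "REJECT"
    # No rule matched: back to the calling chain (INPUT/FORWARD), whose policy is ACCEPT
    return "RETURN"


def run(packets):
    """Feed packets through the chain in order, updating the tracker after each verdict."""
    ct = ConnTracker()
    verdicts = []
    for pkt in packets:
        verdict = tcprules(pkt, ct)
        ct.commit(pkt, verdict)
        verdicts.append(verdict)
    return verdicts


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_PACKETS = [
    # 1. LAN host opens a web connection outwards: NEW on eth0
    Packet("eth0", "10.0.1.5", 40000, "203.0.113.10", 80, syn=True, ack=False),
    # 2. The server's SYN/ACK comes back on the uplink: ESTABLISHED on eth1
    Packet("eth1", "203.0.113.10", 80, "10.0.1.5", 40000, syn=True, ack=True),
    # 3. Unsolicited SYN to the LAN host's SSH port from the uplink: NEW on eth1
    Packet("eth1", "198.51.100.7", 55555, "10.0.1.5", 22, syn=True, ack=False),
    # 4. A bare ACK with no tracked flow behind it: INVALID on eth1
    Packet("eth1", "198.51.100.7", 1, "10.0.1.5", 22, syn=False, ack=True),
    # 5. Data from the LAN side of the flow opened in 1: ESTABLISHED on eth0
    Packet("eth0", "10.0.1.5", 40000, "203.0.113.10", 80, syn=False, ack=True),
]


def demo():
    """Verdicts for SAMPLE_PACKETS, in order: ACCEPT, ACCEPT, DROP, DROP, RETURN."""
    return run(SAMPLE_PACKETS)


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, demo()):
        print(f"{pkt.iface} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

Running demo() walks five packets through the chain: the LAN-initiated SYN is accepted as NEW, the reply arriving on eth1 is accepted as ESTABLISHED, an unsolicited SYN and a stray ACK on eth1 are both dropped, and a LAN-side data packet of the established flow matches no rule and returns from the chain, so it is the ACCEPT policy of INPUT and FORWARD that finally admits it. That last case is the one to keep in mind when tightening the template: with a DROP policy, LAN-side ESTABLISHED traffic would need its own ACCEPT rule.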