From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <raorn@immo.ru>
Date: Wed, 22 Dec 2004 18:00:04 +0300
From: "Alexey I. Froloff" <raorn@immo.ru>
To: ALT Linux Community <community@altlinux.ru>
Subject: Re: [Comm] iptables vs ipchains
Message-ID: <20041222150004.GI544@immo.ru>
Mail-Followup-To: ALT Linux Community <community@altlinux.ru>
References: <20041216191505.2f044fc6.kirienko@mccme.ru>
	<41C98113.8020607@iop.kiev.ua> <41C983EC.2010702@ricom.ru>
	<200412221647.56030.serge@ukr-fin.com.ua>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="KrHCbChajFcK0yQE"
Content-Disposition: inline
In-Reply-To: <200412221647.56030.serge@ukr-fin.com.ua>
User-Agent: Mutt/1.5.6+cvs20041102i
X-Virus-Scanned: by amavisd-new at immo.ru
X-BeenThere: community@altlinux.ru
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: community@altlinux.ru
List-Id: Mailing list for ALT Linux users <community.altlinux.ru>
List-Unsubscribe: <https://lists.altlinux.ru/mailman/listinfo/community>,
	<mailto:community-request@altlinux.ru?subject=unsubscribe>
List-Archive: <http://lists.altlinux.ru/pipermail/community>
List-Post: <mailto:community@altlinux.ru>
List-Help: <mailto:community-request@altlinux.ru?subject=help>
List-Subscribe: <https://lists.altlinux.ru/mailman/listinfo/community>,
	<mailto:community-request@altlinux.ru?subject=subscribe>
X-List-Received-Date: Wed, 22 Dec 2004 15:00:16 -0000
X-List-Received-Date: Wed, 22 Dec 2004 15:00:16 -0000
Archived-At: <http://lore.altlinux.org/community/20041222150004.GI544@immo.ru/>
List-Archive: <http://lore.altlinux.org/community/>
List-Post: <mailto:mandrake-russian@linuxteam.iplabs.ru>


--KrHCbChajFcK0yQE
Content-Type: multipart/mixed; boundary="AzNpbZlgThVzWita"
Content-Disposition: inline


--AzNpbZlgThVzWita
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

* Serge Polkovnikov <serge@> [041222 17:49]:
> > =E1 =D7=CF=D4 =CD=CF=D1 =C2=CF=CC=D7=C1=CE=CB=C1 - =CB=CF=CD=D5 =CE=C1=
=D4=D8 - use it or modify :)
> =EE=D5 =D2=C1=DA =D0=CF=DB=CC=C1 =D4=C1=CB=C1=D1 =D0=D8=D1=CE=CB=C1, =D4=
=CF =D7=CF=D4 =D4=CF =DE=D4=CF =D1 =C4=CC=D1 =D3=C5=C2=D1 =D3=C4=C5=CC=C1=
=CC...
=E1?  =FE=D4=CF?  =F0=C5=D2=C5=D0=C9=D3=D8?

=ED=C5=CE=D1 =D4=CF=D6=C5 =DA=C1=D0=C9=DB=C9=D4=C5 ;-)

--=20
Regards, Sir Raorn.
-------------------
=FC=CC=C5=CB=D4=D2=C9=DE=C5=D3=D4=D7=C1 =CE=C5=D4, =CE=CF =CD=D9 =D2=C1=C2=
=CF=D4=C1=C5=CD!
		-- aen in devel@

--AzNpbZlgThVzWita
Content-Type: application/x-sh
Content-Disposition: attachment; filename="fw.sh"
Content-Transfer-Encoding: quoted-printable

#!/bin/sh=0A=0AIPT=3D"/sbin/iptables"=0A=0Awan_if=3D"ethA"=0Alan_if=3D"ethB=
"=0A=0Alan=3D"a.b.c.d/e"=0Awan_ip=3D"f.g.h.i"=0A=0Alan_to_me_allow_tcp=3D"2=
1 22 25 3306"=0Alan_to_me_allow_udp=3D"53"=0A=0Awan_to_me_allow_tcp=3D"22"=
=0Awan_to_me_allow_udp=3D""=0A=0Aicmp_allow=3D"3 5 8 11 12"=0A=0Achains=3D`=
cat /proc/net/ip_tables_names 2>/dev/null`=0Afor i in $chains; do=0A		$IPT =
-t $i -F=0A		$IPT -t $i -X=0Adone=0A=0A$IPT -P INPUT DROP =0A$IPT -P FORWAR=
D DROP=0A$IPT -P OUTPUT ACCEPT=0A=0Aif [ -n "$icmp_allow" ]; then=0A	for ty=
pe in $icmp_allow; do=0A		$IPT -A INPUT -p icmp --icmp-type $type -j ACCEPT=
=0A		$IPT -A FORWARD -p icmp --icmp-type $type -j ACCEPT=0A	done=0Afi=0A=0A=
$IPT -A FORWARD -i $lan_if -s $lan -m state --state NEW -j ACCEPT=0A$IPT -A=
 FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT=0A=0A$IPT -A INPUT =
-i $wan_if -p all -s 10.0.0.0/8 -j DROP=0A$IPT -A INPUT -i $wan_if -p all -=
s 172.16.0.0/12 -j DROP=0A$IPT -A INPUT -i $wan_if -p all -s 192.168.0.0/16=
 -j DROP=0A$IPT -A INPUT -i $lan_if -p all -s ! $lan -j DROP=0A=0A$IPT -A I=
NPUT -p tcp ! --syn -m state --state NEW -j DROP=0A=0A$IPT -A INPUT -m stat=
e --state ESTABLISHED,RELATED -j ACCEPT=0A=0Aif [ -n "$wan_to_me_allow_tcp"=
 ]; then=0A	for port in $wan_to_me_allow_tcp; do=0A		$IPT -A INPUT -p tcp -=
i $wan_if --dport $port -j ACCEPT=0A		$IPT -A INPUT -p tcp -i lo --dport $p=
ort -j ACCEPT=0A	done=0Afi=0A=0Aif [ -n "$wan_to_me_allow_udp" ]; then=0A	f=
or port in $wan_to_me_allow_udp; do=0A		$IPT -A INPUT -p udp -i $wan_if --d=
port $port -j ACCEPT=0A		$IPT -A INPUT -p udp -i lo --dport $port -j ACCEPT=
=0A	done=0Afi=0A=0Aif [ -n "$lan_to_me_allow_tcp" ]; then=0A	for port in $l=
an_to_me_allow_tcp; do=0A		$IPT -A INPUT -p tcp -i $lan_if --dport $port -j=
 ACCEPT=0A		$IPT -A INPUT -p tcp -i lo --dport $port -j ACCEPT=0A	done=0Afi=
=0A=0Aif [ -n "$lan_to_me_allow_udp" ]; then=0A	for port in $lan_to_me_allo=
w_udp; do=0A		$IPT -A INPUT -p udp -i $lan_if --dport $port -j ACCEPT=0A		$=
IPT -A INPUT -p udp -i lo --dport $port -j ACCEPT=0A	done=0Afi=0A=0A$IPT -t=
 nat -A POSTROUTING -o $wan_if -j SNAT --to-source $wan_ip=0A=0A
--AzNpbZlgThVzWita--

--KrHCbChajFcK0yQE
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFByYv0VqT7+fkT8woRAim+AKDeNd/dNtDEUKNgkM19fLde6FseVACgp6/i
yDxhRTc5XSBwJn4s59MnLhQ=
=jMx/
-----END PGP SIGNATURE-----

--KrHCbChajFcK0yQE--