Date: Wed, 22 Dec 2004 18:00:04 +0300
From: "Alexey I. Froloff"
To: ALT Linux Community <community@altlinux.ru>
Subject: Re: [Comm] iptables vs ipchains
Message-ID: <20041222150004.GI544@immo.ru>
In-Reply-To: <200412221647.56030.serge@ukr-fin.com.ua>
References: <20041216191505.2f044fc6.kirienko@mccme.ru> <41C98113.8020607@iop.kiev.ua> <41C983EC.2010702@ricom.ru> <200412221647.56030.serge@ukr-fin.com.ua>
User-Agent: Mutt/1.5.6+cvs20041102i
List-Id: Mailing list for ALT Linux users <community@altlinux.ru>

* Serge Polkovnikov [041222 17:49]:
> > Here is my template; whoever needs it, use it or modify it :)
> Well, since the party has started, here is what I made for myself...
Huh? What? A census? Sign me up too ;-)

-- 
Regards, Sir Raorn.
-------------------
There is no electricity, but we are working!
 -- aen in devel@

[Attachment: fw.sh (application/x-sh)]

#!/bin/sh
# Simple stateful NAT firewall for a box with one WAN and one LAN interface.
# Interface names and addresses are placeholders; fill in your own.

IPT="/sbin/iptables"

wan_if="ethA"
lan_if="ethB"

lan="a.b.c.d/e"       # LAN prefix (network/mask)
wan_ip="f.g.h.i"      # public address used for SNAT

# Ports on this host that the LAN may reach (ftp, ssh, smtp, mysql; dns)
lan_to_me_allow_tcp="21 22 25 3306"
lan_to_me_allow_udp="53"

# Ports on this host that the WAN may reach (ssh only)
wan_to_me_allow_tcp="22"
wan_to_me_allow_udp=""

# ICMP types accepted and forwarded: dest-unreachable, redirect, echo-request,
# time-exceeded, parameter-problem
icmp_allow="3 5 8 11 12"

# Flush and delete user chains in every table that is currently loaded
# (/proc/net/ip_tables_names lists tables, not chains).
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $chains; do
    $IPT -t $i -F
    $IPT -t $i -X
done

# Default policies: drop what is not explicitly allowed in, let everything out
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

if [ -n "$icmp_allow" ]; then
    for type in $icmp_allow; do
        $IPT -A INPUT -p icmp --icmp-type $type -j ACCEPT
        $IPT -A FORWARD -p icmp --icmp-type $type -j ACCEPT
    done
fi

# Forwarding: LAN hosts may open new connections; replies are tracked by state
$IPT -A FORWARD -i $lan_if -s $lan -m state --state NEW -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Anti-spoofing: RFC 1918 sources must not arrive on the WAN side,
# and only the LAN prefix may arrive on the LAN side
$IPT -A INPUT -i $wan_if -p all -s 10.0.0.0/8 -j DROP
$IPT -A INPUT -i $wan_if -p all -s 172.16.0.0/12 -j DROP
$IPT -A INPUT -i $wan_if -p all -s 192.168.0.0/16 -j DROP
# (pre-1.4 negation syntax; current iptables expects "! -s $lan")
$IPT -A INPUT -i $lan_if -p all -s ! $lan -j DROP

# A NEW TCP connection must start with a SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Per-port ACCEPTs for the listed services, on the given interface and on lo
if [ -n "$wan_to_me_allow_tcp" ]; then
    for port in $wan_to_me_allow_tcp; do
        $IPT -A INPUT -p tcp -i $wan_if --dport $port -j ACCEPT
        $IPT -A INPUT -p tcp -i lo --dport $port -j ACCEPT
    done
fi

if [ -n "$wan_to_me_allow_udp" ]; then
    for port in $wan_to_me_allow_udp; do
        $IPT -A INPUT -p udp -i $wan_if --dport $port -j ACCEPT
        $IPT -A INPUT -p udp -i lo --dport $port -j ACCEPT
    done
fi

if [ -n "$lan_to_me_allow_tcp" ]; then
    for port in $lan_to_me_allow_tcp; do
        $IPT -A INPUT -p tcp -i $lan_if --dport $port -j ACCEPT
        $IPT -A INPUT -p tcp -i lo --dport $port -j ACCEPT
    done
fi

if [ -n "$lan_to_me_allow_udp" ]; then
    for port in $lan_to_me_allow_udp; do
        $IPT -A INPUT -p udp -i $lan_if --dport $port -j ACCEPT
        $IPT -A INPUT -p udp -i lo --dport $port -j ACCEPT
    done
fi

# Masquerade LAN traffic leaving via the WAN interface with the public address
$IPT -t nat -A POSTROUTING -o $wan_if -j SNAT --to-source $wan_ip
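The attached fw.sh flushes the tables and then appends rules one by one, so for a moment the host is either wide open (old policy ACCEPT, no rules) or fully closed including existing sessions (policy DROP before the state rule is added). The following is an added example, not Raorn's script: it emits the same policy in iptables-restore format, which replaces each table atomically, and offers a dry run plus a small regression check on the WAN exposure. The interface names and addresses are the same placeholders as in fw.sh; the iptables-restore path is an assumption.

```shell
#!/bin/sh
# Added example: same policy as fw.sh, rendered for iptables-restore.
# Placeholders (ethA, ethB, a.b.c.d/e, f.g.h.i) as in the original mail.
IPT_RESTORE="/sbin/iptables-restore"   # assumed path, adjust as needed

wan_if="ethA"
lan_if="ethB"
lan="a.b.c.d/e"
wan_ip="f.g.h.i"

lan_to_me_allow_tcp="21 22 25 3306"
lan_to_me_allow_udp="53"
wan_to_me_allow_tcp="22"
wan_to_me_allow_udp=""
icmp_allow="3 5 8 11 12"

# allow_ports PROTO IFACE "PORT..." -> one INPUT ACCEPT per port for the
# interface and one for loopback, mirroring the per-port loops of fw.sh.
allow_ports() {
    proto=$1; iface=$2; ports=$3
    for port in $ports; do
        echo "-A INPUT -i $iface -p $proto --dport $port -j ACCEPT"
        echo "-A INPUT -i lo -p $proto --dport $port -j ACCEPT"
    done
}

# Print the complete ruleset (filter and nat tables) on stdout.
gen_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    for type in $icmp_allow; do
        echo "-A INPUT -p icmp --icmp-type $type -j ACCEPT"
        echo "-A FORWARD -p icmp --icmp-type $type -j ACCEPT"
    done
    echo "-A FORWARD -i $lan_if -s $lan -m state --state NEW -j ACCEPT"
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Anti-spoofing: private sources never arrive from the WAN,
    # only the LAN prefix arrives from the LAN (modern "! -s" syntax).
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "-A INPUT -i $wan_if -s $net -j DROP"
    done
    echo "-A INPUT -i $lan_if ! -s $lan -j DROP"
    echo "-A INPUT -p tcp ! --syn -m state --state NEW -j DROP"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    allow_ports tcp "$wan_if" "$wan_to_me_allow_tcp"
    allow_ports udp "$wan_if" "$wan_to_me_allow_udp"
    allow_ports tcp "$lan_if" "$lan_to_me_allow_tcp"
    allow_ports udp "$lan_if" "$lan_to_me_allow_udp"
    echo "COMMIT"
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A POSTROUTING -o $wan_if -j SNAT --to-source $wan_ip"
    echo "COMMIT"
}

# Count INPUT rules that ACCEPT traffic arriving on the WAN interface.
# A quick check that WAN exposure stays as small as wan_to_me_* says
# (with the lists above this must be exactly 1: tcp/22).
wan_accepts() {
    gen_rules | grep -c "^-A INPUT -i $wan_if .* -j ACCEPT\$"
}

case "${1:-}" in
    apply) gen_rules | "$IPT_RESTORE" ;;   # load atomically; needs root
    *)     gen_rules ;;                    # dry run: just print the ruleset
esac
```

Run it without arguments to review the generated ruleset, or with `apply` to load it; because iptables-restore commits each table in one step, tracked connections such as the ssh session you run it from survive the reload.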