From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 22 Dec 2004 17:00:31 +0200
From: Michael Shigorin
To: community@altlinux.ru
Cc: bloodmary@altlinux.ru
Subject: [Comm] IA: iptables bolvanka, fixed version (was: iptables vs ipchains)
Message-ID: <20041222150031.GP9534@osdn.org.ua>
In-Reply-To: <41C98113.8020607@iop.kiev.ua>
References: <20041216191505.2f044fc6.kirienko@mccme.ru> <5310135056.20041216183044@vostok.net.ua> <200412170959.16137.combr@vesna.ru> <1988056954.20041217132020@vostok.net.ua> <20041220150308.GO27134@wrars-comp.wrarsdomain> <41C75352.7050103@vostok.net.ua> <20041222134903.GF9534@osdn.org.ua> <41C98113.8020607@iop.kiev.ua>
Mail-Followup-To: community@altlinux.ru, bloodmary@altlinux.ru
List-Id: Mailing list for ALT Linux users
User-Agent: Mutt/1.4.2.1i

On Wed, Dec 22, 2004 at 04:13:39PM +0200, Andriy Dobrovol's'kii wrote:
> > PS: my standing template is attached; if anyone, by way of thanks,
> > checks it, polishes it, checks it again and proposes it for the FAQ
> > -- welcome.
> Misha, what kind of template is that, if it has specific addresses
> hard-coded all over the place

Only not all over the place: there is _REAL_IP in it :)

What is implied: the world, via eth0 (_REAL_IP), is reachable for the
local network 10.0.1.0/24 through interface eth1 (10.0.1.1). A specified
list of ports plus RELATED packets is open from the outside, and chains
are set up for traffic accounting (eth1-in and eth1-out), ...oops.

I re-read the script, scratched my head over the fact that the
originating host has long been out of reach (may that company rest in
peace), put eth0 and eth1 into _adequate_ correspondence with the
addresses, and added comments while at it.

The previous version is to be regarded not as a template but as a
provocation; the attached one is to be regarded as the template :-)

> and interfaces. And no comments whatsoever.

That is exactly why I characterized it that way, and why bloodmary@
declined the other day to put it in the FAQ.
(but now it is closer to tolerable)

> A commented script that generates it, with sensibly abstracted
> variables, would be a template...

Nah, that would be yet another generator script, which I have no use for
whatsoever, because this template turns into a working one _for me_ in a
couple of minutes in an editor.

> P.S. I could send my attempt at making one like that, but it got stuck
> on the "door" variant and is hardly of any interest. Life is just too
> varied...
It's about time to set up a dotfiles.altlinux.ru along the lines of
dotfiles.com :-)

-- 
---- WBR, Michael Shigorin ------ Linux.Kiev http://www.linux.kiev.ua/

Attachment: iptables

# setup:
# world<->eth0[_REAL_IP]:::eth1[10.0.0.254]<->LAN
# _REAL_IP:_EXT_PORT is port-forwarded to _INT_HOST:_INT_PORT
# everything from inside gets masqueraded,
# with a few host-specific exceptions;
# everything from outside gets dropped unless
# it targets an explicitly allowed port
# or is a response to our request
# eth0-in/eth0-out count [paid] external traffic
# Generated by iptables-save v1.2.6a on Thu Nov 21 21:15:39 2002
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d _REAL_IP -i eth0 -p tcp -m tcp --dport _EXT_PORT -j DNAT --to-destination _INT_HOST:_INT_PORT
-A POSTROUTING -s 10.0.0.0/24 -d ! 10.0.0.0/24 -j SNAT --to-source _REAL_IP
COMMIT
# Completed on Thu Nov 21 21:15:39 2002
# Generated by iptables-save v1.2.6a on Thu Nov 21 21:15:39 2002
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Nov 21 21:15:39 2002
# Generated by iptables-save v1.2.6a on Thu Nov 21 21:15:39 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eth0-in - [0:0]
:eth0-out - [0:0]
:tcprules - [0:0]
# account external traffic first, then filter
-A INPUT -i eth0 -j eth0-in
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# LAN may talk to the gateway on either of its addresses
-A INPUT -s 10.0.0.0/24 -d 10.0.0.254 -i eth1 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -d _REAL_IP -i eth1 -j ACCEPT
# services explicitly offered to the world
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
# ident: answer with RST instead of a silent drop so mail servers do not stall
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -j tcprules
# block :25 to world (only through 10.0.0.1:25)
-A FORWARD -s 10.0.0.0/24 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
# let the port-forwarded connection through: after DNAT it arrives on eth0
# in state NEW, which tcprules would otherwise DROP
-A FORWARD -d _INT_HOST -i eth0 -p tcp -m tcp --dport _INT_PORT -m state --state NEW -j ACCEPT
-A FORWARD -j tcprules
-A OUTPUT -o eth0 -j eth0-out
# accounting-only chains: count and return
-A eth0-in -j RETURN
-A eth0-out -j RETURN
# state rules: replies from outside pass, new connections only from inside,
# anything else from eth0 is dropped or rejected
-A tcprules -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tcprules -i ! eth0 -m state --state NEW -j ACCEPT
-A tcprules -i eth0 -m state --state INVALID,NEW -j DROP
-A tcprules -i eth0 -j REJECT --reject-with icmp-host-unreachable
COMMIT
# Completed on Thu Nov 21 21:15:39 2002
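Since the attachment is an iptables-save template meant to be edited by hand and then loaded with iptables-restore, the two things worth checking before loading it are that no placeholder (_REAL_IP, _INT_HOST, ...) is left unfilled, and that every DNAT port-forward declared in nat/PREROUTING has an explicit ACCEPT in filter/FORWARD ahead of the jump into the state chain, because the forwarded connection reaches FORWARD on the external interface in state NEW. The checker below is an added example written for this page; it is not Michael Shigorin's code nor anything from the list. It uses only the Python standard library, and the embedded SAMPLE is a constructed, cut-down copy of the attached template (same placeholders, same chain layout) so the checks run offline.

```python
"""Pre-load checks for an iptables-save style template (added example, not the
list post's own code): no placeholder left unfilled, and every DNAT port-forward
has an explicit ACCEPT in filter/FORWARD ahead of the state-chain jump."""
import re

# Constructed sample: cut-down copy of the attached template, embedded for offline runs.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d _REAL_IP -i eth0 -p tcp -m tcp --dport _EXT_PORT -j DNAT --to-destination _INT_HOST:_INT_PORT
-A POSTROUTING -s 10.0.0.0/24 -d ! 10.0.0.0/24 -j SNAT --to-source _REAL_IP
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:tcprules - [0:0]
-A FORWARD -s 10.0.0.0/24 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j tcprules
-A tcprules -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tcprules -i ! eth0 -m state --state NEW -j ACCEPT
-A tcprules -i eth0 -m state --state INVALID,NEW -j DROP
COMMIT
"""

PLACEHOLDER = re.compile(r"\b_[A-Z][A-Z_]*\b")
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}

def parse_save(text):
    """Map table name -> list of tokenised '-A' rules, in file order."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line.split())
    return tables

def _opt(tokens, flag):
    """Value after `flag`, with a leading '!' folded in; None if absent."""
    if flag not in tokens:
        return None
    i = tokens.index(flag) + 1
    if i < len(tokens) and tokens[i] == "!":
        return "!" + tokens[i + 1]
    return tokens[i] if i < len(tokens) else None

def dnat_targets(tables):
    """(proto, host, port) for each DNAT rule in nat/PREROUTING."""
    out = []
    for t in tables.get("nat", []):
        if t[1] != "PREROUTING" or _opt(t, "-j") != "DNAT":
            continue
        dest = _opt(t, "--to-destination")
        if ":" in dest:
            host, port = dest.rsplit(":", 1)
        else:  # DNAT without a port keeps the original destination port
            host, port = dest, _opt(t, "--dport")
        out.append((_opt(t, "-p"), host, port))
    return out

def forward_allows(tables, proto, host, port):
    """True if filter/FORWARD ACCEPTs proto/host/port before a user-chain jump.
    Simplification: a field is covered only if unspecified or exactly equal."""
    for t in tables.get("filter", []):
        if t[1] != "FORWARD":
            continue
        target = _opt(t, "-j")
        covers = (_opt(t, "-p") in (None, proto)
                  and _opt(t, "-d") in (None, host)
                  and _opt(t, "--dport") in (None, port))
        if covers and target == "ACCEPT":
            return True
        if covers and target in ("DROP", "REJECT"):
            return False
        if target not in BUILTIN_TARGETS:
            return False  # jump into a user chain (tcprules): be conservative
    return False

def check_template(text):
    """Return a list of findings; an empty list means the checks passed."""
    tables = parse_save(text)
    findings = []
    for proto, host, port in dnat_targets(tables):
        if not forward_allows(tables, proto, host, port):
            findings.append(f"DNAT to {host}:{port}/{proto} has no ACCEPT in filter/FORWARD "
                            "ahead of the state chain: it arrives on eth0 as NEW and is dropped")
    return findings

def unresolved_placeholders(text):
    """Placeholders such as _REAL_IP still present after editing, sorted."""
    return sorted(set(PLACEHOLDER.findall(text)))

def render(text, values):
    """Fill placeholders from `values`; unknown ones are left untouched."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(0), m.group(0)), text)
```

To use it on the real attachment, read the file into a string, call render() with your addresses, make sure unresolved_placeholders() returns an empty list, and only then look at check_template(); anything it reports is a rule that would be accepted by iptables-restore yet silently not do what the header comment promises. The match logic is deliberately literal (no CIDR containment), so a FORWARD ACCEPT written for a subnet rather than the exact host will be reported as missing; that is the conservative side to err on for a pre-load check.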