From: Alexey Morsov <samurai@ricom.ru>
To: community@altlinux.ru
Subject: Re: [Comm] iptables vs ipchains
Date: Wed, 22 Dec 2004 17:25:48 +0300
Message-ID: <41C983EC.2010702@ricom.ru> (raw)
In-Reply-To: <41C98113.8020607@iop.kiev.ua>
[-- Attachment #1: Type: text/plain, Size: 968 bytes --]
Andriy Dobrovol's'kii wrote:
> Michael Shigorin wrote:
>
>> On Mon, Dec 20, 2004 at 10:33:54PM +0000, Alexey S. Kuznetsov wrote:
>>
> <cut>
>
>> PS: my standing template is attached; if anyone, by way of thanks,
>> checks it, polishes it, checks it again and proposes it for the FAQ -- welcome.
>>
> <cut>
>
>>
> Misha, what kind of template is it if specific addresses and
> interfaces are hardcoded everywhere? And no comments at all. A commented script
> that generates it, with sensibly abstracted variables, would be a template...
>
> P.S. I could send my own attempt at writing one, but it got stuck at the
> "door" variant and is hardly of interest. Life is far too
> varied...
And here is my template - whoever needs it, use it or modify it :)
I don't know what its degree of "door-ness" is :)
--
Best regards,
System Administrator, ZAO "IK "RICOM-TRUST"
Alexey Morsov
ICQ: 196766290
Jabber: Samurai@jabber.pibhe.com
http://www.ricom.ru
http://www.fondmarket.ru
[-- Attachment #2: firewall --]
[-- Type: text/plain, Size: 1582 bytes --]
#!/bin/sh
# declare variables
FW="/sbin/iptables"
LAN_NET="192.168.130.0/24"
LAN_IP="192.168.130.2"
LAN_ETH="eth0"
INET_IP="195.210.171.34"
INET_ETH="eth1"
# loopback / local proxy (defined here, but not used by the rules below)
LH="127.0.0.1"
PROXY_PORT="3128"
# for me
COOL_IP="192.168.130.95"
# FTP NAT helper, so active FTP from the LAN works through SNAT
modprobe ip_nat_ftp
# the kernel has to forward packets, otherwise the FORWARD and SNAT rules never see any
echo 1 > /proc/sys/net/ipv4/ip_forward
# route for Ricom mail
route add -net 194.247.149.208 netmask 255.255.255.248 gw 192.168.130.1 dev $LAN_ETH
# flush everything (this also discards the accounting counters of the old rules)
$FW -t nat -F
$FW -F
$FW -X
# add chains for traffic accounting
$FW -N OUT_SORTING
$FW -N IN_SORTING
$FW -N TCP_OUT
$FW -N TCP_IN
$FW -N UDP_OUT
$FW -N UDP_IN
# set up masquerading for ourselves :)
$FW -t nat -A POSTROUTING -s $LAN_NET -o $INET_ETH -j SNAT --to-source $INET_IP
# deny everything to everyone
$FW -P INPUT DROP
$FW -P FORWARD DROP
# except the local host, which may go anywhere
$FW -P OUTPUT ACCEPT
# and now let's start writing the rules
# the accounting chains only count and accept; all filtering happens before the jump into them
$FW -A TCP_OUT -j ACCEPT
$FW -A TCP_IN -j ACCEPT
$FW -A UDP_OUT -j ACCEPT
$FW -A UDP_IN -j ACCEPT
$FW -A OUT_SORTING -p tcp -j TCP_OUT
$FW -A OUT_SORTING -p udp -j UDP_OUT
$FW -A OUT_SORTING -j ACCEPT
$FW -A IN_SORTING -p tcp -i $INET_ETH -j TCP_IN
$FW -A IN_SORTING -p udp -i $INET_ETH -j UDP_IN
$FW -A IN_SORTING -j ACCEPT
# for INPUT
# replies to connections the gateway opened itself: count them, then accept
$FW -A INPUT -m state --state ESTABLISHED,RELATED -j IN_SORTING
# new connections are accepted only on non-Internet interfaces (LAN and lo);
# older iptables spelled this "-i ! $INET_ETH", current versions want the "!" first
$FW -A INPUT -m state --state NEW ! -i $INET_ETH -j ACCEPT
# for FORWARD
# for Aton-Line
# for ME
$FW -A FORWARD -p all -i $LAN_ETH -o $INET_ETH -s $COOL_IP -j OUT_SORTING
$FW -A FORWARD -p all -i $INET_ETH -o $LAN_ETH -d $COOL_IP -m state --state ESTABLISHED,RELATED -j IN_SORTING
# for OUTPUT
$FW -A OUTPUT -o $INET_ETH -j OUT_SORTING
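The template creates TCP_IN, TCP_OUT, UDP_IN and UDP_OUT purely for traffic accounting, but the message never shows how the counters are read back. The following is an added example, not part of Alexey's message or of any ALT Linux project code: a small sh helper that sums the `bytes` column of an `iptables -L <chain> -v -n -x` listing for one chain. The chain names are the template's own; the helper names `chain_bytes` and `sample_chain_bytes` are mine, and the listing embedded below is constructed sample output so the block runs without iptables.

```shell
#!/bin/sh
# Added example (not from the original message): read the byte counters of the
# accounting chains the template creates. Live use on the gateway, as root:
#   /sbin/iptables -L TCP_IN -v -n -x | chain_bytes TCP_IN
# -x prints exact counters instead of the K/M/G abbreviations of plain -v.

# chain_bytes CHAIN < iptables-listing
# Sums the 'bytes' column (second field) of every rule line that belongs to CHAIN.
chain_bytes() {
    awk -v chain="$1" '
        /^Chain /          { cur = $2; next }   # "Chain TCP_IN (1 references)"
        /^ *pkts +bytes/   { next }             # column header line
        cur == chain && NF >= 2 { sum += $2 }   # rule line: pkts bytes target ...
        END { printf "%.0f\n", sum + 0 }        # %.0f keeps large counters exact
    '
}

# Constructed sample (hypothetical numbers) of what
# `iptables -L TCP_IN -v -n -x; iptables -L UDP_IN -v -n -x` might print.
SAMPLE_LISTING='Chain TCP_IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1500   2048000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain UDP_IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      40      5120 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

# sample_chain_bytes CHAIN: runs chain_bytes over the constructed listing.
sample_chain_bytes() {
    printf '%s' "$SAMPLE_LISTING" | chain_bytes "$1"
}

# Stand-alone run: print the sample totals per chain.
for c in TCP_IN UDP_IN TCP_OUT; do
    echo "$c $(sample_chain_bytes "$c")"
done
```

Note that the template starts with `$FW -F` / `$FW -X`, which deletes the rules together with their counters, so a snapshot of the totals has to be taken before the template is re-run; `iptables -Z` likewise zeroes them in place.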