Message-ID: <4330F83C.8040707@strat.chtts.ru>
Date: Wed, 21 Sep 2005 10:05:48 +0400
From: Egorov Alexey
To: ALT Linux Community
Subject: Re: [Comm] Help, kernel panic
References: <4330EB5E.3030309@strat.chtts.ru> <20050921055118.GK3908@ldc.net>
In-Reply-To: <20050921055118.GK3908@ldc.net>

Dmytro O. Redchuk wrote:
> On Wed, Sep 21, 2005 at 09:10:54AM +0400, Egorov Alexey wrote:
> What's in iptables?
> (I had crashes when playing around with RELATED,ESTABLISHED for tftpd in various ways)
> And which kernel?
> (I switched to alt12 -- and stopped experimenting :)

The kernel is kernel-image-std-up-2.4.26-alt12.i586.rpm from updates.

Here is the iptables (don't scold me too hard if something is off):

# $IPTABLES, $INET_DEVICE, $LOCAL_IP and $INET_ADDR are set earlier in the
# poster's script; their values are not shown in the post.

# Flush every chain, delete user chains, then default-deny everywhere
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# allowed / rejected: log via ULOG (netlink group 1, batches of 50 packets,
# first 100 bytes of each) and then ACCEPT or DROP
$IPTABLES -N allowed
$IPTABLES -A allowed -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 50 --ulog-cprange 100 --ulog-prefix allow
$IPTABLES -A allowed -j ACCEPT
$IPTABLES -N rejected
$IPTABLES -A rejected -j ULOG --ulog-nlgroup 1 --ulog-qthreshold 50 --ulog-cprange 100 --ulog-prefix drop
$IPTABLES -A rejected -j DROP
#
$IPTABLES -N bad_packets
$IPTABLES -N good_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
#
# bad_packets: NEW connection with SYN+ACK set, NEW connection that is not a
# clean SYN, or anything conntrack calls INVALID -> log and drop
$IPTABLES -A bad_packets -p TCP --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j rejected
$IPTABLES -A bad_packets -p TCP ! --syn -m state --state NEW -j rejected
$IPTABLES -A bad_packets -m state --state INVALID -j rejected
#
# good_packets: anything belonging to a tracked connection -> log and accept
$IPTABLES -A good_packets -m state --state ESTABLISHED,RELATED -j allowed
#
# udp_packets: DNS from any source accepted, NetBIOS/RPC 135-139 dropped
$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 53 -j allowed
$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 135:139 -j rejected
#
# icmp_packets: echo-request dropped, time-exceeded accepted, fragments dropped
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j rejected
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j allowed
$IPTABLES -A icmp_packets -p ICMP --fragment -j rejected
#
# INPUT: everything not arriving on the Internet interface is accepted;
# Internet traffic goes through bad -> good -> udp -> icmp, rest is dropped
$IPTABLES -A INPUT -i ! $INET_DEVICE -j allowed
$IPTABLES -A INPUT -i $INET_DEVICE -j bad_packets
$IPTABLES -A INPUT -i $INET_DEVICE -j good_packets
$IPTABLES -A INPUT -i $INET_DEVICE -p UDP -j udp_packets
$IPTABLES -A INPUT -i $INET_DEVICE -p ICMP -j icmp_packets
$IPTABLES -A INPUT -i $INET_DEVICE -j rejected
#
# FORWARD: same idea, but only tracked connections may come in from the Internet
$IPTABLES -A FORWARD -i ! $INET_DEVICE -j allowed
$IPTABLES -A FORWARD -i $INET_DEVICE -j bad_packets
$IPTABLES -A FORWARD -i $INET_DEVICE -j good_packets
$IPTABLES -A FORWARD -i $INET_DEVICE -j rejected
#
# OUTPUT: everything the box itself sends is accepted
$IPTABLES -A OUTPUT -j allowed
#
# NAT: rewrite the LAN source to the Internet address on the way out
$IPTABLES -t nat -A POSTROUTING -o $INET_DEVICE -s $LOCAL_IP -j SNAT --to $INET_ADDR
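To see what the INPUT path of the ruleset above actually does to a given packet without loading it on a box, here is a small table-top model of it. This is an added example written for this page, not code from the original post or from ALT Linux. It hard-codes the posted chains, implements only the matches those rules use, treats the `allowed` and `rejected` chains as plain ACCEPT and DROP (ULOG does not change the verdict), and assumes $INET_DEVICE is eth0, which the post never states. The sample packets are constructed; running the block shows, for instance, that from the Internet side only UDP/53 and ESTABLISHED/RELATED traffic gets in, no new TCP connection is reachable at all, and a new tftp request is dropped while a RELATED reply passes through good_packets.

```python
"""Table-top model of the INPUT path of the iptables script posted above.

Added example, not code from the original post. It re-implements only the
matches the posted rules use (interface, protocol, conntrack state, TCP
flags, UDP dport, ICMP type, fragment flag) and walks the chains the way
the kernel does: a user chain returns to its caller when it falls through,
and the built-in chain's policy applies when nothing matched.
"""
from dataclasses import dataclass

INET_DEVICE = "eth0"  # assumption: the post never shows $INET_DEVICE's value


@dataclass
class Packet:
    iface: str                      # interface the packet arrived on
    proto: str                      # "tcp", "udp" or "icmp"
    state: str                      # conntrack: NEW, ESTABLISHED, RELATED, INVALID
    flags: frozenset = frozenset()  # TCP flags that are set, e.g. {"SYN"}
    dport: int = 0
    icmp_type: int = -1
    fragment: bool = False


def is_syn(p):
    # iptables --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN
    return "SYN" in p.flags and not (p.flags & {"RST", "ACK", "FIN"})


def on_inet(p):
    return p.iface == INET_DEVICE


# Each rule is (match, target). "allowed"/"rejected" only ULOG and then
# ACCEPT/DROP, so they collapse to the terminal verdict here. "-s 0/0"
# matches any source, so it needs no predicate.
CHAINS = {
    "bad_packets": [
        (lambda p: p.proto == "tcp" and p.state == "NEW" and {"SYN", "ACK"} <= p.flags, "DROP"),
        (lambda p: p.proto == "tcp" and p.state == "NEW" and not is_syn(p), "DROP"),
        (lambda p: p.state == "INVALID", "DROP"),
    ],
    "good_packets": [
        (lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    ],
    "udp_packets": [
        (lambda p: p.proto == "udp" and p.dport == 53, "ACCEPT"),
        (lambda p: p.proto == "udp" and 135 <= p.dport <= 139, "DROP"),
    ],
    "icmp_packets": [
        (lambda p: p.proto == "icmp" and p.icmp_type == 8, "DROP"),
        (lambda p: p.proto == "icmp" and p.icmp_type == 11, "ACCEPT"),
        (lambda p: p.proto == "icmp" and p.fragment, "DROP"),
    ],
    "INPUT": [
        (lambda p: not on_inet(p), "ACCEPT"),
        (on_inet, "bad_packets"),
        (on_inet, "good_packets"),
        (lambda p: on_inet(p) and p.proto == "udp", "udp_packets"),
        (lambda p: on_inet(p) and p.proto == "icmp", "icmp_packets"),
        (on_inet, "DROP"),
    ],
}
POLICY = {"INPUT": "DROP"}


def walk(chain, p):
    """Verdict for p starting at chain, or None when the chain falls through."""
    for match, target in CHAINS[chain]:
        if not match(p):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        v = walk(target, p)   # jump into a user chain
        if v is not None:
            return v          # None means the user chain returned; try next rule
    return None


def verdict(p):
    return walk("INPUT", p) or POLICY["INPUT"]


# Constructed sample packets, one per branch of the posted INPUT path.
SAMPLES = {
    "lan ssh syn":            Packet("eth1", "tcp", "NEW", frozenset({"SYN"}), dport=22),
    "inet ssh syn":           Packet(INET_DEVICE, "tcp", "NEW", frozenset({"SYN"}), dport=22),
    "inet syn+ack new":       Packet(INET_DEVICE, "tcp", "NEW", frozenset({"SYN", "ACK"}), dport=22),
    "inet ack established":   Packet(INET_DEVICE, "tcp", "ESTABLISHED", frozenset({"ACK"}), dport=22),
    "inet dns query":         Packet(INET_DEVICE, "udp", "NEW", dport=53),
    "inet netbios":           Packet(INET_DEVICE, "udp", "NEW", dport=137),
    "inet tftp request":      Packet(INET_DEVICE, "udp", "NEW", dport=69),
    "inet udp related reply": Packet(INET_DEVICE, "udp", "RELATED", dport=33000),
    "inet ping":              Packet(INET_DEVICE, "icmp", "NEW", icmp_type=8),
    "inet time exceeded":     Packet(INET_DEVICE, "icmp", "NEW", icmp_type=11),
    "inet unreachable":       Packet(INET_DEVICE, "icmp", "NEW", icmp_type=3),
    "inet invalid":           Packet(INET_DEVICE, "tcp", "INVALID", frozenset({"ACK"})),
}


def verdicts():
    return {name: verdict(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{name:24s} {v}")
```

The model deliberately stops at the INPUT chain; FORWARD in the posted script has no udp_packets or icmp_packets jumps, so for forwarded traffic only the ESTABLISHED,RELATED rule in good_packets lets anything in from the Internet interface.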