From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Date: Thu, 27 Feb 2003 12:36:20 +0300
From: =?koi8-r?B?8M/Mz9fOycvP1yDkxc7J0w==?=
X-Mailer: The Bat! (v1.62 Christmas Edition) UNREG / CD5BF9353B3B7091
Organization: =?koi8-r?B?6+IgIvTSwc7T0M/S1M7ZyiI=?=
X-Priority: 3 (Normal)
Message-ID: <85161533406.20030227123620@transbank.ru>
To: Dmitry Lebkov
Subject: Re[4]: [Comm] IPtables
In-Reply-To: <20030227183551.5c41d454.dima@sakhalin.ru>
References: <10185641140.20030226153128@transbank.ru> <20030226124638.GI10970@hell.immo> <197149302796.20030227091229@transbank.ru> <20030227183551.5c41d454.dima@sakhalin.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: community-admin@altlinux.ru
Errors-To: community-admin@altlinux.ru
X-BeenThere: community@altlinux.ru
X-Mailman-Version: 2.0.9
Precedence: bulk
Reply-To: community@altlinux.ru
X-Reply-To: =?koi8-r?B?8M/Mz9fOycvP1yDkxc7J0w==?=
List-Unsubscribe: ,
List-Id:
List-Post:
List-Help:
List-Subscribe: ,
List-Archive:
Archived-At:
List-Archive:
List-Post:

Здравствуйте, Dmitry.

Вы писали 27 февраля 2003 г., 11:35:51:

Ман-то tcpdump я читал и делал все по нему — тишина, видимо, коннекта нет...

DL> А FORWARD-правила где? А роутинг на этой машине включен?
DL> Покажи результат:
DL> # cat cat /proc/sys/net/ipv4/ip_forward
Вывод следующий 1 в этом фаиле стоит только 1
DL> # service iptables save
DL> # cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.1a on Fri Jun 15 14:40:51 2001
# NOTE(review): the hand-written section comments below and the 2001 timestamp
# (the message itself is from February 2003) suggest this file is maintained by
# hand rather than regenerated by `service iptables save`, so it may not match
# the ruleset actually loaded; compare with `iptables -t nat -L -n -v` and
# `iptables -L -n -v` before drawing conclusions from the counters shown here.
*nat
:PREROUTING ACCEPT [23:2866]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
[0:0] -A POSTROUTING -s 217.69.198.0/255.255.255.224 -o eth0 -j MASQUERADE
[0:0] -A PREROUTING -p udp -m udp -d 217.69.198.58 --dport 5122 -j DNAT --to-destination 10.0.1.124
# NOTE(review): once PREROUTING has rewritten the destination to 10.0.1.124 the
# packet is routed towards the LAN and filtered only by the FORWARD chain below,
# never by INPUT/OUTPUT. The reply path also needs 10.0.1.124 to send its answers
# back through this host (presumably its default gateway) — confirm on that box.
[0:0] -A OUTPUT -d 217.69.198.58 -p udp -m udp --dport 5122 -j DNAT --to-destination 10.0.1.124
COMMIT
# Completed on Fri Jun 15 14:40:51 2001
# Generated by iptables-save v1.2.1a on Fri Jun 15 14:40:51 2001
*filter
:INPUT ACCEPT [15:1688]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# make a chain for deny and log packets
:droplog - [0:0]
# NOTE(review): a --log-prefix on the LOG rule (e.g. "droplog: ") makes these
# entries easy to find in the kernel log when debugging drops like the one below.
-A droplog -j LOG
-A droplog -j DROP
# accept trusted interfaces
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A OUTPUT -o lo -j ACCEPT
[4:463] -A INPUT -i eth1 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -j ACCEPT
# allow ICMP
[0:0] -A INPUT -p icmp -j ACCEPT
[0:0] -A OUTPUT -p icmp -j ACCEPT
# allow incoming SSH
[0:0] -A INPUT -i eth0 -p tcp -m tcp --syn --dport 22 -j ACCEPT
# allow incoming FIDO
[0:0] -A INPUT -i eth0 -p tcp -m tcp --syn -d 217.69.198.30 --dport fido -j ACCEPT
# allow incoming NETINV
[0:0] -A INPUT -i eth0 -p tcp -m tcp --syn -d 217.69.198.58 --dport netinv -j ACCEPT
# allow incoming symqs
[0:0] -A INPUT -i eth0 -p tcp -m tcp --syn -d 217.69.198.58 --dport symqs -j ACCEPT
# allow incoming binkp
[0:0] -A INPUT -i eth0 -p tcp -m tcp --syn -d 217.69.198.30 --dport binkp -j ACCEPT
# allow incoming SMTP
#[0:0] -A INPUT -i eth0 -p tcp -m tcp --syn --dport smtp -j ACCEPT
# allow incoming WWW
#[0:0] -A INPUT -i eth0 -p tcp -m tcp --syn --dport www -j ACCEPT
# allow incoming ftp
[0:0] -A INPUT -i eth0 -p tcp -m tcp --syn --dport ftp -j ACCEPT
# allow incoming ftp transfers in active mode
# NOTE(review): this admits a new TCP connection from eth0 to *any* local port as
# long as its source port is ftp-data (20), which the remote side chooses freely.
# With the ESTABLISHED,RELATED rule below and the ip_conntrack_ftp helper loaded,
# active-mode data connections are classified RELATED and this rule is not needed.
[0:0] -A INPUT -i eth0 -p tcp -m tcp --syn --sport ftp-data -j ACCEPT
# allow squid
#[0:0] -A INPUT -i eth0 -p tcp -m tcp --syn --dport squid -j ACCEPT
# allow zone transfers
#[0:0] -A INPUT -i eth0 -p tcp -m tcp --syn --dport domain -j ACCEPT
# allow outgoing TCP
-A OUTPUT -o eth0 -p tcp -m tcp --syn -j ACCEPT
# allow established and related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow outgoing DNS
# NOTE(review): the INPUT rule below accepts any UDP datagram arriving on eth0
# whose source port is 53, whether or not a query ever went out; genuine DNS
# replies should already be covered by the ESTABLISHED,RELATED rule above, so this
# mostly widens exposure. The same applies to the FORWARD "--sport domain" rule
# near the end of the file.
-A INPUT -p udp -m udp --sport domain -j ACCEPT -i eth0
-A OUTPUT -p udp -m udp --dport domain -j ACCEPT -o eth0
# allow incoming reuter
-A INPUT -p udp -m udp -d 217.69.198.30 --dport 55777 -j ACCEPT
-A OUTPUT -p udp -m udp -d 217.69.198.30 --dport 55777 -j ACCEPT
# NOTE(review): the two 5122 rules below cannot admit the DNAT'ed flow — forwarded
# packets never traverse INPUT/OUTPUT, and by the time the filter table sees the
# packet its destination is already 10.0.1.124, not 217.69.198.58.
-A INPUT -p udp -m udp -d 217.69.198.58 --dport 5122 -j ACCEPT
-A OUTPUT -p udp -m udp -d 217.69.198.58 --dport 5122 -j ACCEPT
-A INPUT -p udp -m udp -d 217.69.198.30 --dport 55778 -j ACCEPT
-A OUTPUT -p udp -m udp -d 217.69.198.30 --dport 55778 -j ACCEPT
# allow incoming DNS
#-A INPUT -p udp -m udp --dport domain -j ACCEPT -i eth0
#-A OUTPUT -p udp -m udp --sport domain -j ACCEPT -o eth0
# deny the rest of my traffic
-A INPUT -i eth0 -j droplog
-A OUTPUT -o eth0 -j droplog
# allow ICMP forwarding
-A FORWARD -p icmp -j ACCEPT
# allow outgoing pop3
-A FORWARD -p tcp -m tcp --syn --dport pop3 -o eth0 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn --dport pop3s -o eth0 -j ACCEPT
# allow outgoing smtp
-A FORWARD -p tcp -m tcp --syn --dport smtp -o eth0 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn --dport smtps -o eth0 -j ACCEPT
# allow outgoing ftp
-A FORWARD -p tcp -m tcp --syn --dport ftp -o eth0 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn --dport ftp-data -o eth0 -j ACCEPT
# allow outgoing ICQ
-A FORWARD -p tcp -m tcp --syn --dport 5190 -o eth0 -j ACCEPT
# allow outgoing 55
-A FORWARD -p tcp -m tcp --syn --dport 55 -o eth0 -j ACCEPT
# allow special services
#-A FORWARD -p tcp -m tcp --syn -d 10.0.1.5 --dport 60179 -j ACCEPT
#-A FORWARD -p tcp -m tcp --syn -s 10.0.1.5 --dport 24554 -j ACCEPT
#-A FORWARD -p tcp -m tcp --syn -d 10.0.1.5 --dport 24554 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.4 --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.6 --dport 7001 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.6 --dport 2900 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.7 --dport 7001 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.7 --dport 7777 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.7 --dport 7090:7110 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.7 --dport 2900 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.7 --dport 55777 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.8 --dport 55777 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.8 --dport 7001 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.9 --dport 12801 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.115 --dport 4661 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.115 --dport 4662 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.124 --dport 4661 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.124 --dport 4662 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.115 --dport 27530 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.115 --dport 4665 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.115 --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.10 --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.115 --dport 3306 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.115 --dport 27005 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.115 --dport 27010 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.115 --dport 27011 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.115 --dport 27012 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.115 --dport 27015 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.115 --dport 27025 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.115 --dport 27017 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.115 --dport 5122 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.124 --dport 5122 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.124 --dport 1716 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.124 --dport 1717 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.124 --dport 1718 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.124 --dport 8777 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.124 --dport 27900 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.161 --dport 5122 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.161 --dport 21000 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.161 --dport 21001 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.161 --dport 21002 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.161 --dport 21003 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.124 --dport 7002 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.124 --dport 6003 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.124 --dport 20045 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.124 --dport 28900 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.115 --dport 7002 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.115 --dport 6003 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.124 --dport 6667 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.124 --dport 6666 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.161 --dport 6667 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.161 --dport 6666 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.10 --dport 21000 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.10 --dport 21001 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.10 --dport 21002 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.10 --dport 21003 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.10 --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.10 --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.10 --dport 2847 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.10 --dport 2848 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.10 --dport 7002 -j ACCEPT
-A FORWARD -p tcp -m tcp --syn -s 10.0.1.10 --dport 6003 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.10 --dport 5122 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.10 --dport 27005 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.10 --dport 27010 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.10 --dport 27011 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.10 --dport 27012 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.10 --dport 27015 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.10 --dport 27025 -j ACCEPT
-A FORWARD -p udp -m udp -s 10.0.1.10 --dport 27017 -j ACCEPT
# allow outgoing DNS
-A FORWARD -p udp -m udp --sport domain -j ACCEPT -i eth0
-A FORWARD -p udp -m udp --dport domain -j ACCEPT -o eth0
# allow established connections
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# deny the rest
# NOTE(review): every ACCEPT in FORWARD above matches ICMP, a LAN source
# (-s 10.0.1.x), an outgoing -o eth0 flow, DNS, or ESTABLISHED,RELATED. A new UDP
# packet that PREROUTING has DNAT'ed to 10.0.1.124:5122 matches none of them and
# falls through to droplog, i.e. it is logged and then dropped — the kernel log
# should show the LOG entries for it. To let that flow through, a rule such as
#   -A FORWARD -i eth0 -p udp -m udp -d 10.0.1.124 --dport 5122 -j ACCEPT
# has to come before the droplog rule below.
-A FORWARD -j droplog
COMMIT
# Completed on Fri Jun 15 14:40:51 2001
С уважением, Половников Денис