From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <raorn@immo.ru>
Date: Tue, 2 May 2006 10:04:00 +0400
From: "Alexey I. Froloff" <raorn@immo.ru>
To: ALT Linux Sisyphus <sisyphus@lists.altlinux.org>
Message-ID: <20060502060400.GH9795@immo.ru>
References: <20060501194904.GT9314@localhost>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="dMdWWqg3F2Dv/qfw"
Content-Disposition: inline
In-Reply-To: <20060501194904.GT9314@localhost>
User-Agent: Mutt/1.5.11
X-Virus-Scanned: amavisd-new at immo.ru
Subject: Re: [sisyphus] etcnet firewall
X-BeenThere: sisyphus@lists.altlinux.org
X-Mailman-Version: 2.1.7
Precedence: list
Reply-To: ALT Linux Sisyphus discussion list <sisyphus@lists.altlinux.org>
List-Id: ALT Linux Sisyphus discussion list <sisyphus.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/listinfo/sisyphus>,
	<mailto:sisyphus-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/sisyphus>
List-Post: <mailto:sisyphus@lists.altlinux.org>
List-Help: <mailto:sisyphus-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/sisyphus>,
	<mailto:sisyphus-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Tue, 02 May 2006 06:04:15 -0000
Archived-At: <http://lore.altlinux.org/sisyphus/20060502060400.GH9795@immo.ru/>
List-Archive: <http://lore.altlinux.org/sisyphus/>
List-Post: <mailto:sisyphus@altlinux.ru>


--dMdWWqg3F2Dv/qfw
Content-Type: multipart/mixed; boundary="y0Ed1hDcWxc3B7cn"
Content-Disposition: inline


--y0Ed1hDcWxc3B7cn
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

* Alexey Tourbin <at@> [060501 23:48]:
> =F0=CF=C4=D3=CB=C1=D6=C9=D4=C5 =D0=CF=D6=C1=CC=D5=CA=D3=D4=C1, =CB=C1=CB =
=C2=D9=D3=D4=D2=CF =CE=C1=D3=D4=D2=CF=C9=D4=D8 "=D0=C5=D2=D3=CF=CE=C1=CC=D8=
=CE=D9=CA"
> firewall =C4=CC=D1 =D2=C1=C2=CF=DE=C5=CA =D3=D4=C1=CE=C3=C9=C9 (=D3 =CE=
=C1=D3=D4=CF=D1=DD=C9=CD ip-=C1=C4=D2=C5=D3=CF=CD).
> =E9=CE=D4=C5=D2=C5=D3=D5=C5=D4 reasonable defaults.  =E9=DA=D7=C9=CE=C9=
=D4=C5 =DA=C1 =CF=C6=C6=D4=CF=D0. :)
=E4=CC=D1 =CD=C5=CE=D1 =D4=C1=CB=C9=C5 defaults - =D7=D3=C5=C8 =D7=D9=D0=D5=
=D3=CB=C1=D4=D8, =CE=C9=CB=CF=C7=CF =CE=C5 =D7=D0=D5=D3=CB=C1=D4=D8.
=F3=CB=D2=C9=D0=D4 =C4=CC=D1 ADSL =D3=CF=C5=C4=C9=CE=C5=CE=C9=D1 =D7 =C1=D4=
=D4=C1=DE=C5.  =E9=DA "LAN" =D0=D5=D3=CB=C1=C5=CD =D4=CF=CC=D8=CB=CF =CE=C1=
=DB
ADSL =CD=CF=C4=C5=CD =CE=C1 NTP, =C9=DA =E2=CF=CC=D8=DB=CF=C7=CF =E9=CE=D4=
=C5=D2=CE=C5=D4=C1 =D4=CF=CC=D8=CB=CF ssh =C9 =CE=D5=D6=CE=D9=C5
icmp.

# sh fw-adsl.sh
# service iptables save
# chkconfig iptables on

--=20
Regards, Sir Raorn.
-------------------
> >=E9=DA =CB=C1=CB=CF=CA =CB=CF=D2=CF=C2=CB=C9 =D5 =D7=C1=D3 apt?
> =E9=DA hasher'=CF=D7=CF=CA, =D7=C5=D3=D4=C9=CD=CF.
=F7=D2=D1=C4 =CC=C9 =D7=D9 =C9=D3=D0=CF=CC=D8=DA=D5=C5=D4=C5 hasher =D7=CE=
=D5=D4=D2=C9 hasher'=C1.
		-- ldv in devel@

--y0Ed1hDcWxc3B7cn
Content-Type: application/x-sh
Content-Disposition: attachment; filename="fw-adsl.sh"
Content-Transfer-Encoding: quoted-printable

#!/bin/sh=0A=0AIPT=3D"/sbin/iptables"=0A=0Awan_if=3D"ppp+"=0Alan_if=3D"eth0=
"=0A=0Alan=3D"192.168.1.1"=0A=0Awan_to_me_allow_tcp=3D"22"=0Awan_to_me_allo=
w_udp=3D""=0A=0Aicmp_allow=3D"destination-unreachable redirect time-exceede=
d parameter-problem"=0A=0Achains=3D`cat /proc/net/ip_tables_names 2>/dev/nu=
ll`=0Afor i in $chains; do=0A	$IPT -t $i -F=0A	$IPT -t $i -X=0Adone=0A=0A$I=
PT -P INPUT DROP=0A$IPT -P FORWARD DROP=0A$IPT -P OUTPUT ACCEPT=0A=0A$IPT -=
A INPUT -i ! lo -p all -s 127.0.0.0/8 -j DROP=0A$IPT -A INPUT -i $wan_if -p=
 all -s 10.0.0.0/8 -j DROP=0A$IPT -A INPUT -i $wan_if -p all -s 172.16.0.0/=
12 -j DROP=0A$IPT -A INPUT -i $wan_if -p all -s 192.168.0.0/16 -j DROP=0A$I=
PT -A INPUT -i $lan_if -p all -s ! $lan -j DROP=0A=0A$IPT -A INPUT -m state=
 --state INVALID -j REJECT --reject-with "icmp-admin-prohibited"=0A$IPT -A =
INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT=0A=0A$IPT -A INPUT -i =
lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT=0A=0Aif [ -n "$icmp_allow" ]; then=
=0A	for type in $icmp_allow; do=0A		$IPT -A INPUT -p icmp --icmp-type $type=
 -j ACCEPT=0A	done=0Afi=0A=0Aif [ -n "$wan_to_me_allow_tcp" ]; then=0A	for =
port in $wan_to_me_allow_tcp; do=0A		$IPT -A INPUT -p tcp -i $wan_if --dpor=
t $port -j ACCEPT=0A	done=0Afi=0A=0Aif [ -n "$wan_to_me_allow_udp" ]; then=
=0A	for port in $wan_to_me_allow_udp; do=0A		$IPT -A INPUT -p udp -i $wan_i=
f --dport $port -j ACCEPT=0A	done=0Afi=0A=0A$IPT -A INPUT -i $lan_if -p udp=
 -s 192.168.1.1 -d 192.168.1.2 --dport 123 -j ACCEPT=0A
--y0Ed1hDcWxc3B7cn--

--dMdWWqg3F2Dv/qfw
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEVvZQVqT7+fkT8woRArDmAJ4nBtNElQnMcPy7Dezdp8d/1dc7ywCgtnys
gsjCjoA/0uYO2QM/hXchLtg=
=A7ed
-----END PGP SIGNATURE-----

--dMdWWqg3F2Dv/qfw--