From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <greg@anastasia.ru>
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on sa.int.altlinux.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.9 required=5.0 tests=AWL,BAYES_00 autolearn=ham
	version=3.2.3
Date: Fri, 16 May 2008 22:25:08 +0400
From: Grigory Fateyev <greg@anastasia.ru>
To: sysadmins@lists.altlinux.org
Message-ID: <20080516222508.1286fec6@greg.dobroe.net>
In-Reply-To: <200805170003.22654.ripper.mail@gmail.com>
References: <20080516191510.34081638@greg.dobroe.net>
	<200805162332.54971.ripper.mail@gmail.com>
	<20080516214812.1575854d@greg.dobroe.net>
	<200805170003.22654.ripper.mail@gmail.com>
Organization: Anastasia.ru
X-Mailer: Claws Mail 2.10.0cvs81 (GTK+ 2.10.6; i586-alt-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 8bit
Subject: Re: [Sysadmins] iptables rules DNAT ftp passive
X-BeenThere: sysadmins@lists.altlinux.org
X-Mailman-Version: 2.1.10b3
Precedence: list
Reply-To: ALT Linux sysadmin discuss <sysadmins@lists.altlinux.org>
List-Id: ALT Linux sysadmin discuss <sysadmins.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/listinfo/sysadmins>,
	<mailto:sysadmins-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/sysadmins>
List-Post: <mailto:sysadmins@lists.altlinux.org>
List-Help: <mailto:sysadmins-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/sysadmins>,
	<mailto:sysadmins-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Fri, 16 May 2008 18:25:21 -0000
Archived-At: <http://lore.altlinux.org/sysadmins/20080516222508.1286fec6@greg.dobroe.net/>
List-Archive: <http://lore.altlinux.org/sysadmins/>

Hello Starodumoff Ilya!
On Sat, 17 May 2008 00:03:22 +0600 you wrote:

> pasv_address=20.13.20.194
> 
> и подчистить forward надо бы... "кудряво как-то"... :)

Вроде ничего особенного...

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

$IPTABLES -A FORWARD -i $OVZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
$IPTABLES -A FORWARD -d $WEB1_VE -m state --state NEW -p tcp --dport 21
 -j ACCEPT $IPTABLES -A FORWARD -d $WEB1_VE -m state --state NEW -p \ 
tcp --dport 65000:65535 -j ACCEPT

$IPTABLES -A FORWARD -i $INET_IFACE -o $OVZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $OVZ_IFACE -o $INET_IFACE -j ACCEPT

# Routing VEs outside
$IPTABLES -A FORWARD -p all -s $OVZ_NET -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p all -d $OVZ_NET -i $INET_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT 
#$IPTABLES -A FORWARD -p all -s $OVZ_NET -j ACCEPT 
#$IPTABLES -A FORWARD -p all -d $OVZ_NET -j ACCEPT


-- 
Всего наилучшего! Григорий
greg [at] anastasia [dot] ru
Письмо отправлено: 2008/05/16 22:20