



Re: ip publiczne na iptables

From: Tom <america1_malpka_o2.pl>
Date: Sun Feb 15 2004 - 22:49:36 CET

Jeden facet mial tez taki problem - przytocze jego firewall, w nim
zaznaczylem, co mu brakowalo.
Wiec mysle, ze ten SNAT, DNAT i FORWARD masz dobrze.
Problem w routingu? Podalem, jak ma byc.
Moze firewall na kompie w LANie?

--------
#!/bin/sh
# NAT/firewall script for a small LAN behind a Linux router.
# Every address, interface and tool path is defined once here and
# referenced by the rules that follow.

# Tools used by the rules below.
echo="/bin/echo"
iptables="/sbin/iptables"

# Interfaces: eth0 faces the LAN, eth1 faces the Internet.
intdev="eth0"
extdev="eth1"

# LAN side: the router's own address and the prefix it serves.
# (intip is defined for reference only; no rule below uses it.)
intip="192.168.0.1"
intnet="192.168.0.0/24"

# Public addresses held by the router.  extip is the default SNAT
# source for the LAN, extip2 is mapped one-to-one onto "bocian" further
# down; extip3 is not referenced by any rule in this script.
extip="80.55.173.178"
extip2="80.55.173.179"
extip3="80.55.173.180"

# LAN hosts that get dedicated NAT / FORWARD rules.
bocian="192.168.0.2"
demon="192.168.0.3"

## Load the FTP connection-tracking and NAT helper modules, so FTP data
## connections are handled together with their control connection.
for ftp_mod in ip_conntrack_ftp ip_nat_ftp; do
  /sbin/modprobe "$ftp_mod"
done

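## Reset: flush all rules and user chains in the filter AND the nat
## table.  A plain "-F" only touches the filter table; the SNAT/DNAT
## rules added further down would otherwise be appended again on every
## run of this script, stacking duplicates.
$iptables -F
$iptables -X
$iptables -t nat -F
$iptables -t nat -X

## Default deny on every chain: anything not explicitly accepted below
## is dropped.  Set before any ACCEPT rule so there is no window with an
## open policy while the rule set is being (re)loaded.
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP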

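## Loopback: unrestricted in both directions.
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

## LAN interface: accept everything except packets conntrack classifies
## as INVALID.  This fully trusts the LAN - nothing listening on the
## router is shielded from LAN hosts.  Uses the interface variables
## instead of literal "eth0"/"eth1" like the NAT rules below.
$iptables -A INPUT -i "$intdev" -m state --state ! INVALID -j ACCEPT
$iptables -A OUTPUT -o "$intdev" -m state --state ! INVALID -j ACCEPT

## Uplink interface: the router may send anything out.  Inbound traffic
## is deliberately NOT opened here; it is admitted per service and per
## connection state in the INPUT section further down.  Leave the
## commented rule disabled - it would expose every listening port.
#$iptables -A INPUT -i "$extdev" -m state --state ! INVALID -j ACCEPT
$iptables -A OUTPUT -o "$extdev" -m state --state ! INVALID -j ACCEPT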

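## Enable IPv4 forwarding.  The FORWARD policy is already DROP, so no
## traffic passes until the rules below are in place.
$echo "1" > /proc/sys/net/ipv4/ip_forward
##############################
###   PUBLIC IP (1:1 NAT)  ###
##############################
## extip2 is mapped one-to-one onto the LAN host "bocian": its outbound
## packets leave with extip2 as source, and everything addressed to
## extip2 is rewritten to bocian before routing.
$iptables -t nat -A POSTROUTING -s "$bocian" -j SNAT --to "$extip2"
$iptables -t nat -A PREROUTING -d "$extip2" -j DNAT --to "$bocian"

## FORWARD is evaluated BEFORE the POSTROUTING SNAT, so bocian's
## outbound packets still carry the private address here.  The original
## rule matched "-s $extip2", which never fires, so bocian had no
## forwarding at all; match on the LAN address instead.
$iptables -A FORWARD -s "$bocian" -j ACCEPT
## Inbound side (destination already rewritten by the DNAT above).
## NOTE: this admits every port and protocol to bocian - nothing is
## filtered for it on the router, so the host must run its own firewall.
$iptables -A FORWARD -d "$bocian" -j ACCEPT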

tutaj byl problem (brakowalo reguly FORWARD dla ruchu wychodzacego od bociana):
> od bociana nie masz forwardingu,
> iptables -I FORWARD -s $bocian -j ACCEPT
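#MASKARADA
## Default SNAT for the rest of the LAN: packets from intnet leaving
## through the uplink get extip as source.  Restricted to the LAN prefix
## so the router never rewrites the source of traffic it merely relays
## from elsewhere.  bocian is unaffected: its more specific POSTROUTING
## rule above comes first.  Note that SNAT alone does not grant Internet
## access - the FORWARD policy is DROP, so only hosts with an explicit
## FORWARD rule (bocian, demon) actually get out.
$iptables -t nat -A POSTROUTING -s "$intnet" -o "$extdev" -j SNAT --to "$extip"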


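#################################
## INPUT from the uplink        #
#################################
## Services reachable from the Internet: FTP (20/21) and SSH (22).
## Each rule is pinned to the uplink interface and to TCP.  The mail
## wrapping that split these commands across two lines is undone, and
## the redundant "-d 0/0" is dropped.
$iptables -A INPUT -p tcp -i "$extdev" --dport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p tcp -i "$extdev" --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p tcp -i "$extdev" --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## Replies to connections the router itself opened (OUTPUT on the uplink
## is unrestricted above).  The original section, mislabelled "OUTPUT",
## accepted inbound TCP by SOURCE port 20/21/22 with NEW state allowed:
## any remote host could reach every local port simply by sending from
## source port 22.  Connection tracking makes that both unnecessary and
## unsafe; admit only packets that belong to an existing connection.
$iptables -A INPUT -i "$extdev" -m state --state ESTABLISHED,RELATED -j ACCEPT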


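######################
# INTERNET (demon)   #
######################
## Let the LAN host "demon" open TCP/UDP connections to the Internet
## from unprivileged source ports, and let the replies back in.
## The original referenced $demon200, a variable this script never
## defines: it expanded to nothing, leaving "-s" without an address, so
## these rules could not load.  $demon (defined at the top) is meant.
## Commands that the mail archive wrapped mid-option are rejoined with
## explicit continuations.
$iptables -A FORWARD -i "$intdev" -p tcp -s "$demon" --sport 1024: \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i "$intdev" -p udp -s "$demon" --sport 1024: \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## Return direction: only packets of a tracked connection, back to
## demon's unprivileged port.
$iptables -A FORWARD -o "$intdev" -p tcp -d "$demon" --dport 1024: \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -o "$intdev" -p udp -d "$demon" --dport 1024: \
  -m state --state ESTABLISHED,RELATED -j ACCEPT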
---------
Received on Sun Feb 15 23:47:35 2004
