[ myrmidon @ 25.03.2005. 14:19 ] @
Hello, I need help with configuring a network, or more precisely a router.
The network topology is given in the picture in the attachment.
Users access parts of the existing network through the gateway (e.g. the print server or download), and sometimes they are also given internet access (dashed red line).
The system is Debian linux (but another distribution would do as well).
I need an example of how to set up the ip tables and how to restrict access to part of the existing network.
Best regards.
[ Jbyn4e @ 25.03.2005. 14:53 ] @
Why don't you take a look at online configuration yourself? For example:
To install this on your machine and configure it there:
http://devzone.stealthp.org/cms/index.php?page=iptables-control
To see online how to set it up:
http://www.lowth.com/LinWiz/1.09/ServerFirewall/fw.pl/iptables
or
http://www.lowth.com/LinWiz/1.09/
There are surely more, but these are the ones I came across...
[ NiGhT-BlAdE @ 27.03.2005. 01:08 ] @
Hmm... simply `pico filename`, type in the commands that close/open or redirect particular addresses/ports or network interfaces, and as needed modify it and save it under another name... the easiest way is to sit down once, do it, and afterwards just `sh filename` and the job is done :) of course, always set one of them as the default at machine boot :) that's how I did it... And the download restriction, for instance, I did via squid, and everything behind the gateway goes through it... meaning all, or rather most, http ports are redirected to that proxy.
[ myrmidon @ 27.03.2005. 21:04 ] @
With the help of the tutorials listed above I put something together. Is the script correct, and will the gateway work like this? (I have not yet added filtering of some IP addresses here.)
Is masquerade for dynamically assigned IP addresses, or will it also work with static ones?
Script:
#!/bin/bash
# ********************* Configuration variables ************************
# card which is connected to clients
Card1="eth1"
# card which is connected to internal network
Card2="eth0"
echo "Your network configuration :"
echo " Card to clients : $Card1"
echo " Card to LAN : $Card2"
# *********************** testing for iptables *********************
# Modprobe iptables modules
echo "Probing modules :"
MODULES="ip_tables iptable_filter iptable_mangle iptable_nat ip_conntrack ipt_limit ipt_state ipt_LOG ipt_TCPMSS ipt_TOS"
echo "modprobe for $MODULES"
# module files end in .o on 2.4 kernels and in .ko on 2.6 kernels
NETFILTER_DIR=/lib/modules/`uname -r`/kernel/net/ipv4/netfilter
if [ -f $NETFILTER_DIR/ip_tables.o ] || [ -f $NETFILTER_DIR/ip_tables.ko ]
then
    # one modprobe per module: with several names on one line, modprobe
    # treats everything after the first name as options for that module
    for module in $MODULES
    do
        /sbin/modprobe $module
    done
    echo " passed"
else
    echo " failed"
fi
# ********************** Firewall section ************************
echo "Firewall starting"
# flush all tables and chains on the machine first; doing this later
# (in the gateway section) would wipe out every rule added below
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# reverse-path filtering applies to all interfaces
for interface in /proc/sys/net/ipv4/conf/*/rp_filter
do
    echo 1 > $interface
done
#allow any packets that come into localhost without any filtering
iptables -A INPUT -i lo -j ACCEPT
#**************************************************************
#Deny all inbound access that isn't in response to one of our outbound connections
#This throws away the packet without informing the sender -->> nothing can get in
iptables -P INPUT DROP
#No machines can connect to your machine with TCP: only packets that belong to
#(or are related to) a connection this machine opened are let in. Connection
#tracking (ipt_state) also covers UDP replies and is stricter than accepting
#every non-SYN packet with "! --syn".
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#This will allow any DNS servers to reply to you
iptables -A INPUT -p udp --source-port 53 -j ACCEPT
#**************IP addresses to be most restrictive
# iptables -A INPUT --source ****DNS.SVR1.IP.ADDR**** -p udp --source-port 53 -j ACCEPT
# iptables -A INPUT --source ****DNS.SVR2.IP.ADDR**** -p udp --source-port 53 -j ACCEPT
# iptables -A INPUT --source ****DNS.SVR1.IP.ADDR**** -p tcp --source-port 53 -j ACCEPT
# iptables -A INPUT --source ****DNS.SVR2.IP.ADDR**** -p tcp --source-port 53 -j ACCEPT
#If your machine needs to get an IP address from the network using BOOTP or DHCP
# iptables -A INPUT -p udp --destination-port 68 -j ACCEPT
#lock down allowed ICMP packets
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type redirect -j ACCEPT
iptables -A INPUT -p icmp --icmp-type router-advertisement -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT #lets your machine be pinged; remove this line to prevent that
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# ************************ gateway section ***********************
echo "Gateway starting .........."
echo 1 > /proc/sys/net/ipv4/ip_forward
# Set up IP FORWARDing and Masquerading: traffic arriving from the clients
# ($Card1) leaves towards the internal network ($Card2) with this machine's
# address, so the interfaces follow the variable definitions above
iptables --table nat --append POSTROUTING --out-interface $Card2 -j MASQUERADE
iptables --append FORWARD --in-interface $Card1 -j ACCEPT
# ********************** Logging *******************************
# Note: Enable this only at test period!!!!
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG
regards.
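As an added example (my own code, not myrmidon's script and not taken from the thread), here is how the restriction asked about in the first post can be written: clients behind eth1 may only open connections to the print server and the download host on the existing network, internet access is switched on per run with INTERNET=yes, and everything else the clients send into the LAN is logged at a limited rate and dropped. It goes beyond the posted script in two ways: the flush comes first, and connection tracking replaces the "! --syn" rule so replies (UDP included) are matched by state. The subnet 192.168.10.0/24, the hosts 10.0.0.20 and 10.0.0.21 and the service ports are constructed values; setting IPT="echo iptables" prints the rules instead of loading them, which is how the script can be checked without root.

```shell
#!/bin/sh
# Added example, not myrmidon's script: a gateway for the topology in the thread.
# Clients sit behind CLIENT_IF; the existing network (print server, download
# host) and the internet uplink are behind LAN_IF. Only listed services on the
# existing network are reachable from the clients; internet access is granted
# only when INTERNET=yes; everything else from the clients is logged and dropped.
# Set IPT="echo iptables" to print the rules instead of loading them.
IPT="${IPT:-/sbin/iptables}"

CLIENT_IF="eth1"                 # card facing the clients (as in the thread)
LAN_IF="eth0"                    # card facing the existing network / uplink
CLIENT_NET="192.168.10.0/24"     # constructed: the clients' subnet
LAN_NET="10.0.0.0/24"            # constructed: the existing network
PRINTSERVER="10.0.0.20"          # constructed: print server address
DOWNLOAD="10.0.0.21"             # constructed: download host address

flush_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -t nat -X
}

# Default deny; replies are matched by connection tracking, which replaces the
# stateless "! --syn" rule of the posted script and covers UDP as well.
base_policy() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# allow_lan_host HOST PROTO PORT: clients may open connections to one service
# on one host of the existing network.
allow_lan_host() {
    $IPT -A FORWARD -i "$CLIENT_IF" -o "$LAN_IF" -s "$CLIENT_NET" -d "$1" \
        -p "$2" --dport "$3" -m state --state NEW -j ACCEPT
}

# Everything else the clients send into the existing network is logged
# (rate-limited, so a scan cannot fill the log) and dropped.
deny_rest_of_lan() {
    $IPT -A FORWARD -i "$CLIENT_IF" -o "$LAN_IF" -s "$CLIENT_NET" -d "$LAN_NET" \
        -m limit --limit 5/min -j LOG --log-prefix "gw-denied: "
    $IPT -A FORWARD -i "$CLIENT_IF" -o "$LAN_IF" -s "$CLIENT_NET" -d "$LAN_NET" -j DROP
}

# Internet access: anything that is not the existing network may be reached,
# with the clients hidden behind the gateway's address on LAN_IF.
enable_internet() {
    $IPT -A FORWARD -i "$CLIENT_IF" -o "$LAN_IF" -s "$CLIENT_NET" ! -d "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$CLIENT_NET" -j MASQUERADE
}

# build_ruleset: the whole policy, in the order the rules must be evaluated.
build_ruleset() {
    flush_rules
    base_policy
    allow_lan_host "$PRINTSERVER" tcp 9100     # raw printing
    allow_lan_host "$PRINTSERVER" tcp 631      # IPP
    allow_lan_host "$DOWNLOAD"    tcp 80       # the download host's web server
    deny_rest_of_lan
    if [ "${INTERNET:-no}" = "yes" ]; then
        enable_internet
    fi
}

# Only touch the kernel when explicitly asked:  ./gateway.sh apply
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_ruleset
fi
```

Run `IPT="echo iptables" sh gateway.sh` and read the printed rules before running `sh gateway.sh apply` as root; the log prefix "gw-denied:" makes the dropped attempts easy to pick out of the kernel log while the ruleset is being tuned.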
[ NiGhT-BlAdE @ 28.03.2005. 09:25 ] @
Yes, yes, that will surely work :) here is my masquerade; in principle the IP addresses, static or dynamic, do not matter here, it is about the network interfaces, i.e. the LAN cards :) you define from which one to which one the net traffic is forwarded
#!/bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
eth1 - Internet
eth0 - LAN network/clients
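An added example, my own code rather than NiGhT-BlAdE's script, for two points made in this thread: the reply above, that the source-NAT rule is tied to the interface and not to a particular address, and the earlier remark that client web traffic was redirected to a squid proxy. The script emits MASQUERADE when the uplink address is not known in advance and SNAT with that address when it is (MASQUERADE reads the interface address for every new connection, which is what lets it follow a DHCP lease; SNAT --to-source is the equivalent for a fixed address without that lookup). The REDIRECT rule hands the clients' port-80 connections to squid on the gateway, and the INPUT rules keep that proxy port reachable only from the LAN side. eth1 and eth0 are as in the reply; 192.168.1.0/24 and squid on port 3128 are assumptions.

```shell
#!/bin/sh
# Added example, not NiGhT-BlAdE's script: the NAT part of the gateway.
# Set IPT="echo iptables" to print the rules instead of loading them.
IPT="${IPT:-/sbin/iptables}"
WAN_IF="eth1"                # Internet side, as in the reply
LAN_IF="eth0"                # LAN / client side, as in the reply
LAN_NET="192.168.1.0/24"     # constructed: the clients' subnet
SQUID_PORT="3128"            # assumption: squid listening on the gateway itself

# snat_rule [STATIC_IP]: the rule does not care how WAN_IF got its address.
# MASQUERADE reads the interface's current address for every new connection,
# so it follows a DHCP-assigned one; with a fixed address SNAT --to-source
# gives the same result without that lookup.
snat_rule() {
    if [ -n "${1:-}" ]; then
        $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$1"
    else
        $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    fi
}

# proxy_redirect: clients' port-80 connections are handed to the local squid
# instead of being forwarded, and the proxy port is reachable only from LAN_IF.
proxy_redirect() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SQUID_PORT" -j DROP
}

# nat_setup [STATIC_IP]: flush the nat table, then redirect and source-NAT.
nat_setup() {
    $IPT -t nat -F
    proxy_redirect
    snat_rule "${1:-}"
}

#   ./nat.sh apply              -> MASQUERADE (uplink address assigned dynamically)
#   ./nat.sh apply 203.0.113.5  -> SNAT to that fixed address (constructed example)
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    nat_setup "${2:-}"
fi
```

Whichever of the two NAT targets is used, the forwarding rules that decide what the clients may reach are separate from it; NAT only rewrites the source address of what those rules have already allowed.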
Copyright (C) 2001-2025 by www.elitesecurity.org. All rights reserved.